{"id":4507,"date":"2025-08-10T01:03:03","date_gmt":"2025-08-10T01:03:03","guid":{"rendered":"https:\/\/uplatz.com\/blog\/?p=4507"},"modified":"2025-08-10T01:03:03","modified_gmt":"2025-08-10T01:03:03","slug":"trivy-pocket-book","status":"publish","type":"post","link":"https:\/\/uplatz.com\/blog\/trivy-pocket-book\/","title":{"rendered":"Trivy Pocket Book"},"content":{"rendered":"<p><!-- Trivy Pocket Book \u2014 Uplatz (50 Cards, Wide Layout, Readable Code, Scoped Styles) --><\/p>\n<div style=\"margin:16px 0;\">\n<style>\n    .wp-trivy-pb { font-family: Arial, sans-serif; max-width: 1320px; margin:0 auto; }\n    .wp-trivy-pb .heading{\n      background: linear-gradient(135deg, #e0f2fe, #ede9fe); \/* light blue -> light violet *\/\n      color:#0f172a; padding:22px 24px; border-radius:14px;\n      text-align:center; margin-bottom:18px; box-shadow:0 8px 20px rgba(0,0,0,.08);\n      border:1px solid #cbd5e1;\n    }\n    .wp-trivy-pb .heading h2{ margin:0; font-size:2.1rem; letter-spacing:.2px; }\n    .wp-trivy-pb .heading p{ margin:6px 0 0; font-size:1.02rem; opacity:.9; }<\/p>\n<p>    \/* Wide, dense grid *\/\n    .wp-trivy-pb .grid{\n      display:grid; gap:14px;\n      grid-template-columns: repeat(auto-fill, minmax(400px, 1fr));\n    }\n    @media (min-width:1200px){\n      .wp-trivy-pb .grid{ grid-template-columns: repeat(3, 1fr); }\n    }<\/p>\n<p>    .wp-trivy-pb .section-title{\n      grid-column:1\/-1; background:#f8fafc; border-left:8px solid #06b6d4; \/* cyan *\/\n      padding:12px 16px; border-radius:10px; font-weight:700; color:#0f172a; font-size:1.08rem;\n      box-shadow:0 2px 8px rgba(0,0,0,.05); border:1px solid #e2e8f0;\n    }\n    .wp-trivy-pb .card{\n      background:#ffffff; border-left:6px solid #06b6d4;\n      padding:18px; border-radius:12px;\n      box-shadow:0 6px 14px rgba(0,0,0,.06);\n      transition:transform .12s ease, box-shadow .12s ease;\n      border:1px solid #e5e7eb;\n    }\n    .wp-trivy-pb .card:hover{ transform: 
translateY(-3px); box-shadow:0 10px 22px rgba(0,0,0,.08); }\n    .wp-trivy-pb .card h3{ margin:0 0 10px; font-size:1.12rem; color:#0f172a; }\n    .wp-trivy-pb .card p{ margin:0; font-size:.96rem; color:#334155; line-height:1.62; }<\/p>\n<p>    \/* Color helpers *\/\n    .bg-blue { border-left-color:#0ea5e9 !important; background:#eef6ff !important; }\n    .bg-green{ border-left-color:#10b981 !important; background:#f0fdf4 !important; }\n    .bg-amber{ border-left-color:#f59e0b !important; background:#fffbeb !important; }\n    .bg-violet{ border-left-color:#8b5cf6 !important; background:#f5f3ff !important; }\n    .bg-rose{ border-left-color:#ef4444 !important; background:#fff1f2 !important; }\n    .bg-cyan{ border-left-color:#06b6d4 !important; background:#ecfeff !important; }\n    .bg-lime{ border-left-color:#22c55e !important; background:#ecfdf5 !important; }\n    .bg-orange{ border-left-color:#f97316 !important; background:#fff7ed !important; }\n    .bg-indigo{ border-left-color:#6366f1 !important; background:#eef2ff !important; }\n    .bg-emerald{ border-left-color:#059669 !important; background:#ecfdf5 !important; }\n    .bg-slate{ border-left-color:#334155 !important; background:#f8fafc !important; }<\/p>\n<p>    \/* Utilities & code *\/\n    .tight ul{ margin:0; padding-left:18px; }\n    .tight li{ margin:4px 0; }\n    .mono{ font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace; }\n    .wp-trivy-pb code{ background:#f1f5f9; padding:0 4px; border-radius:4px; border:1px solid #e2e8f0; }\n    .wp-trivy-pb pre{\n      background:#f5f5f5; color:#111827; border:1px solid #e5e7eb;\n      padding:12px; border-radius:8px; overflow:auto; font-size:.92rem; line-height:1.55;\n    }\n    .q{font-weight:700;}\n    .qa p{ margin:8px 0; }\n  <\/style>\n<div class=\"wp-trivy-pb\">\n<div class=\"heading\">\n<h2>Trivy Pocket Book \u2014 Uplatz<\/h2>\n<p>50 in-depth cards \u2022 Wide layout \u2022 Readable examples \u2022 20-question interview Q&amp;A 
included<\/p>\n<\/p><\/div>\n<div class=\"grid\">\n      <!-- ===================== SECTION 1: FOUNDATIONS (1\u201310) ===================== --><\/p>\n<div class=\"section-title\">Section 1 \u2014 Foundations<\/div>\n<div class=\"card bg-amber\">\n<h3>1) What is Trivy?<\/h3>\n<p>Trivy is an all-in-one open-source security scanner by Aqua Security for vulnerabilities, misconfigurations, secrets, and SBOMs across filesystems, containers, Kubernetes, cloud, and IaC.<\/p>\n<pre><code class=\"mono\">Targets: filesystems \u2022 images \u2022 repos \u2022 k8s \u2022 IaC \u2022 SBOM \u2022 AWS \u2022 rootfs<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-blue\">\n<h3>2) Installation<\/h3>\n<p>Available via Homebrew, apt\/yum, script installer, Docker image, and GitHub releases. Bundles its own DB cache by default.<\/p>\n<pre><code class=\"mono\">brew install aquasecurity\/trivy\/trivy\r\n# or\r\ndocker run --rm -v $PWD:\/work aquasec\/trivy:latest --version<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>3) Scanners<\/h3>\n<p>Enable\/disable scanners: <code>vuln<\/code>, <code>config<\/code>, <code>secret<\/code>, <code>license<\/code>, <code>misconfig<\/code>, <code>rbac<\/code> (via k8s), <code>sbom<\/code>.<\/p>\n<pre><code class=\"mono\">trivy image --scanners vuln,secret,config repo\/app:1.2.3<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>4) Vulnerability DBs<\/h3>\n<p>Uses multiple sources (e.g., distro advisories, GitHub) and updates the cache automatically; can run offline with pre-fetched DB.<\/p>\n<pre><code class=\"mono\">trivy image --download-db-only\r\ntrivy image --offline-scan app:tag<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>5) Output Formats<\/h3>\n<p>Text, table, JSON, SARIF, SPDX\/CycloneDX SBOM; custom templates via Go templates.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --format sarif --output report.sarif<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>6) Severity 
&#038; Policies<\/h3>\n<p>Filter by severity; fail builds with exit codes; ignore unfixed vulns or set policy thresholds.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>7) Caching &#038; Performance<\/h3>\n<p>Warm caches, mount Docker socket for direct image access, and prune layers to speed recurring scans.<\/p>\n<pre><code class=\"mono\">TRIVY_CACHE_DIR=.trivycache trivy fs .<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>8) Basic Commands<\/h3>\n<p>Scan filesystems, images, repos, and Kubernetes clusters quickly with sensible defaults.<\/p>\n<pre><code class=\"mono\">trivy fs .\r\ntrivy image repo\/app:latest\r\ntrivy repo https:\/\/github.com\/org\/project<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>9) Ignore File<\/h3>\n<p>Suppress specific issues temporarily via <code>.trivyignore<\/code> (with IDs or regex); always include reasons in PRs.<\/p>\n<pre><code class=\"mono\"># .trivyignore\r\nCVE-2024-12345\r\nCWE-798 # hardcoded creds pattern (investigating)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>10) Q&amp;A \u2014 \u201cWhy Trivy?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> One tool covers vuln scanning, IaC misconfig, secrets detection, and SBOMs with minimal setup and fast defaults.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 2: VULNS, IMAGES, SBOM (11\u201320) ===================== --><\/p>\n<div class=\"section-title\">Section 2 \u2014 Vulnerabilities, Images &#038; SBOM<\/div>\n<div class=\"card bg-blue\">\n<h3>11) Image Vulnerability Scan<\/h3>\n<p>Scans OS packages and language deps; supports local daemon or remote registry images.<\/p>\n<pre><code class=\"mono\">trivy image --vuln-type os,library repo\/app:1.0.0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>12) Base Image Suggestions<\/h3>\n<p>Trivy can suggest 
alternative base images with fewer CVEs (if metadata available); consider vendor-slim images.<\/p>\n<pre><code class=\"mono\">trivy image --format json repo\/app:1.0.0 | jq '.Results[].SuggestedFix'<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>13) SBOM Generation<\/h3>\n<p>Create SBOMs to track dependencies; feed into signing\/attestations or vulnerability management.<\/p>\n<pre><code class=\"mono\"># SBOMs are generated with the image\/fs\/repo subcommands plus --format\r\ntrivy image --format cyclonedx --output sbom.json repo\/app:1.0.0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>14) From SBOM to Scan<\/h3>\n<p>Scan prebuilt SBOMs (offline or CI) to detect newly disclosed vulns without pulling the image again.<\/p>\n<pre><code class=\"mono\"># the sbom subcommand takes the SBOM file as its target\r\ntrivy sbom --format table sbom.json<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>15) RootFS Scanning<\/h3>\n<p>Scan mounted root filesystems\/VMs to inventory packages and detect CVEs.<\/p>\n<pre><code class=\"mono\">sudo trivy rootfs \/mnt\/disk<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>16) Registry Auth<\/h3>\n<p>Use env vars or Docker auth helpers to access private registries; avoid printing tokens in logs.<\/p>\n<pre><code class=\"mono\">export TRIVY_USERNAME=ciuser TRIVY_PASSWORD=$REG_PASS\r\ntrivy image private.registry\/app:tag<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>17) Ignore Unfixed vs Fixed Only<\/h3>\n<p><code>--ignore-unfixed<\/code> hides issues with no upstream fix; <code>--ignore-policy<\/code> enforces custom logic via Rego.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --ignore-unfixed\r\ntrivy image app:tag --ignore-policy policy.rego<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>18) Templated Reports<\/h3>\n<p>Render custom HTML\/Markdown\/CSV with Go templates; attach artifacts to CI for review.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --format template --template @tpl\/summarize.tpl --output 
out.html<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>19) Exit Codes &#038; Gates<\/h3>\n<p>Use exit codes to block builds on high\/critical; thresholds keep pipelines developer-friendly.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --severity HIGH,CRITICAL --exit-code 1 || echo \"review required\"<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>20) Q&amp;A \u2014 \u201cAlpine fixes everything?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Alpine often reduces CVEs but musl vs glibc differences can break apps; vendor-supported slim images can be safer.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 3: IAC, K8S, SECRETS (21\u201330) ===================== --><\/p>\n<div class=\"section-title\">Section 3 \u2014 IaC, Kubernetes &#038; Secret Detection<\/div>\n<div class=\"card bg-blue\">\n<h3>21) IaC Misconfig Scans<\/h3>\n<p>Scan Terraform, CloudFormation, ARM\/Bicep, Kubernetes YAML, Helm charts.<\/p>\n<pre><code class=\"mono\">trivy config iac\/ --severity HIGH,CRITICAL<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>22) Kubernetes Cluster Scan<\/h3>\n<p>Scan live cluster for workload misconfigs and vulns in running images (needs kubeconfig).<\/p>\n<pre><code class=\"mono\">trivy k8s cluster\r\ntrivy k8s --report summary all<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>23) RBAC &#038; Pod Security<\/h3>\n<p>Detect risky permissions, privileged pods, hostPath, and missing resource limits.<\/p>\n<pre><code class=\"mono\">trivy k8s --namespace prod --severity HIGH,CRITICAL<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>24) Helm &#038; Kustomize<\/h3>\n<p>Scan rendered charts; integrate checks into deployment pipelines before applying manifests.<\/p>\n<pre><code class=\"mono\">helm template charts\/web | trivy config -<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>25) Secrets Scanner<\/h3>\n<p>Detect hardcoded credentials\/API 
keys in git repos and filesystems; add allowlist patterns if needed.<\/p>\n<pre><code class=\"mono\">trivy repo https:\/\/github.com\/org\/repo --scanners secret<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>26) Policy as Code (OPA\/Rego)<\/h3>\n<p>Write custom policies to enforce org rules (e.g., deny 0.0.0.0\/0 SGs); run with <code>--policy<\/code>.<\/p>\n<pre><code class=\"mono\">trivy config iac\/ --policy policies\/ --policy-namespace user<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>27) Baselines &#038; Drift<\/h3>\n<p>Save baseline JSON and compare future scans to detect newly introduced risks only.<\/p>\n<pre><code class=\"mono\">trivy fs . --format json --output base.json<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>28) Kubernetes Admission<\/h3>\n<p>Combine with admission controllers to block risky configs pre-deploy (e.g., Kyverno\/Gatekeeper + Trivy results).<\/p>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>29) Shift-Left<\/h3>\n<p>Run Trivy in pre-commit hooks, IDE tasks, and PR checks; fix issues before merge.<\/p>\n<pre><code class=\"mono\"># pre-commit config\r\n- repo: local\r\n  hooks:\r\n  - id: trivy-fs\r\n    name: trivy fs\r\n    entry: trivy fs .\r\n    language: system<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>30) Q&amp;A \u2014 \u201cIaC vs runtime?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Catch misconfig in code first; use live cluster scans to verify and detect drift\/overrides.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 4: CI\/CD, SIGNING, CLOUD (31\u201340) ===================== --><\/p>\n<div class=\"section-title\">Section 4 \u2014 CI\/CD Integration, Signing &#038; Cloud<\/div>\n<div class=\"card bg-blue\">\n<h3>31) GitHub Actions<\/h3>\n<p>Run Trivy on push\/PR; upload SARIF to code scanning; fail on high\/critical.<\/p>\n<pre><code class=\"mono\">- uses: aquasecurity\/trivy-action@master\r\n  with:\r\n    
scan-type: 'image'\r\n    image-ref: 'ghcr.io\/org\/app:${{ github.sha }}'\r\n    format: 'sarif'\r\n    output: 'trivy.sarif'\r\n    severity: 'HIGH,CRITICAL'<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>32) Jenkins Pipeline<\/h3>\n<p>Use CLI step; archive JSON and HTML; gate on severity.<\/p>\n<pre><code class=\"mono\">sh 'trivy image app:tag --format json --output trivy.json --severity HIGH,CRITICAL --exit-code 1'<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>33) GitLab CI<\/h3>\n<p>Inline job templates; artifacts for MR review; optional allow-failure for non-blocking stages.<\/p>\n<pre><code class=\"mono\">trivy:\r\n  script: trivy image $IMAGE --format json --output trivy.json --exit-code 1\r\n  artifacts: { paths: [trivy.json] }<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>34) Bitbucket \/ Azure DevOps<\/h3>\n<p>Run in steps with container images; publish results to build summaries and PR comments.<\/p>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>35) Signing &#038; Attestations<\/h3>\n<p>Pair Trivy with Cosign\/SLSA: generate SBOM \u2192 sign image and attest SBOM\/scan results.<\/p>\n<pre><code class=\"mono\"># generate the SPDX SBOM from the image, then attach it as a Cosign attestation\r\ntrivy image --format spdx-json -o sbom.spdx.json repo\/app:tag\r\ncosign attest --predicate sbom.spdx.json --type spdxjson repo\/app:tag<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>36) Policy Gates<\/h3>\n<p>Rego policies in CI to block deploys if severity threshold exceeded or controls violated.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --format json | conftest test -p policies -<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>37) Cloud Scans (AWS)<\/h3>\n<p>Scan AWS account resources (experimental modes evolve). 
Prefer IaC-first plus least-privilege cloud roles.<\/p>\n<pre><code class=\"mono\">trivy aws --service s3<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>38) Offline CI<\/h3>\n<p>Mirror DB in a private cache; point builds to it for air-gapped environments.<\/p>\n<pre><code class=\"mono\">trivy image --download-db-only --cache-dir .trivycache<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>39) Performance &#038; Cost<\/h3>\n<p>Use shallow fetch for repos, cache Docker layers, skip low severity in PRs, run full scans nightly.<\/p>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>40) Q&amp;A \u2014 \u201cBlock everything red?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Block on HIGH\/CRITICAL and reachable or fixable issues; warn on others to keep velocity.<\/p>\n<\/p><\/div>\n<p>      <!-- ===================== SECTION 5: RECIPES & INTERVIEW (41\u201350) ===================== --><\/p>\n<div class=\"section-title\">Section 5 \u2014 Practical Recipes &#038; Interview Q&amp;A<\/div>\n<div class=\"card bg-blue\">\n<h3>41) Recipe: Dockerfile Hardening<\/h3>\n<p>Use multi-stage builds, drop root, pin versions, clean package caches, and copy only required artifacts.<\/p>\n<pre><code class=\"mono\">FROM node:20-alpine AS build\r\nWORKDIR \/app\r\nCOPY package*.json .\/\r\nRUN npm ci\r\nCOPY . 
.\r\nRUN npm run build\r\n\r\nFROM node:20-alpine\r\nUSER 10001\r\nWORKDIR \/app\r\nCOPY --from=build \/app\/dist .\/dist\r\nCMD [\"node\",\"dist\/server.js\"]<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>42) Recipe: K8s Admission Precheck<\/h3>\n<p>Render Helm \u2192 Trivy config scan \u2192 only apply if pass; wire into CD pipeline.<\/p>\n<pre><code class=\"mono\">helm template charts\/web | trivy config - --exit-code 1 || exit 1\r\nkubectl apply -f k8s\/<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>43) Recipe: Monorepo Paths<\/h3>\n<p>Scan only changed dirs in PRs to speed feedback loops.<\/p>\n<pre><code class=\"mono\">CHANGED=$(git diff --name-only origin\/main... | cut -d\/ -f1 | sort -u)\r\nfor d in $CHANGED; do trivy fs \"$d\"; done<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>44) Recipe: HTML Report<\/h3>\n<p>Generate a friendly HTML summary for managers\/auditors.<\/p>\n<pre><code class=\"mono\">trivy image app:tag --format template --template @tpl\/summary-html.tpl -o trivy.html<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>45) Common Pitfalls<\/h3>\n<p>Scanning only at release, ignoring lockfiles, permanent ignores, not enabling monitor\/scheduled scans, scanning images never deployed.<\/p>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>46) Developer UX Tips<\/h3>\n<p>IDE helpers, pre-commit hooks, PR comments with minimal actionable fixes, and auto-created issues for owners.<\/p>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>47) Secrets Hygiene<\/h3>\n<p>Use secret managers, forbid committing .env with tokens, and add allowlists only for false positives with expiry.<\/p>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>48) Compliance Mapping<\/h3>\n<p>Map misconfig checks to CIS\/NIST; export SBOM + scan reports for audit evidence; track MTTR and remediation SLAs.<\/p>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>49) 30-Day Rollout<\/h3>\n<p>Week1: IDE + fs 
scans \u2022 Week2: image\/PR gates (high+) \u2022 Week3: IaC + k8s \u2022 Week4: SBOM\/signing + dashboards.<\/p>\n<\/p><\/div>\n<div class=\"card bg-emerald qa\">\n<h3>50) Interview Q&amp;A \u2014 20 Practical Questions (Expanded)<\/h3>\n<p><b>1) What does Trivy scan?<\/b> Filesystems, container images, SBOMs, git repos, Kubernetes, IaC, AWS\/rootfs, secrets.<\/p>\n<p><b>2) Difference: fs vs image?<\/b> <i>fs<\/i> scans local directories; <i>image<\/i> inspects layers and OS\/library deps inside images.<\/p>\n<p><b>3) How to fail CI?<\/b> Use <code>--severity<\/code> + <code>--exit-code<\/code>; often HIGH\/CRITICAL in PRs, full in nightly.<\/p>\n<p><b>4) Why lockfiles matter?<\/b> They pin versions so SCA is accurate for transitives; scanning only package.json can miss reality.<\/p>\n<p><b>5) What is <code>--ignore-unfixed<\/code>?<\/b> Hides issues with no known fix to reduce noise; track them in reports.<\/p>\n<p><b>6) Custom policy usage?<\/b> Rego with <code>--policy<\/code> to encode org rules (e.g., deny privileged pods).<\/p>\n<p><b>7) Reachability?<\/b> Trivy focuses on presence\/versions; reachability is approximated via IaC\/K8s context; combine with runtime data for prioritization.<\/p>\n<p><b>8) SBOM formats?<\/b> SPDX, CycloneDX (JSON), used for compliance and later vulnerability correlation.<\/p>\n<p><b>9) Reduce false positives?<\/b> Pin versions, scan lockfiles, use <code>.trivyignore<\/code> with expiry, and templates highlighting fixable items.<\/p>\n<p><b>10) Alpine vs Debian Slim?<\/b> Alpine smaller but musl; Debian\/Ubuntu slim often more compatible; choose based on app libs.<\/p>\n<p><b>11) Private registry auth?<\/b> Env vars or Docker login; set CI secrets; never echo tokens.<\/p>\n<p><b>12) Offline scanning?<\/b> Pre-download DB and set <code>--offline-scan<\/code>; mirror cache in artifact store.<\/p>\n<p><b>13) K8s scan depth?<\/b> Resources + image refs; combine with <code>trivy image<\/code> on those refs for CVEs.<\/p>\n<p><b>14) 
IaC vs config?<\/b> <code>trivy config<\/code> evaluates IaC templates before deploy; catch risky settings pre-merge.<\/p>\n<p><b>15) Attestations?<\/b> Sign images and attach SBOM\/scan attestations (Cosign) so runtime policy can enforce \u201conly scanned &#038; signed.\u201d<\/p>\n<p><b>16) Speeding scans?<\/b> Cache DB, reuse layers, scan only changed paths, skip low severities on PRs.<\/p>\n<p><b>17) Governance?<\/b> Severity gates, policy packs, ignore expiries, dashboards for MTTR and aging.<\/p>\n<p><b>18) Typical pipeline order?<\/b> Build \u2192 unit test \u2192 <i>trivy fs<\/i> \u2192 image build \u2192 <i>trivy image<\/i> \u2192 <i>trivy sbom<\/i> \u2192 sign\/attest \u2192 deploy (if pass).<\/p>\n<p><b>19) Secrets detection limits?<\/b> Pattern\/entropy-based; add allowlists, avoid real secrets in tests; rotate on hits.<\/p>\n<p><b>20) Biggest gotcha?<\/b> Scanning artifacts not used in prod; prioritize runtime-referenced images and namespaces.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Trivy Pocket Book \u2014 Uplatz 50 in-depth cards \u2022 Wide layout \u2022 Readable examples \u2022 20-question interview Q&amp;A included Section 1 \u2014 Foundations 1) What is Trivy? 
Trivy is an <span class=\"readmore\"><a href=\"https:\/\/uplatz.com\/blog\/trivy-pocket-book\/\">Read More &#8230;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2462,2485],"tags":[],"class_list":["post-4507","post","type-post","status-publish","format-standard","hentry","category-pocket-book","category-trivy"]}