Trivy Reference: Container Scanning, K8s Cluster Audit, IaC Misconfigs & GitHub Actions CI
Trivy is an open-source security scanner from Aqua Security that covers container images, filesystems, Git repositories, live Kubernetes clusters, and IaC. It finds known vulnerabilities (CVEs) in OS packages and language dependencies, misconfigurations in Dockerfiles, Kubernetes manifests and Terraform, and hard-coded secrets, and it can emit an SBOM (CycloneDX or SPDX) for whatever it scanned.
1. Install & Scan Modes
Install Trivy and understand scan targets
# Install:
brew install trivy                          # macOS
# Ubuntu/Debian (keyring + signed-by; the old apt-key method is deprecated):
apt-get install -y wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee /etc/apt/sources.list.d/trivy.list
apt-get update && apt-get install -y trivy
# Scan targets:
trivy image nginx:latest                    # container image (OS pkgs + app deps)
trivy fs ./                                 # local filesystem (app dependencies)
trivy repo https://github.com/org/repo      # git repository
trivy k8s --report summary cluster          # live Kubernetes cluster (see section 4 for the 0.50+ syntax)
trivy config ./                             # IaC misconfigurations (Dockerfile, K8s YAML, Terraform)
trivy sbom mysbom.json                      # scan an existing SBOM
trivy rootfs /path/to/rootfs                # unpacked filesystem root
# Quick scan examples:
trivy image python:3.12                     # scan an official image
trivy image --severity HIGH,CRITICAL nginx:latest   # only HIGH/CRITICAL
trivy fs --scanners vuln,secret ./          # vulns + secrets in a filesystem (--security-checks is the old spelling of --scanners)
2. Container Image Scanning
Scan images — local, remote, and from tar archives
# Scan from a registry:
trivy image python:3.12-slim
trivy image --severity CRITICAL python:3.12-slim      # only show CRITICAL
trivy image --ignore-unfixed python:3.12-slim         # hide vulns that have no fixed version yet
# Scan a local image (built but not pushed):
docker build -t my-app:dev .
trivy image my-app:dev
# Scan a saved tar archive (CI runners without a Docker daemon):
docker save my-app:dev -o my-app.tar
trivy image --input my-app.tar
# Filter by package type:
trivy image --pkg-types os python:3.12-slim           # OS packages only (--vuln-type on older releases)
trivy image --pkg-types library python:3.12-slim      # language deps only
# Output formats:
trivy image -f json -o results.json nginx:latest       # JSON for pipeline parsing
trivy image -f sarif -o results.sarif nginx:latest     # SARIF for the GitHub Security tab
trivy image -f table nginx:latest                      # human-readable table (default)
trivy image -f cyclonedx -o sbom.json nginx:latest     # CycloneDX SBOM (-f spdx-json for SPDX)
# Exit codes for CI: by default Trivy exits 0 even when it finds vulnerabilities
# (non-zero only on scan errors). Use --exit-code to fail the job on findings:
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest   # exits 1 if any HIGH/CRITICAL, else 0
3. Filesystem & Dependency Scanning
Scan project dependencies: npm, pip, Go modules, Gemfile
# Scan a project directory (lockfiles are detected automatically):
trivy fs ./                                  # package-lock.json, requirements.txt, go.sum, etc.
trivy fs --scanners vuln,secret ./           # vulns + hard-coded secrets (--security-checks is the old spelling)
# Language-specific lockfile scanning:
trivy fs --scanners vuln ./package-lock.json # npm
trivy fs ./requirements.txt                  # Python pip (pinned versions only)
trivy fs ./go.sum                            # Go modules
trivy fs ./Gemfile.lock                      # Ruby
trivy fs ./pom.xml                           # Maven
trivy fs ./Cargo.lock                        # Rust
# Secret scanning (hard-coded API keys, tokens, private keys):
trivy fs --scanners secret ./
# Detection is rule-based (regexes for AWS access keys, GitHub tokens, Stripe keys, private-key
# blocks, JWTs, ...), not entropy-based, so an in-house token format needs a custom rule
# supplied via --secret-config trivy-secret.yaml.
# .trivyignore: suppress accepted findings (one ID per line; '#' starts a comment):
#   # accepted risk, reviewed by appsec
#   CVE-2023-12345
#   CVE-2023-67890
# Use .trivyignore.yaml instead when an exception should lapse: its entries take an expired_at date.
# Fail the job above a severity threshold:
trivy fs --exit-code 1 --severity HIGH,CRITICAL ./
echo $?                                      # 1 if any HIGH or CRITICAL was found, else 0
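The two sections above give the pieces of a CI gate: `-f json` output, `--exit-code`, `--ignore-unfixed`, and `.trivyignore`. The following is an added example, not Trivy's own code, that combines them in one script: it reads a Trivy JSON report (`trivy image -f json -o report.json ...` or `trivy fs -f json ...`), drops IDs listed in a `.trivyignore`, optionally skips findings with no fixed version, and returns an exit code for the pipeline. The embedded report and ignore file are constructed samples (the `CVE-0000-000x` IDs and package names are placeholders, not real CVEs), and the script name `trivy_gate.py` is an assumption.

```python
# Added example (not Trivy's own code): gate a CI job on the JSON report written by
# `trivy image -f json -o report.json ...` or `trivy fs -f json -o report.json ./`.
# Policy: block on HIGH/CRITICAL, optionally only when a fix exists (the idea behind
# --ignore-unfixed), and honour a .trivyignore file (one ID per line, '#' comments).
import json
import sys
from collections import Counter

FAIL_ON = ("HIGH", "CRITICAL")


def load_ignore_list(text):
    """Parse .trivyignore text into a set of vulnerability IDs."""
    ids = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # drop whole-line and trailing comments
        if entry:
            ids.add(entry)
    return ids


def iter_vulnerabilities(report):
    """Yield (target, vulnerability); Trivy omits both keys when nothing was found."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report, ignore_ids=frozenset(), fail_on=FAIL_ON, ignore_unfixed=False):
    """Return severity counts, how many IDs were ignored, blocking findings, and an exit code."""
    counts, blocking, ignored = Counter(), [], 0
    for target, vuln in iter_vulnerabilities(report):
        vuln_id = vuln.get("VulnerabilityID", "")
        if vuln_id in ignore_ids:
            ignored += 1
            continue
        severity = vuln.get("Severity", "UNKNOWN").upper()
        counts[severity] += 1
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue                              # counted, but nothing to upgrade to yet
        if severity in fail_on:
            blocking.append({"id": vuln_id, "severity": severity, "package": vuln.get("PkgName", "?"),
                             "installed": vuln.get("InstalledVersion", "?"),
                             "fixed": fixed or "(no fix)", "target": target})
    return {"counts": dict(counts), "ignored": ignored, "blocking": blocking,
            "exit_code": 1 if blocking else 0}


def format_verdict(verdict):
    lines = ["severity counts: " + ", ".join(f"{k}={v}" for k, v in sorted(verdict["counts"].items())),
             f"ignored via .trivyignore: {verdict['ignored']}"]
    for b in verdict["blocking"]:
        lines.append(f"BLOCK {b['severity']:<8} {b['id']:<14} {b['package']} {b['installed']} "
                     f"-> {b['fixed']}  [{b['target']}]")
    return "\n".join(lines)


# Constructed sample in the shape of Trivy's JSON schema v2. CVE-0000-000x are
# placeholders, not real CVE IDs, and the package names are invented.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "my-app:dev", "ArtifactType": "container_image",
    "Results": [
        {"Target": "my-app:dev (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1",
              "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "InstalledVersion": "2.1-3",
              "FixedVersion": "", "Severity": "HIGH"},                      # no fix available yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3", "InstalledVersion": "0.9",
              "FixedVersion": "0.9.1", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib", "InstalledVersion": "3.0.0",
              "FixedVersion": "3.0.1", "Severity": "HIGH"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},   # clean target
    ],
}
SAMPLE_IGNORE = "# accepted risk, reviewed by appsec\nCVE-0000-0004   # dev-only dependency\n"

if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json [--ignore-unfixed]; with no argument it runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
        try:
            with open(".trivyignore", encoding="utf-8") as fh:
                ignore_ids = load_ignore_list(fh.read())
        except FileNotFoundError:
            ignore_ids = set()
        verdict = evaluate(report, ignore_ids, ignore_unfixed="--ignore-unfixed" in sys.argv[2:])
    else:
        verdict = evaluate(SAMPLE_REPORT, load_ignore_list(SAMPLE_IGNORE), ignore_unfixed=True)
    print(format_verdict(verdict))
    sys.exit(verdict["exit_code"])
```

Run as `trivy image -f json -o report.json my-app:dev && python trivy_gate.py report.json --ignore-unfixed`. The script keeps unfixed findings in the counts even when they do not block, so the summary still shows what is waiting on an upstream patch; the ignore file is applied before counting so a suppressed ID neither blocks nor inflates the numbers.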
4. Kubernetes Cluster Scanning
Scan a live cluster for CVEs, misconfigs, and RBAC issues
# Scan the entire cluster (uses the current kubectl context):
trivy k8s --report summary cluster          # summary view
trivy k8s --report all cluster              # detailed per-resource view
# Newer releases (0.50+) dropped the trailing cluster/all argument: `trivy k8s --report summary`
# scans the whole cluster and namespaces are selected with --include-namespaces.
# Scan a specific namespace:
trivy k8s --report summary --namespace production cluster     # older releases
trivy k8s --report summary --include-namespaces production    # 0.50+
# What it checks:
# - Container images for CVEs (pulls and scans each unique image, so it needs registry access
#   and can take a while on a large cluster)
# - Workload misconfigurations (privileged containers, missing limits, hostPID, etc.)
# - Hard-coded secrets, via the secret scanner run over the scanned images
# - RBAC (overly permissive roles, wildcard verbs and resources)
# Scan a single resource:
trivy k8s deployment/my-app -n production
trivy k8s pod/my-pod-xxx -n production
# Misconfig-only scan (faster: no vulnerability DB download):
trivy k8s --scanners misconfig --report summary cluster
# Export results as SARIF for GitHub Actions:
trivy k8s --report all --format sarif --output k8s-results.sarif cluster
5. IaC & CI/CD Integration
Scan Dockerfiles, K8s YAML, Terraform — and use in GitHub Actions
# IaC misconfiguration scanning:
trivy config ./ # scans all IaC in directory
trivy config ./Dockerfile # Dockerfile best-practice checks
trivy config ./k8s-manifests/ # K8s YAML (privileged, hostNetwork, etc.)
trivy config ./terraform/ # Terraform misconfigs
# Example checks Trivy catches in Dockerfile:
# - USER not set (running as root)
# - ADD instead of COPY
# - apt-get upgrade in layer
# - HEALTHCHECK missing
# - --no-cache-dir missing for pip
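The `trivy config` JSON report has a different shape from the vulnerability report: findings live under `Results[].Misconfigurations[]` with a check `ID`, a `Severity`, and a `Status` of `FAIL` or `PASS` (passing checks are listed only with `--include-non-failures`). The following is an added example, not Trivy's own code, of a gate over that output that blocks on HIGH/CRITICAL failures but lets a team waive a named check ID with a written justification, rather than lowering `--severity` for the whole repository. The embedded report is a constructed sample: the IDs follow Trivy's DS (Dockerfile) and KSV (Kubernetes) naming, but the titles, severities and resolutions are part of the sample, not copied from scanner output; the script name `misconfig_gate.py` is an assumption.

```python
# Added example (not Trivy's own code): gate a CI job on the JSON written by
# `trivy config -f json -o misconfig.json ./`. Only findings with Status "FAIL" count;
# a waiver map accepts a named check ID with a justification instead of lowering
# --severity globally, and waived findings stay visible in the output.
import json
import sys
from collections import Counter

FAIL_ON = ("HIGH", "CRITICAL")


def iter_failed_checks(report):
    """Yield (target, finding) for every failed check in Results[].Misconfigurations[]."""
    for result in report.get("Results") or []:
        for finding in result.get("Misconfigurations") or []:
            if finding.get("Status") == "FAIL":
                yield result.get("Target", "?"), finding


def evaluate_misconfigs(report, waivers=None, fail_on=FAIL_ON):
    """waivers maps check ID -> justification. Returns counts, waived, blocking and an exit code."""
    waivers = waivers or {}
    counts, blocking, waived = Counter(), [], []
    for target, finding in iter_failed_checks(report):
        check_id = finding.get("ID", "?")
        severity = finding.get("Severity", "UNKNOWN").upper()
        counts[severity] += 1                    # waived checks are still counted as failures
        entry = {"id": check_id, "severity": severity, "target": target,
                 "title": finding.get("Title", ""), "resolution": finding.get("Resolution", "")}
        if check_id in waivers:
            entry["justification"] = waivers[check_id]
            waived.append(entry)
        elif severity in fail_on:
            blocking.append(entry)
    return {"counts": dict(counts), "waived": waived, "blocking": blocking,
            "exit_code": 1 if blocking else 0}


def format_verdict(verdict):
    lines = ["failed checks by severity: "
             + ", ".join(f"{k}={v}" for k, v in sorted(verdict["counts"].items()))]
    for w in verdict["waived"]:
        lines.append(f"WAIVED {w['id']} ({w['severity']}) in {w['target']}: {w['justification']}")
    for b in verdict["blocking"]:
        lines.append(f"BLOCK  {b['id']} ({b['severity']}) in {b['target']}: {b['title']} -> {b['resolution']}")
    return "\n".join(lines)


# Constructed sample in the shape of Trivy's misconfiguration JSON. Check IDs follow Trivy's
# DS/KSV naming; titles, severities and resolutions here belong to the sample only.
SAMPLE_MISCONFIG_REPORT = {
    "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
    "Results": [
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "MisconfSummary": {"Successes": 20, "Failures": 2, "Exceptions": 0},
         "Misconfigurations": [
             {"ID": "DS002", "Title": "Image user should not be 'root'", "Severity": "HIGH", "Status": "FAIL",
              "Resolution": "Add 'USER <non root user name>' line to the Dockerfile"},
             {"ID": "DS026", "Title": "No HEALTHCHECK defined", "Severity": "LOW", "Status": "FAIL",
              "Resolution": "Add HEALTHCHECK instruction in your Dockerfile"},
             {"ID": "DS005", "Title": "ADD instead of COPY", "Severity": "LOW", "Status": "PASS"}]},
        {"Target": "k8s/deploy.yaml", "Class": "config", "Type": "kubernetes",
         "MisconfSummary": {"Successes": 30, "Failures": 2, "Exceptions": 0},
         "Misconfigurations": [
             {"ID": "KSV017", "Title": "Privileged container", "Severity": "HIGH", "Status": "FAIL",
              "Resolution": "Change 'securityContext.privileged' to 'false'"},
             {"ID": "KSV011", "Title": "CPU not limited", "Severity": "LOW", "Status": "FAIL",
              "Resolution": "Set 'resources.limits.cpu'"}]},
    ],
}
# Waivers belong in version control next to the manifests so the justification gets reviewed.
SAMPLE_WAIVERS = {"DS026": "batch job; liveness is tracked by the scheduler, not by Docker"}

if __name__ == "__main__":
    # Usage: python misconfig_gate.py misconfig.json; with no argument it runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_MISCONFIG_REPORT
    verdict = evaluate_misconfigs(report, SAMPLE_WAIVERS)
    print(format_verdict(verdict))
    sys.exit(verdict["exit_code"])
```

Run as `trivy config -f json -o misconfig.json ./ ; python misconfig_gate.py misconfig.json`. Waiving is keyed on the check ID, so a waiver for DS026 silences the missing HEALTHCHECK everywhere in the tree while DS002 (root user) and KSV017 (privileged) keep failing the job; if a waiver should apply to one file only, extend the map key to `(check_id, target)`.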
# GitHub Actions (add to .github/workflows/security.yml). The job needs security-events: write
# for the SARIF upload, the upload step needs if: always() so results still reach the Security
# tab when --exit-code 1 fails the scan step, and the action should be pinned to a release tag
# or commit SHA rather than a moving branch:
permissions:
  contents: read
  security-events: write
steps:
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master   # pin to a tag or SHA in a real pipeline
    with:
      image-ref: 'my-app:${{ github.sha }}'
      format: 'sarif'
      output: 'trivy-results.sarif'
      severity: 'HIGH,CRITICAL'
      exit-code: '1'

  - name: Upload Trivy scan results to GitHub Security tab
    if: always()
    uses: github/codeql-action/upload-sarif@v3   # v2 is deprecated
    with:
      sarif_file: 'trivy-results.sarif'
# Keep the Trivy DB warm in CI (it lives under ~/.cache/trivy, or --cache-dir; cache that directory between jobs):
trivy image --download-db-only              # pre-download the DB in a setup step
trivy image --skip-db-update nginx          # reuse the cached DB in later steps (no network round-trip)
# Trivy server mode (share one DB across many scan jobs):
trivy server --listen 0.0.0.0:4954 --token "$TRIVY_TOKEN"                   # start once; --token makes clients authenticate
trivy image --server http://trivy:4954 --token "$TRIVY_TOKEN" nginx:latest  # client mode, no local DB needed
# The server speaks plain HTTP, so keep it on an internal network or behind a TLS-terminating proxy.