Installing Trivy on Ubuntu - Container Security Scanner

Installing Trivy on Ubuntu

Find vulnerabilities in your containers before they find you

📅 October 21, 2025 | ⏱️ 3 min read | 🏷️ Trivy, Security, DevOps

Trivy is a vulnerability scanner that checks container images, filesystems, and Git repositories for security issues: known CVEs in OS packages and application dependencies, infrastructure-as-code misconfigurations, and hard-coded secrets. Basically anything that could bite you later.

It's fast, accurate, and easy to integrate into your CI/CD pipeline. Let's get it installed.

What You Need

  • Ubuntu (any recent version)
  • Sudo access
  • Internet connection

The Installation

Step 1: Install Dependencies

Get the tools needed for adding repositories:

sudo apt-get install wget apt-transport-https gnupg lsb-release -y

Step 2: Add Trivy GPG Key

Download the signing key and store it in its own keyring. Don't use apt-key add: it is deprecated on current Ubuntu releases, and it drops the key into the global trusted keyring, where it would validate packages from any repository, not just Trivy's:

sudo install -m 0755 -d /etc/apt/keyrings
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null

This is what lets apt verify that the packages you download really come from Aqua Security.

Step 3: Add Trivy Repository

Add the repository to your sources, bound to that key with signed-by:

echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list

lsb_release -sc fills in your Ubuntu codename (jammy, noble, and so on). Writing the file with tee rather than tee -a means re-running the step doesn't leave duplicate entries behind.

Step 4: Update Package List

Refresh to include the Trivy repository:

sudo apt-get update -y

Step 5: Install Trivy

Now install it:

sudo apt-get install trivy -y

Verify Installation

Check that Trivy is installed:

trivy --version

You should see the version number. That means it's ready.

All Commands Together

Here's the complete installation as one script (dedicated keyring plus signed-by, so the key only trusts this repository):

sudo apt-get install wget apt-transport-https gnupg lsb-release -y
sudo install -m 0755 -d /etc/apt/keyrings
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install trivy -y

Test It Out

Scan a container image to see if it works:

trivy image ubuntu:latest

Trivy will pull the image, scan its OS packages and application dependencies, and print a table of findings. The first scan takes longer because Trivy downloads its vulnerability database before scanning. After that, scans are fast.

First run: the database download only happens on the first scan. Trivy then refreshes it automatically whenever it is stale, so you don't normally have to manage it yourself. Give the first run a minute.

Common Use Cases

Here are some useful commands:

# Scan a local image
trivy image myapp:latest

# Scan a filesystem or directory
trivy fs /path/to/project

# Scan only high and critical vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest

# Output as JSON
trivy image --format json --output result.json alpine:latest

# Scan a Git repository
trivy repo https://github.com/your-org/your-repo

Update Vulnerability Database

Trivy refreshes its database automatically when it is stale, but you can download it up front without scanning anything. This is handy when building a CI runner image: bake the database in here, then pass --skip-db-update to the scan step so every job doesn't hit the network.

trivy image --download-db-only

Use in CI/CD

Trivy works great in pipelines. Add it to your Jenkinsfile, GitHub Actions, or GitLab CI:

# Fail the build if critical vulnerabilities are found
trivy image --exit-code 1 --severity CRITICAL myapp:latest

With --exit-code 1, Trivy returns a non-zero status whenever it finds anything at the selected severities, which fails the build. Note that this counts vulnerabilities with no available fix as well; add --ignore-unfixed if you only want the build to fail on findings you can actually clear by upgrading a package.

Pro tip: Integrate Trivy early in your pipeline - scan during build, not after deployment. Catch vulnerabilities before they reach production.

Ignore Specific Vulnerabilities

Sometimes you need to ignore certain CVEs. Create a .trivyignore file in the directory you run Trivy from: one vulnerability ID per line, # for comments, and an optional exp:YYYY-MM-DD after which the entry stops applying and the finding reappears:

# Ignore this CVE
CVE-2023-12345
# Ignore with expiration date
CVE-2023-67890 exp:2025-12-31

Important: Only ignore vulnerabilities after you've assessed the risk. Document why you're ignoring them. Don't just silence security issues.
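The two pipeline pieces above, the exit-code gate and the ignore list with expiry dates, can also be applied to Trivy's JSON output after the fact, which is useful when one scan feeds several jobs. The script below is an added example written for this post, not Trivy's own code. It assumes the top-level shape of trivy image --format json output (Results[] containing Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) and the .trivyignore line format shown above; the sample report and ignore list are constructed, the CVE IDs are placeholders, and the file name trivy_gate.py is hypothetical.

```python
"""CI gate over a Trivy JSON report that honours a .trivyignore list.

Added example for this post, not Trivy's own code. Assumed: the shape of
`trivy image --format json` output (Results[] -> Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and the
.trivyignore line format (one ID per line, '#' comments, optional
'exp:YYYY-MM-DD'). The sample report and ignore list below are constructed.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_trivyignore(text, today):
    """Return the IDs still suppressed on `today` (a date or ISO string).

    An entry with `exp:` is honoured up to and including that date; after it
    the entry is dropped, so the finding resurfaces instead of staying silenced.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        vuln_id, *opts = line.split()
        expiry = None
        for opt in opts:
            if opt.startswith("exp:"):
                expiry = date.fromisoformat(opt[4:])
        if expiry is not None and today > expiry:
            continue                           # expired: no longer ignored
        active.add(vuln_id)
    return active


def blocking_findings(report, ignored, min_severity="HIGH", ignore_unfixed=True):
    """Select the findings that should fail the build.

    Mirrors `trivy --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed`:
    keep findings at or above min_severity, drop ignored IDs, and (by default)
    drop findings with no FixedVersion because an upgrade cannot clear them.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if v["VulnerabilityID"] in ignored:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            blocking.append({
                "id": v["VulnerabilityID"], "severity": v.get("Severity"),
                "pkg": v.get("PkgName"), "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion"), "target": result.get("Target"),
            })
    return blocking


def run_gate(report, ignore_text, today):
    """Apply the ignore list to a report; returns the list of blocking findings."""
    return blocking_findings(report, parse_trivyignore(ignore_text, today))


# Constructed sample data: the IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [{
        "Target": "myapp:latest (debian 12.7)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-12345", "PkgName": "libexample1",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-67890", "PkgName": "libother0",
             "InstalledVersion": "2.3-1", "FixedVersion": "2.3-4", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-11111", "PkgName": "libnofix",
             "InstalledVersion": "0.9-1", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-22222", "PkgName": "libminor",
             "InstalledVersion": "4.1-1", "FixedVersion": "4.1-2", "Severity": "LOW"},
        ],
    }],
}

SAMPLE_IGNORE = """\
# Ignore this CVE
CVE-2023-12345
# Ignore with expiration date
CVE-2023-67890 exp:2025-12-31
"""

if __name__ == "__main__":
    # Usage: trivy image --format json --output report.json myapp:latest
    #        python3 trivy_gate.py report.json .trivyignore
    # With no arguments the constructed sample is used instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
        with open(sys.argv[2]) as fh:
            ignore_text = fh.read()
    else:
        report, ignore_text = SAMPLE_REPORT, SAMPLE_IGNORE
    findings = run_gate(report, ignore_text, date.today())
    for f in findings:
        print(f"{f['severity']:<9}{f['id']:<17} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    sys.exit(1 if findings else 0)
```

Run against the sample on a date before 2025-12-31 and both ignored CVEs are suppressed, the unfixed HIGH is skipped and the LOW is below the bar, so the gate passes. Run it after that date and CVE-2023-67890 comes back as a blocking finding, which is exactly the behaviour you want from an expiry: a risk acceptance that lapses loudly instead of silently.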

That's It

Trivy is installed and ready to scan. Now you can catch vulnerabilities before they become problems. Run it locally during development, in your CI/CD pipeline, and anywhere else you need to check for security issues.

Happy scanning! 🔒

Written by someone who learned about CVEs the hard way | 2025
