Scanning Local Docker Images with Trivy
Begin by scanning images in your local Docker environment. This approach allows you to test images before pushing them to registries:
# Build a sample Docker image
cat << EOF > Dockerfile
FROM node:14-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
EOF
# Build the image
docker build -t myapp:vulnerable .
# Scan with Trivy - basic scan
trivy image myapp:vulnerable
# Detailed scan with dependency tree
trivy image --dependency-tree myapp:vulnerable
# Scan specific layers
trivy image --layers myapp:vulnerable
# Output in different formats
trivy image --format json myapp:vulnerable > scan-results.json
trivy image --format table --severity CRITICAL,HIGH myapp:vulnerable
Interpreting Trivy's layer analysis output:
# Example layer-specific output
myapp:vulnerable (alpine 3.14.2)
Total: 45 (CRITICAL: 2, HIGH: 15, MEDIUM: 20, LOW: 8)
┌──────────────┬───────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────┐
│ Library      │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                   │
├──────────────┼───────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2021-3711 │ CRITICAL │ 1.1.1k-r0         │ 1.1.1l-r0     │ openssl: SM2 Decryption Buffer Overflow │
│ libssl1.1    │ CVE-2021-3712 │ HIGH     │ 1.1.1k-r0         │ 1.1.1l-r0     │ openssl: Read buffer overflow in X509   │
└──────────────┴───────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────┘
Layer 1 (node:14-alpine): 35 vulnerabilities
Layer 2 (npm install): 10 vulnerabilities
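The table and per-layer counts above are what Trivy prints for a human; in a pipeline you normally consume the `--format json` report produced by the earlier command instead. The script below is an added example, not part of the original page or of the Trivy project: it parses a report in the shape Trivy writes (a top-level `Results` list, each entry carrying a `Vulnerabilities` list whose items include `Severity`, `FixedVersion` and a `Layer.DiffID`), counts findings per severity and per layer, and exits non-zero when any CRITICAL or HIGH finding already has a fixed version available. The embedded report is constructed for the example: the two OpenSSL rows mirror the table above, while the layer digests and the third finding are placeholders. The script name `trivy_gate.py` is likewise an assumption.

```python
"""Parse `trivy image --format json` output and apply a simple CI gate."""
import json
import sys
from collections import Counter

# Constructed sample shaped like Trivy's JSON report (SchemaVersion 2).
# The two OpenSSL findings mirror the table above; the layer DiffIDs and
# the third finding are made-up placeholders, not real data.
SAMPLE_TRIVY_JSON = r"""{
  "SchemaVersion": 2, "ArtifactName": "myapp:vulnerable", "ArtifactType": "container_image",
  "Results": [
    {"Target": "myapp:vulnerable (alpine 3.14.2)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libcrypto1.1",
        "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL",
        "Title": "openssl: SM2 Decryption Buffer Overflow",
        "Layer": {"DiffID": "sha256:PLACEHOLDER-base-layer"}},
       {"VulnerabilityID": "CVE-2021-3712", "PkgName": "libssl1.1",
        "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "HIGH",
        "Title": "openssl: Read buffer overflow in X509",
        "Layer": {"DiffID": "sha256:PLACEHOLDER-base-layer"}}]},
    {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
     "Vulnerabilities": [
       {"VulnerabilityID": "PLACEHOLDER-0001", "PkgName": "example-dep",
        "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "MEDIUM",
        "Title": "constructed finding with no fix available",
        "Layer": {"DiffID": "sha256:PLACEHOLDER-npm-layer"}}]}
  ]
}"""

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def load_report(text):
    """Parse the JSON text of a Trivy report into a dict."""
    return json.loads(text)


def iter_vulns(report):
    """Yield (target, vulnerability) pairs; Trivy emits null for targets with no findings."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report):
    """Count findings by severity and by the layer (DiffID) that introduced the package."""
    by_severity, by_layer = Counter(), Counter()
    for _, vuln in iter_vulns(report):
        by_severity[vuln.get("Severity", "UNKNOWN")] += 1
        by_layer[(vuln.get("Layer") or {}).get("DiffID", "<unknown>")] += 1
    return dict(by_severity), dict(by_layer)


def fixable_findings(report, severities=("CRITICAL", "HIGH")):
    """Findings at the given severities for which the distro/ecosystem already ships a fix."""
    return [
        (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["FixedVersion"])
        for _, v in iter_vulns(report)
        if v.get("Severity") in severities and v.get("FixedVersion")
    ]


def gate(report, severities=("CRITICAL", "HIGH")):
    """True when the image may ship: nothing at the gated severities has a fix we are ignoring."""
    return not fixable_findings(report, severities)


def render(report):
    """Human-readable summary in the spirit of Trivy's table output."""
    by_severity, by_layer = summarize(report)
    total = sum(by_severity.values())
    sev = ", ".join(f"{s}: {by_severity[s]}" for s in SEVERITY_ORDER if by_severity.get(s))
    lines = [f"{report.get('ArtifactName', '?')}: Total {total} ({sev})"]
    lines += [f"  layer {layer}: {n} findings" for layer, n in sorted(by_layer.items())]
    lines += [f"  FIX AVAILABLE {cve} {pkg} {cur} -> {fixed}"
              for cve, pkg, cur, fixed in fixable_findings(report)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python trivy_gate.py scan-results.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRIVY_JSON
    rep = load_report(text)
    print(render(rep))
    sys.exit(0 if gate(rep) else 1)
```

Gating on "severity AND a fix exists" rather than on severity alone is deliberate: a finding with no `FixedVersion` cannot be resolved by rebuilding, so failing the build on it only trains people to disable the scanner. Grouping by `Layer.DiffID` tells you whether a fix means bumping the base image (the `node:14-alpine` layer) or re-running `npm install` against updated dependencies.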