Skip to content

Vulnerability Scanner (Trivy)

The registry includes Trivy, a scanner that analyzes your images for known vulnerabilities (CVE) in system packages and application dependencies.

What is it for?

An image, even an official one, may include libraries with security flaws. The scan allows you to identify these flaws, determine their severity, and check if a patch exists.

Run a manual scan

You must be at least a Maintainer of the project.

  1. Open your project > Repositories tab, then select a repository
  2. Check the artifacts (tags) to analyze
  3. Click SCAN

Trivy scan launch

The scan runs in the background; the status progresses from Queued to Done.

Automatic scan on push

The project can be configured to automatically scan each image as soon as it is pushed.

  1. Open your project > Configuration tab
  2. Check Automatically scan images on push
  3. Save

Push scan configuration

Reading the results

The Vulnerabilities column displays a color-coded summary by severity level:

Color Meaning
Green No vulnerabilities detected
Blue Low severity vulnerabilities
Yellow Medium severity vulnerabilities
Orange High severity vulnerabilities
Red Critical severity vulnerabilities
Gray Unknown status (image not scanned)

The summary also indicates the total number of vulnerabilities and how many are fixable. You can hover over the icon to see the breakdown by severity level.

Vulnerability summary

Detailed report

Click on the artifact’s digest to open the full report. For each vulnerability, you will find:

  • the CVE identifier (with a link to its description),
  • the package concerned and its installed version,
  • the severity level,
  • the fixed version when a patch exists.

You can sort and filter the list by column, and rerun a scan directly from the report.

Vulnerability report

What to do with the results?

Reducing vulnerabilities in your images

  • Update your base image (docker pull the latest version, then rebuild).
  • Prefer minimal base images (alpine, -slim, distroless): fewer packages, smaller attack surface.
  • Update application dependencies flagged as fixable.
  • Regularly rebuild and repush your images to incorporate patches.

CVE database update

Trivy automatically updates its vulnerability database. A rescanned tag may later reveal new vulnerabilities discovered in the meantime.