If you plan to deploy a container to your Kubernetes cluster, it is worth knowing whether there are any known Common Vulnerabilities and Exposures (CVEs) associated with that container image. Trivy is a useful and easy-to-use tool for scanning images before deploying them to your environment.
First, install Trivy on a host that has internet access. This can be the same machine you normally run "kubectl" commands from, or any other machine that is able to pull container images. Internet access is needed both to pull the image and to download Trivy's vulnerability database, which it fetches on first use and refreshes periodically. The documentation for installing Trivy is located here:
Once Trivy is installed, you can specify an image to scan with a command like the following:
trivy image alpine:3.16.2
Trivy will pull the image, scan the packages it finds in the image against its database of known vulnerabilities, and print a report of what it finds. Pinning the image tag, as in the example above, matters: scanning "alpine" without a tag scans whatever "latest" resolves to today, which may not be the image you actually deploy.
If you only care about certain severities, you can restrict the report to those severities (the scan itself is unchanged; only the output is filtered):
trivy image --severity=HIGH,CRITICAL alpine:3.16.2
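Reading the human-readable table is fine for a one-off check, but in a CI pipeline you usually want to gate the deployment on the result. The script below is an added example, not part of the original post or of the Trivy project: it parses the JSON that "trivy image --format json --output report.json alpine:3.16.2" writes, counts findings by severity, and decides whether the image should be blocked. The embedded report is constructed for the example, with placeholder CVE identifiers and package names rather than real findings, and only the top-level fields Trivy's JSON schema actually contains (SchemaVersion, ArtifactName, Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are relied on.

```python
import json
import sys
from collections import Counter

# Severity levels Trivy uses, ordered from lowest to highest.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
_RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample of a Trivy JSON report, shaped like the output of
#   trivy image --format json --output report.json alpine:3.16.2
# The CVE IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "alpine:3.16.2",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "alpine:3.16.2 (alpine 3.16.2)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
         "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "examplelib",
         "InstalledVersion": "1.0.0-r0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
         "InstalledVersion": "2.3.0-r1", "FixedVersion": "2.3.1-r0", "Severity": "MEDIUM"}
      ]
    }
  ]
}
""")


def findings(report, min_severity="UNKNOWN", ignore_unfixed=False):
    """Return the vulnerabilities at or above min_severity across all Results.

    A Result with no findings may omit the "Vulnerabilities" key (or carry
    null), so a missing key is treated as an empty list. Unknown severity
    strings are ranked as UNKNOWN rather than raising.
    """
    floor = _RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if _RANK.get(severity, 0) < floor:
                continue
            # Findings with no fixed version cannot be resolved by upgrading
            # the package; skipping them mirrors Trivy's --ignore-unfixed.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": severity,
            })
    return out


def severity_counts(report):
    """Count all findings in the report by severity."""
    return Counter(v["severity"] for v in findings(report))


def should_block_deploy(report, min_severity="HIGH", ignore_unfixed=False):
    """True if any finding at or above min_severity remains after filtering."""
    return len(findings(report, min_severity, ignore_unfixed)) > 0


def load_report(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; without an argument the constructed sample is used.
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Image:", report.get("ArtifactName"))
    for sev in reversed(SEVERITIES):
        n = severity_counts(report).get(sev, 0)
        if n:
            print(f"  {sev:<9}{n}")
    for v in findings(report, "HIGH"):
        print(f"  {v['severity']:<9}{v['id']}  {v['package']} {v['installed']} -> {v['fixed'] or 'no fix'}")
    blocked = should_block_deploy(report, "HIGH")
    print("BLOCK" if blocked else "OK")
    sys.exit(1 if blocked else 0)
```

The script exits non-zero when HIGH or CRITICAL findings are present, so it can stand in front of a "kubectl apply" step. Trivy can do the same gate natively with its "--exit-code 1" flag combined with "--severity HIGH,CRITICAL"; parsing the JSON yourself is worth it when you also want to record which packages and fixed versions drove the decision, or to treat unfixed findings differently from ones a package upgrade would resolve.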