Trivy Rules
Comprehensive security scanner for containers, filesystems, and IaC. Find vulnerabilities, misconfigurations, and secrets.
3 rules
Base Image Selection Standards
level: Intermediate
Define approved base images for container builds — prefer minimal images (Alpine, Distroless), pin versions by digest, and require regular updates to reduce vulnerability surface.
globs: **/Dockerfile*, **/docker-compose*, **/.dockerignore
tags: base-images, distroless, alpine, container-hardening
Vulnerability Ignore Policy
level: Intermediate
Define strict standards for .trivyignore entries — every ignored CVE must have documented justification, a review date, and approval from a security-responsible team member.
globs: **/.trivyignore, **/trivy*
tags: trivyignore, vulnerability-management, policy, compliance
Scan Before Push Policy
level: Beginner
Mandate Trivy scanning of all container images before pushing to registries — no image enters production without passing vulnerability and misconfiguration checks.
globs: **/Dockerfile*, **/.trivyignore, **/.github/workflows/**, **/docker-compose*
tags: scan-before-push, container-security, policy, ci-gate