Security vulnerability scanning using Trivy for ecommerce project. Scans dependencies, container images, and IaC. Blocks CRITICAL and HIGH severity. Triggers on "trivy", "vulnerability scan", "security scan", "container scan", "cve", "dependency scan", "npm audit", "docker scan", "security check". PROACTIVE: MUST invoke before committing code with new dependencies.
| Scan Type | Command | When |
|---|---|---|
| Dependencies | trivy fs . | package.json changes |
| Container | trivy image <name> | Dockerfile changes |
| IaC | trivy config . | Terraform changes |
| Trigger | Action |
|---|---|
| package.json changed | Scan filesystem |
| package-lock.json changed | Scan filesystem |
| Dockerfile modified | Scan config + image |
| *.tf files changed | Scan IaC config |
| Before commit with deps | MANDATORY scan |
```bash
# Most common - scan Node.js dependencies
trivy fs \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  --ignore-unfixed \
  --format table \
  .
```

```bash
# Build image first
docker build -t local-scan:latest .

# Scan the image
trivy image \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  --ignore-unfixed \
  local-scan:latest
```

```bash
# Scan Terraform files
trivy config \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  infra/terraform/
```
| Severity | Action | Commit Allowed |
|---|---|---|
| CRITICAL | BLOCK - Fix immediately | NO |
| HIGH | BLOCK - Fix or upgrade | NO |
| MEDIUM | WARN - Plan remediation | YES |
| LOW | INFO - Document | YES |
```bash
# Check which version fixes the CVE
npm audit

# Upgrade specific package
npm install package@latest

# Or use npm audit fix
npm audit fix

# Show fixed versions in JSON
trivy fs --severity CRITICAL,HIGH --format json . | \
  jq '.Results[].Vulnerabilities[] | {pkg: .PkgName, installed: .InstalledVersion, fixed: .FixedVersion}'
```

```json
// package.json
{
  "overrides": {
    "vulnerable-package": "^X.Y.Z"
  }
}
```
Create `.trivyignore`:

```text
# CVE-2023-XXXXX: Not exploitable - we don't use affected feature
CVE-2023-XXXXX
```
WARNING: Every exclusion MUST have documented justification.
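The severity policy in the table above, the `jq` projection of fixed versions, and the rule that every `.trivyignore` exclusion carries a justification comment, combined into one triage script. This is an added example, not part of the project; the report is a constructed sample using Trivy's JSON field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), and the CVE ids are placeholders.

```python
"""Triage a Trivy JSON report against the severity table above (constructed sample inline)."""
import json

# Severity -> (action, commit allowed), copied from the severity table.
POLICY = {"CRITICAL": ("BLOCK", False), "HIGH": ("BLOCK", False),
          "MEDIUM": ("WARN", True), "LOW": ("INFO", True), "UNKNOWN": ("INFO", True)}

def parse_trivyignore(text):
    """CVE ids from .trivyignore; each must follow a '#' justification comment."""
    ignored, justified = set(), False
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("#"):
            justified = True
        elif not justified:
            raise ValueError(f"{line}: exclusion without documented justification")
        else:
            ignored.add(line)
            justified = False
    return ignored

def triage(report, ignored=frozenset()):
    """Return (commit_allowed, findings); findings mirror the jq projection above."""
    allowed, findings = True, []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # null when the target is clean
            if v["VulnerabilityID"] in ignored:
                continue
            action, ok = POLICY.get(v.get("Severity", "UNKNOWN"), POLICY["UNKNOWN"])
            allowed = allowed and ok
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "installed": v["InstalledVersion"],
                             "fixed": v.get("FixedVersion", ""),
                             "severity": v.get("Severity", "UNKNOWN"), "action": action})
    return allowed, findings

# Constructed sample: two findings in package-lock.json, one of them ignored with a reason.
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "package-lock.json", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib", "InstalledVersion": "1.0.0",
   "FixedVersion": "1.0.1", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib", "InstalledVersion": "2.3.0",
   "FixedVersion": "2.4.0", "Severity": "MEDIUM"}]}]}""")
SAMPLE_IGNORE = "# CVE-0000-0001: affected feature is not used in this service\nCVE-0000-0001\n"

if __name__ == "__main__":
    ok, found = triage(SAMPLE_REPORT, parse_trivyignore(SAMPLE_IGNORE))
    for f in found:
        print(f"{f['action']:5} {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    raise SystemExit(0 if ok else 1)   # same contract as trivy --exit-code 1
```

Run it against a real `report.json` by replacing `SAMPLE_REPORT` with `json.load(open("report.json"))`; an unjustified `.trivyignore` entry raises before any finding is suppressed.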
```bash
cd apps/backend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

cd apps/frontend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .
```

```bash
# Build all images
docker-compose -f docker-compose.full.yml build

# Scan each
trivy image ecommerce-demo-backend:latest
trivy image ecommerce-demo-frontend:latest
```

```bash
trivy config --severity CRITICAL,HIGH infra/terraform/
```
The project has Trivy in CI (`.github/workflows/backend-ci.yml`):

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: 'apps/backend'
    format: 'json'
    output: 'security/reports/trivy-backend-${{ github.sha }}.json'
```
Reports saved to security/reports/ for Claude CVE analysis.
When Trivy finds vulnerabilities:

1. Get the report

   ```bash
   trivy fs --format json --output report.json .
   ```

2. Ask Claude to analyze

   ```text
   Analyze report.json for contextual CVE prioritization.
   For each CVE:
   - Search codebase for usage of affected library
   - Evaluate if attack vector is exposed
   - Provide remediation priority
   ```

3. Follow remediation plan
Before committing with dependency changes:

- Trivy installed (`brew install trivy`)
- Run `trivy fs --severity CRITICAL,HIGH --exit-code 1 .`
- `.trivyignore` entries justified

| Issue | Solution |
|---|---|
| trivy: command not found | brew install trivy |
| Slow scan | Use --skip-update after first run |
| False positive | Add to .trivyignore with justification |
| Transitive dependency | Use overrides in package.json |
| Old DB | Run trivy --download-db-only |