Aqua Security’s open source Trivy vulnerability scanner is now available as an Aqua Security Trivy GitHub Action. The action integrates with GitHub code scanning so developers can build container image scanning into their GitHub Actions workflow to find and eliminate vulnerabilities before they reach production.

GitHub code scanning integrates with GitHub Actions or users’ existing CI/CD environments and scans code as it’s created. It thus helps in surfacing actionable security reviews within pull requests and other GitHub experiences.

The Aqua Security Trivy Action integration finds vulnerabilities (CVEs) in the OS package dependencies and language libraries built into a container image.

The Trivy Action alerts developers to known CVEs via the GitHub user interface to quickly and easily update these dependencies and eliminate the risk.

It generates output in a format called SARIF that GitHub supports for ingesting security information. The output from an image scan appears right in the GitHub code scanning UI, specifically under a project repository’s Security tab.

The Aqua Security Trivy Action is now available on the GitHub Marketplace.