Scans container images for vulnerabilities with Trivy running inside a sandboxed Docker container.
This action is a fork of aquasecurity/trivy-action, hardened by running Trivy inside a sandboxed Docker container. Credits to Aqua Security for the original action.
This action runs Trivy inside a Docker container with strict security settings to prevent container escape:
* --read-only filesystem — the container's root filesystem is read-only
* --cap-drop ALL — all Linux capabilities are dropped
* --security-opt no-new-privileges:true — prevents privilege escalation inside the container
* All scan targets are mounted read-only
* Only the output and cache directories are mounted writable
* A tmpfs is mounted at /tmp for Trivy's temporary files
* No direct Docker socket access — image scans use docker save to export a tar file which is mounted read-only into the container
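As an added example (not the action's own code), a shell dry run that assembles the hardened `docker run` invocation described in the list above, exports the image with `docker save` instead of exposing the Docker socket, and checks that a given command line carries each hardening flag. The Trivy image tag, mount paths inside the container and the JSON output format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the action's own code. Builds the hardened docker run
# command as a dry run and verifies a command line against the hardening list.
set -eu

TRIVY_IMAGE="aquasec/trivy:latest"   # assumption: pin to a digest in real use

# export_image IMAGE TAR: docker save replaces any Docker socket mount;
# the resulting tar is what gets mounted read-only into the scanner.
export_image() {
  docker save "$1" -o "$2"
}

# build_trivy_cmd IMAGE_TAR OUT_DIR CACHE_DIR: prints the docker run command.
# Only OUT_DIR and CACHE_DIR are writable; the scan target is read-only.
build_trivy_cmd() {
  local tar="$1" out="$2" cache="$3"
  printf '%s ' docker run --rm \
    --read-only \
    --cap-drop ALL \
    --security-opt no-new-privileges:true \
    --tmpfs /tmp \
    -v "$tar:/scan/image.tar:ro" \
    -v "$out:/out" \
    -v "$cache:/root/.cache/trivy" \
    "$TRIVY_IMAGE" image --input /scan/image.tar \
    --format json --output /out/results.json
  printf '\n'
}

# check_hardening CMD: returns 0 only if every required flag is present and
# the Docker socket is not mounted; reports the first violation on stderr.
check_hardening() {
  local cmd="$1" flag
  for flag in '--read-only' '--cap-drop ALL' \
              '--security-opt no-new-privileges:true' '--tmpfs /tmp'; do
    case "$cmd" in
      *"$flag"*) ;;
      *) echo "missing hardening flag: $flag" >&2; return 1 ;;
    esac
  done
  case "$cmd" in
    *'/var/run/docker.sock'*) echo "docker socket is mounted" >&2; return 1 ;;
  esac
  return 0
}
```

Running `build_trivy_cmd ./image.tar ./out ./cache` prints the command for review; pipe the output through `check_hardening` before executing it in a workflow.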
flarecoder•1h ago
Contributions are welcome to improve this!