
Trivy on Ubuntu 24.04 on Azure User Guide

Product: Trivy on Ubuntu 24.04 LTS on Azure

Overview

Trivy is a widely used open-source security scanner maintained by Aqua Security. From a single CLI it finds vulnerabilities in OS packages and language dependencies, misconfigurations in infrastructure-as-code (Terraform, Kubernetes, Dockerfile, CloudFormation, Helm), exposed secrets and software licences, and it generates SBOMs - across container images, filesystems, running systems, git repositories and cloud accounts. The cloudimg image installs Trivy 0.71.2 as the /usr/bin/trivy command, pre-downloads the vulnerability database into a shared system cache so your first scan does not have to fetch it, and exports the cache location (TRIVY_CACHE_DIR) for every login shell. Backed by 24/7 cloudimg support.

What is included:

  • Trivy 0.71.2 (the /usr/bin/trivy CLI) from the official Aqua Security release
  • The vulnerability database pre-downloaded into a shared cache at /var/lib/trivy
  • TRIVY_CACHE_DIR exported for every login shell (via /etc/profile.d/trivy.sh)
  • Container-image scanning with no Docker daemon required
  • Vulnerability, misconfiguration (IaC), secret, licence and SBOM scanning
  • 24/7 cloudimg support

This is a command-line product: no web UI, no listening service, no open ports beyond SSH.

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network. No inbound application ports are needed.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Trivy by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22). Then Review + create -> Create.

Step 2 - Deploy from the Azure CLI (alternative to Step 1)

az vm create \
  --resource-group <your-rg> \
  --name trivy \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm Trivy is installed

trivy --version

It reports Version: 0.71.2 followed by the metadata of the cached vulnerability DB (its schema version and UpdatedAt/NextUpdate/DownloadedAt timestamps). The DB block only appears when TRIVY_CACHE_DIR points at a populated cache, so it doubles as a quick check that the shared cache is being picked up.

Step 5 - Confirm the vulnerability database is pre-cached

The database is downloaded at build time into a shared cache, so your first scan does not have to download it first:

ls -lh /var/lib/trivy/db/trivy.db

TRIVY_CACHE_DIR=/var/lib/trivy is exported for every login shell, so trivy uses this shared cache automatically.

Step 6 - Scan this server's filesystem

Run a real vulnerability scan of the running system's OS packages. The TRIVY_CACHE_DIR prefix is redundant in a login shell, but it is what makes the same command work from cron or from a non-login ssh command, which do not source /etc/profile.d; --skip-db-update scans with whatever DB is in the cache, so leave it out when you want Trivy to refresh the DB first:

TRIVY_CACHE_DIR=/var/lib/trivy trivy rootfs --scanners vuln --severity HIGH,CRITICAL --skip-db-update --no-progress /

Trivy prints a report summary and a table of any HIGH/CRITICAL vulnerabilities with their fixed versions.


Step 7 - Scan a container image (no Docker needed)

Trivy pulls the image layers directly from the container registry and scans them locally - no Docker daemon is needed on this VM:

trivy image --severity HIGH,CRITICAL python:3.9


Step 8 - Scan infrastructure-as-code for misconfigurations

Point Trivy at a directory of Terraform, Kubernetes manifests, Dockerfiles or CloudFormation to find misconfigurations:

trivy config /path/to/your/iac


Step 9 - More scanners

Trivy is an all-in-one scanner. A few more common commands:

# Detect exposed secrets in a directory or repo
trivy fs --scanners secret /path/to/code

# Scan a git repository
trivy repo https://github.com/your-org/your-repo

# Generate a CycloneDX SBOM for an image
trivy image --format cyclonedx --output sbom.json python:3.9

# Fail a CI build when CRITICAL issues are found
trivy image --exit-code 1 --severity CRITICAL myimage:latest
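Trivy's own --exit-code, --ignore-unfixed and .trivyignore cover the simple gate above. When a pipeline already keeps the JSON report (trivy image --format json --output report.json <image>) for archiving or ticketing, it is often cleaner to make the pass/fail decision from that report in one place. The script below is an added example written for this guide, not part of Trivy: it walks the Results[].Vulnerabilities[] structure of Trivy's JSON output, ignores findings with no FixedVersion, honours a reviewed allowlist, and returns a CI exit code. The report embedded in it is constructed for the example; its CVE IDs, package names and versions are made up.

```python
"""Gate a CI build on a Trivy JSON report (added example, not Trivy code)."""
import json
import sys

# Constructed sample report: the layout follows Trivy's JSON output,
# the IDs, packages and versions are invented for this example.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.2.3-1", "FixedVersion": "1.2.3-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother0",
                 "InstalledVersion": "0.9.0-3", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libmisc2",
                 "InstalledVersion": "2.0.0-1", "FixedVersion": "2.0.1-1",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
                 "InstalledVersion": "3.1.0", "FixedVersion": "3.1.4",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report, min_severity="HIGH", ignore_unfixed=True, allowlist=()):
    """Return the vulnerabilities that should block the build, worst first."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        # Results for secrets/misconfig have no Vulnerabilities key (or null).
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no fix to upgrade to yet: track it, do not block
            if vuln["VulnerabilityID"] in allowlist:
                continue  # risk accepted and documented outside this script
            blocking.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln["Severity"],
            })
    blocking.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))
    return blocking


def gate(report_text, **policy):
    """Parse a report and return (exit_code, blocking_findings) for CI."""
    blocking = findings(json.loads(report_text), **policy)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the sample report)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    code, blocking = gate(text)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']:16} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']}  ({f['target']})")
    print(f"{len(blocking)} blocking finding(s)")
    sys.exit(code)
```

Keeping the allowlist in the script's caller (a reviewed file in the repo) rather than in the image means an accepted risk has an owner and an expiry, which a bare --severity filter does not give you.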


Updating the database

Trivy refreshes the vulnerability database automatically when it ages out (it is fetched from ghcr.io). To update it on demand:

trivy image --download-db-only

The shared cache at /var/lib/trivy is world-writable (with the sticky bit set) so any user can refresh it. The flip side is that any local user can also replace the cached database, and the results every other user gets then depend on whatever was written there. On a multi-user host, tighten that to a dedicated group (for example chgrp -R trivy /var/lib/trivy && chmod -R g+w,o-w /var/lib/trivy, assuming a group named trivy) and add only the accounts that run scans.
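Both Step 5 (scanning with --skip-db-update against the pre-cached DB) and the on-demand refresh above raise the same question: how old is the database you are actually scanning with? Trivy writes a metadata.json next to trivy.db in the cache's db/ directory with Version, UpdatedAt, NextUpdate and DownloadedAt fields. The check below is an added example for this guide, not Trivy's own code; it assumes those field names and RFC 3339 timestamps, and the metadata it embeds is constructed. It returns whether the DB is within a freshness policy (so --skip-db-update is safe) and whether Trivy's own NextUpdate has passed (so a newer DB is probably available).

```python
"""Check whether the cached Trivy DB is fresh enough to scan with
--skip-db-update (added example, not Trivy code)."""
import json
import os
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of <cache>/db/metadata.json (assumed format).
SAMPLE_METADATA = json.dumps({
    "Version": 2,
    "NextUpdate": "2025-01-01T06:00:00Z",
    "UpdatedAt": "2025-01-01T00:00:00Z",
    "DownloadedAt": "2025-01-01T01:30:00Z",
})


def _parse(ts):
    """RFC 3339 -> aware datetime; fromisoformat rejects a trailing Z before 3.11."""
    if isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def db_status(metadata_text, now, max_age_hours=24.0):
    """Classify the cached DB relative to `now` (datetime or RFC 3339 string).

    ok:           DB age is within max_age_hours, i.e. --skip-db-update is acceptable
    newer_likely: Trivy's NextUpdate has passed, so a refresh would probably fetch a newer DB
    """
    meta = json.loads(metadata_text)
    now = _parse(now)
    updated = _parse(meta["UpdatedAt"])
    age_hours = (now - updated).total_seconds() / 3600.0
    return {
        "version": meta["Version"],
        "updated_at": updated,
        "age_hours": age_hours,
        "ok": 0 <= age_hours <= max_age_hours,
        "newer_likely": now >= _parse(meta["NextUpdate"]),
    }


def check_cache(cache_dir=None, now=None, max_age_hours=24.0):
    """Read metadata.json from the shared cache (default: TRIVY_CACHE_DIR)."""
    cache_dir = cache_dir or os.environ.get("TRIVY_CACHE_DIR", "/var/lib/trivy")
    path = os.path.join(cache_dir, "db", "metadata.json")
    with open(path) as fh:
        return db_status(fh.read(), now or datetime.now(timezone.utc), max_age_hours)


if __name__ == "__main__":
    # Usage: python dbcheck.py [max_age_hours]; exit 0 fresh, 1 stale, 2 no DB
    max_age = float(sys.argv[1]) if len(sys.argv) > 1 else 24.0
    try:
        status = check_cache(max_age_hours=max_age)
    except FileNotFoundError as exc:
        print(f"no cached DB: {exc}")
        sys.exit(2)
    print(f"DB schema v{status['version']}, updated "
          f"{status['updated_at']:%Y-%m-%d %H:%M}Z, age {status['age_hours']:.1f}h")
    if status["newer_likely"]:
        print("note: past NextUpdate, a refresh would likely fetch a newer DB")
    if not status["ok"]:
        print("stale: drop --skip-db-update or run `trivy image --download-db-only`")
        sys.exit(1)
    print("fresh: --skip-db-update is acceptable")
```

Run it from the same cron job or pipeline step that calls trivy with --skip-db-update, and let a non-zero exit fall back to a scan without that flag; that keeps the fast path while making sure a scan never silently reports against a database that stopped being refreshed.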

Maintenance

  • Database: kept current automatically; force a refresh with trivy image --download-db-only.
  • Upgrades: download a newer Trivy .deb from the Aqua Security releases and sudo apt-get install ./trivy_<version>_Linux-64bit.deb.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
  • CI/CD: install Trivy into your pipeline images or run scans on this VM as a remote scanning host.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.