    Deploy Trivy Security Scanner on a VPS

    Comprehensive security scanner for vulnerabilities, secrets, misconfigurations, and SBOMs — single binary, no external dependencies, built for VPS environments.

    At a Glance

    Project: Trivy by Aqua Security
    License: Apache 2.0
    Recommended Plan: RamNode Cloud VPS 1 GB+ (2 GB for large image scans)
    OS: Ubuntu 22.04 or 24.04 LTS
    Pinned Version: v0.69.3 (see security advisory)
    Estimated Setup Time: 10–15 minutes

    Supply Chain Security Advisory

    In March 2026, Trivy experienced a supply chain compromise (CVE-2026-33634). Versions v0.69.4–v0.69.6 contained credential-stealing malware. The last known safe release is v0.69.3.

    • Always verify binary checksums after download
    • Pin to specific versions — never pull latest
    • Reference Docker images by digest (@sha256:...)

    Prerequisites

    • A RamNode VPS running Ubuntu 22.04 or 24.04 (1 GB RAM minimum; 2 GB recommended)
    • Root or sudo access
    • Docker or Podman (optional, for container image scanning)

    1. Install Trivy

    Option A: APT Repository

    This route installs whatever version the repository currently ships. If you need to stay on the pinned release named in the advisory, use Option B instead.

    Install via APT
    sudo apt-get update
    sudo apt-get install -y wget gnupg
    
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | \
      gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
    
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | \
      sudo tee -a /etc/apt/sources.list.d/trivy.list
    
    sudo apt-get update
    sudo apt-get install -y trivy
    trivy --version

    Option B: Pinned Binary

    Install pinned v0.69.3
    wget https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.deb
    sudo dpkg -i trivy_0.69.3_Linux-64bit.deb
    trivy --version
    Initialize vulnerability database
    trivy image --download-db-only
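
    The advisory above says to verify binary checksums after download, but the pinned install never does so. The script below is an added example (not part of the original guide) that wraps the Option B download in a SHA-256 check and refuses to install on a mismatch; it assumes the release ships a GoReleaser-style trivy_0.69.3_checksums.txt next to the .deb, which you should confirm on the release page before relying on it.

```shell
#!/bin/bash
# Added example, not from the original guide: download the pinned Trivy .deb and
# its checksum list, and refuse to install unless the SHA-256 matches.
# Assumption: the release publishes trivy_<version>_checksums.txt next to the asset.
set -u

TRIVY_VERSION="0.69.3"
ASSET="trivy_${TRIVY_VERSION}_Linux-64bit.deb"
CHECKSUMS="trivy_${TRIVY_VERSION}_checksums.txt"
BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"

# verify_asset FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 when CHECKSUM_FILE has no entry for FILE.
verify_asset() {
    local file="$1" sums="$2" name expected actual
    name=$(basename "$file")
    # Checksum lines look like "<sha256>  <filename>" (some tools prefix '*').
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "checksum OK: $name"
    return 0
}

# Fetch the asset and its checksum list, verify, then install only on success.
download_and_install() {
    wget -q "${BASE_URL}/${ASSET}" "${BASE_URL}/${CHECKSUMS}" || return 1
    if ! verify_asset "$ASSET" "$CHECKSUMS"; then
        rm -f "$ASSET"     # never leave an unverified package lying around
        return 1
    fi
    sudo dpkg -i "$ASSET"
}

# Only perform the download/install when invoked as: ./verify-and-install.sh --install
if [ "${1:-}" = "--install" ]; then
    download_and_install
fi
```

    The same verify_asset function works for any release asset, so you can reuse it for the checksum list of a future pinned version.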

    2. Scanning Your VPS Filesystem

    Scan root filesystem
    sudo trivy rootfs /
    Filter by severity
    sudo trivy rootfs --severity CRITICAL,HIGH /
    JSON output for automation
    sudo trivy rootfs --format json --output /var/log/trivy-rootfs-scan.json /

    3. Scanning Container Images

    Scan public and local images
    trivy image nginx:latest
    trivy image my-app:v1.2.0
    Gate deployments on scan results
    #!/bin/bash
    # Pull an image, scan it, and only start a container if no CRITICAL findings exist.
    IMAGE="$1"
    if [ -z "$IMAGE" ]; then
        echo "Usage: $0 <image>" >&2
        exit 2
    fi
    
    echo "Pulling $IMAGE..."
    docker pull "$IMAGE" || { echo "Pull failed. Aborting deployment."; exit 1; }
    
    echo "Scanning $IMAGE with Trivy..."
    # --exit-code 1 makes Trivy return non-zero when any CRITICAL finding is present
    if ! trivy image --exit-code 1 --severity CRITICAL "$IMAGE"; then
        echo "CRITICAL vulnerabilities found. Aborting deployment."
        exit 1
    fi
    
    echo "No critical vulnerabilities found. Proceeding."
    docker run -d "$IMAGE"
    Ignore unfixed vulnerabilities
    trivy image --ignore-unfixed nginx:latest

    4. Scanning Infrastructure as Code

    Scan a project directory
    trivy config /path/to/your/project

    Trivy detects misconfigurations in Dockerfiles, Terraform, Kubernetes manifests, and Helm charts — including containers running as root, exposed ports, and hardcoded secrets.

    5. Secret Scanning

    Scan for leaked secrets
    trivy fs --scanners secret /path/to/your/project
    Scan a remote Git repo
    trivy repo https://github.com/your-org/your-repo

    6. SBOM Generation

    Generate SBOM for an image
    trivy image --format cyclonedx --output sbom.json nginx:latest
    Generate SBOM for host filesystem
    sudo trivy rootfs --format cyclonedx --output host-sbom.json /

    7. Automated Scans with Cron

    trivy-scan.sh (save as /usr/local/bin/trivy-scan.sh)
    #!/bin/bash
    # Daily Trivy scan of the host filesystem plus every image behind a running container.
    SCAN_DATE=$(date +%Y-%m-%d_%H%M)
    LOG_DIR="/var/log/trivy"
    mkdir -p "$LOG_DIR"
    
    # Refresh the vulnerability DB first so every scan below uses current data
    trivy image --download-db-only 2>/dev/null
    
    # Host filesystem scan (the cron.d entry runs this script as root)
    trivy rootfs --severity CRITICAL,HIGH \
      --format json \
      --output "$LOG_DIR/rootfs-$SCAN_DATE.json" /
    
    # Scan each image backing a running container, if Docker is installed
    if command -v docker &> /dev/null; then
        for IMAGE in $(docker ps --format '{{.Image}}' | sort -u); do
            # Image references contain '/' and ':'; make them safe for a filename
            SAFE_NAME=$(echo "$IMAGE" | tr '/:' '_')
            trivy image --severity CRITICAL,HIGH \
              --format json \
              --output "$LOG_DIR/${SAFE_NAME}-${SCAN_DATE}.json" \
              "$IMAGE"
        done
    fi
    
    # Keep 30 days of reports
    find "$LOG_DIR" -name "*.json" -mtime +30 -delete
    Schedule daily scan
    sudo chmod +x /usr/local/bin/trivy-scan.sh
    echo "0 3 * * * root /usr/local/bin/trivy-scan.sh" | sudo tee /etc/cron.d/trivy-scan

    8. Configuration File

    ~/.trivy.yaml
    severity:
      - CRITICAL
      - HIGH
    
    scan:
      skip-files:
        - "**/*.test.js"
        - "**/node_modules/**"
      skip-dirs:
        - ".git"
        - "vendor"
        - "node_modules"
    
    cache:
      dir: /var/cache/trivy
    
    db:
      skip-update: false
    Use config file (the same YAML can also be kept system-wide, here at /etc/trivy/trivy.yaml, and passed with --config)
    trivy --config /etc/trivy/trivy.yaml rootfs /

    9. Performance Tuning

    Offline mode for bandwidth savings
    trivy image --download-db-only
    trivy image --download-java-db-only
    trivy image --skip-db-update --offline-scan your-image:tag
    Shared cache directory
    export TRIVY_CACHE_DIR=/var/cache/trivy
    sudo mkdir -p /var/cache/trivy

    10. Practical Examples

    Scan WordPress before launch
    trivy image --severity CRITICAL,HIGH --ignore-unfixed wordpress:6.4-php8.2-apache
    Audit Terraform config
    trivy config --severity CRITICAL,HIGH ./terraform/
    Scan Node.js dependencies
    trivy fs --scanners vuln /var/www/my-node-app
    Generate HTML security report
    trivy rootfs --format template \
      --template "@contrib/html.tpl" \
      --output /var/www/html/security-report.html /

    Next Steps

    • Integrate JSON output with Grafana Loki or ELK Stack for centralized reporting
    • Create a .trivyignore file for known false positives
    • Combine with unattended-upgrades, UFW, and Fail2Ban for layered security
    • Pin trivy-action to commit SHA in CI/CD pipelines