Running Trivy Security Scanner from Docker on macOS

Goal: Run Trivy security scanner using Docker without installing it locally.

Official documentation: https://aquasecurity.github.io/trivy/v0.38/

Basic Usage

docker run aquasec/trivy version

Scan Local Filesystem

docker run -v /host/src/to/scan:/target aquasec/trivy --debug fs /target > trivy-output-report.txt

The shell redirect runs on the host, not in the container, so trivy-output-report.txt is created in your current directory on the host.

Reference: https://aquasecurity.github.io/trivy/v0.20.2/getting-started/cli/fs/

Scan Git Repository

Public repositories only: https://aquasecurity.github.io/trivy/v0.20.2/vulnerability/scanning/git-repository/

docker run aquasec/trivy repo REPO_URL

Scan .NET Projects

Trivy requires packages.config or *.deps.json files. For projects using <PackageReference/>, build first to generate the deps file:

git clone https://luismesaaily@bitbucket.org/AilyLabs/aily-api.git
dotnet build SRC/SOLUTION.sln
docker run -v /HOST/SRC:/target aquasec/trivy --debug fs /target > trivy-output-report.txt

The build outputs PROJECT.deps.json to the bin folder, which Trivy uses for dependency scanning. Remote scans won’t work for .NET solutions without this file.
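
A preflight check for the .NET case above, as an added example that is not part of the original notes or of Trivy itself: it refuses to scan a tree that uses <PackageReference/> but has not been built, so an empty report is not mistaken for a clean one. The function names are hypothetical, and the read-only (:ro) mount is an addition to the page's docker command.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the docker/trivy
# invocation is the one from the notes, with a read-only mount added.

# Print every .NET dependency file Trivy can read under directory $1.
list_dotnet_manifests() {
    find "$1" -type f \( -name 'packages.config' -o -name '*.deps.json' \) 2>/dev/null
}

# Print project files under $1 that declare <PackageReference> items.
list_packagereference_projects() {
    find "$1" -type f -name '*.csproj' -exec grep -l '<PackageReference' {} + 2>/dev/null
}

# Classify the tree as "ready", "build-required" or "no-dotnet".
# Simplification: one manifest anywhere in the tree counts as ready.
dotnet_scan_state() {
    if [ -n "$(list_dotnet_manifests "$1")" ]; then
        echo ready
    elif [ -n "$(list_packagereference_projects "$1")" ]; then
        echo build-required
    else
        echo no-dotnet
    fi
}

# Scan only when a dependency file exists; otherwise explain why not.
preflight_scan() {
    dir=$(cd "$1" && pwd) || return 2    # docker -v needs an absolute path
    case $(dotnet_scan_state "$dir") in
        ready)
            docker run -v "$dir":/target:ro aquasec/trivy --debug fs /target \
                > trivy-output-report.txt
            ;;
        build-required)
            echo "no *.deps.json under $dir; run 'dotnet build' first" >&2
            return 1
            ;;
        *)
            echo "no .NET dependency files under $dir" >&2
            return 1
            ;;
    esac
}
```

Source the file and call preflight_scan /HOST/SRC in place of the bare docker run command.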