Vulnerability Scanning
Enterprise
This feature requires an Enterprise license.
Vulnerability scanning integrates Trivy to scan container images for known CVEs and security issues. Scan results are displayed with severity levels so you can identify and remediate vulnerabilities before they reach production.
Prerequisites
Trivy must be installed on the backend host or be accessible via PATH. Install Trivy using your preferred method:
```shell
# Debian/Ubuntu
sudo apt-get install trivy
# macOS
brew install trivy
# Docker (alternative — ensure the backend container can invoke it)
docker pull aquasec/trivy
```
Configuration
Vulnerability scanning is configured via environment variables on the backend service:
| Variable | Default | Description |
|---|---|---|
| TRIVY_PATH | trivy | Path to the Trivy binary |
| TRIVY_TIMEOUT | 300 | Scan timeout in seconds |
Example in docker-compose.yml:

```yaml
backend:
  environment:
    TRIVY_PATH: /usr/local/bin/trivy
    TRIVY_TIMEOUT: 600
```
Usage
- Navigate to Security (/security) from the sidebar.
- Select an environment and container image to scan.
- Click Scan to start the vulnerability analysis.
- Results are displayed in a table grouped by severity:
| Severity | Meaning |
|---|---|
| Critical | Exploitable vulnerabilities that should be fixed immediately |
| High | Serious vulnerabilities that need attention |
| Medium | Moderate risk — plan for remediation |
| Low | Minor issues with limited impact |
Each result includes the CVE ID, package name, installed version, fixed version (if available), and a description.
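The following is an added example, not the product's own backend code, showing how a backend could invoke Trivy with the TRIVY_PATH and TRIVY_TIMEOUT settings above and flatten Trivy's JSON report into the severity-grouped rows the results table shows (CVE ID, package, installed version, fixed version, description). The function names, the release-gate helper and the embedded sample report are assumptions constructed for the example; the Trivy flags used (`image --format json --timeout`) are standard Trivy CLI.

```python
"""Run Trivy with the TRIVY_PATH / TRIVY_TIMEOUT settings and group findings
by severity. Added example: helper names and the sample report are
constructed and are not part of the product's backend."""
import json
import os
import shutil
import subprocess
from collections import OrderedDict

# Severity order matches the results table in the docs; anything else goes last.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def trivy_command(image: str) -> list:
    """Build the Trivy invocation from the backend's environment variables.
    TRIVY_PATH and TRIVY_TIMEOUT are the documented settings; the flags are
    standard Trivy CLI (trivy image --format json --timeout <duration>)."""
    trivy = os.environ.get("TRIVY_PATH", "trivy")
    timeout = int(os.environ.get("TRIVY_TIMEOUT", "300"))
    return [trivy, "image", "--quiet", "--format", "json",
            "--timeout", f"{timeout}s", image]


def run_trivy_scan(image: str) -> dict:
    """Invoke Trivy and return the parsed JSON report.
    Raises if the binary is missing or the scan exceeds TRIVY_TIMEOUT."""
    cmd = trivy_command(image)
    if shutil.which(cmd[0]) is None:
        raise FileNotFoundError(f"Trivy binary not found: {cmd[0]} (set TRIVY_PATH)")
    timeout = int(os.environ.get("TRIVY_TIMEOUT", "300"))
    # subprocess's own timeout is a backstop in case Trivy's --timeout is not honoured.
    proc = subprocess.run(cmd, capture_output=True, text=True,
                          timeout=timeout + 30, check=True)
    return json.loads(proc.stdout)


def parse_trivy_report(report: dict) -> list:
    """Flatten a Trivy JSON report into the fields the results table shows."""
    findings = []
    for result in report.get("Results") or []:
        # Trivy emits null (not []) for targets with no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "cve": v.get("VulnerabilityID"),
                "package": v.get("PkgName"),
                "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion") or None,  # None when no fix is published
                "severity": (v.get("Severity") or "UNKNOWN").upper(),
                "description": v.get("Title") or v.get("Description", ""),
                "target": result.get("Target"),
            })
    return findings


def group_by_severity(findings: list) -> "OrderedDict[str, list]":
    """Group findings Critical -> Low, the order the dashboard uses; empty groups are dropped."""
    grouped = OrderedDict((s, []) for s in SEVERITY_ORDER)
    for f in findings:
        grouped.setdefault(f["severity"], []).append(f)
    return OrderedDict((s, fs) for s, fs in grouped.items() if fs)


def has_blocking_findings(findings: list, block_on=("CRITICAL", "HIGH")) -> bool:
    """True if any finding is at a severity a pre-production gate should fail on."""
    return any(f["severity"] in block_on for f in findings)


# Constructed sample report in Trivy's JSON layout; the CVE IDs are placeholders, not real entries.
SAMPLE_REPORT = {
    "Results": [{
        "Target": "example.internal/app:1.2.3 (debian 12.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.1-1",
             "Severity": "CRITICAL", "Title": "constructed sample finding"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.4", "FixedVersion": "",
             "Severity": "medium", "Title": "constructed sample finding, no fix yet"},
        ],
    }, {"Target": "Node.js", "Vulnerabilities": None}],
}

if __name__ == "__main__":
    # Replace SAMPLE_REPORT with run_trivy_scan("<image>") to scan a real image.
    for sev, items in group_by_severity(parse_trivy_report(SAMPLE_REPORT)).items():
        print(sev, [(i["cve"], i["package"], i["installed"], i["fixed"]) for i in items])
```

`parse_trivy_report` tolerates the `null` Trivy emits for targets without findings and normalises severity casing, so a report mixing OS packages and language-specific targets still groups cleanly; `has_blocking_findings` is the kind of check a CI step would run on the same output before an image is promoted.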
TIP
Schedule regular scans for production images. Trivy updates its vulnerability database automatically, so new CVEs are detected on subsequent scans.
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/security/scan | Trigger a scan for a given image |
| GET | /api/security/results | List scan results |
| GET | /api/security/results/:id | Get details for a specific scan |
Frontend Route
| Route | Description |
|---|---|
| /security | Security scanning dashboard and results viewer |