THE DEV SPECTRUM


Security at the Speed of DevOps: Integrating Snyk and Trivy into CI/CD

In a modern pipeline, security cannot be a "gate" at the end; it must be a "filter" throughout. I integrated Trivy and Snyk so that no image carrying a fixable Critical or High CVE is ever pushed to our production ECR: the scan runs on the freshly built image, after docker build and before docker push, and a failing scan means the push step never runs.

1. Container Scanning with Trivy

Trivy is fast and runs the same way locally as in CI, so developers can reproduce a failure on their laptop. We added a step to our GitHub Action that fails the build if a Critical or High vulnerability with an available fix is found anywhere in the image, base layers included (Trivy scans every layer plus the language packages it finds, not only the base image). Two things make the exit code actually enforce anything: the step must run before the push step, and the workflow must be a required status check in branch protection, otherwise the red X on the PR is only advisory.

# GitHub Actions step for Trivy scanning (runs after docker build, before docker push)
- name: Run Trivy vulnerability scanner
  # Pin to a release tag or commit SHA in production; @master floats and is a supply-chain risk
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'thedevspectrum/api:${{ github.sha }}'  # the image built earlier in this job
    format: 'table'
    exit-code: '1'        # non-zero exit when any finding matches the severities below, which fails the job
    ignore-unfixed: true  # skips CVEs with no vendor fix yet; they are still in the image, so track them elsewhere
    severity: 'CRITICAL,HIGH'
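The action's `ignore-unfixed` and `severity` inputs are coarse: an unfixed High CVE vanishes from the table, and there is no way to accept a known finding for a limited time. The script below is an added example for this post, not Trivy's, Snyk's or the trivy-action's own code. It applies the same policy as the step above to Trivy's JSON output (what `trivy image --format json --output report.json` writes), but keeps the unfixed findings visible as "deferred" and supports time-boxed risk acceptances that fall back to blocking once they expire. It assumes Trivy's JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) and runs on a constructed sample report embedded in the file; the CVE identifiers in it are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (output of `trivy image --format json`).

Added example for this post; not Trivy's, Snyk's or the trivy-action's own code.
Assumes Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID,
PkgName, InstalledVersion, FixedVersion, Severity). The embedded report is
constructed and its CVE IDs are placeholders.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed sample report in Trivy's JSON shape. The IDs are fake placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "thedevspectrum/api:deadbeef",
    "Results": [
        {"Target": "thedevspectrum/api:deadbeef (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "CRITICAL"},
             # Unfixed: Trivy omits FixedVersion when the distro has no patch yet.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.3.0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
              "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-js-lib",
              "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "another-js-lib",
              "InstalledVersion": "1.2.0", "FixedVersion": "1.3.0", "Severity": "HIGH"},
         ]},
    ],
})

# Constructed risk acceptances: CVE ID -> ISO date on which the acceptance expires.
SAMPLE_ACCEPTED = {"CVE-0000-0004": "2099-12-31", "CVE-0000-0005": "2020-01-01"}


@dataclass
class Decision:
    blocking: list = field(default_factory=list)  # fail the build
    deferred: list = field(default_factory=list)  # unfixed; reported, not blocking
    accepted: list = field(default_factory=list)  # allow-listed, acceptance not expired

    @property
    def exit_code(self) -> int:
        return 1 if self.blocking else 0


def evaluate(report_json, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True,
             accepted=None, today=None):
    """Mirror the trivy-action knobs (severity, ignore-unfixed) but keep unfixed
    findings visible instead of dropping them, and honour time-boxed acceptances.
    `today` is an ISO date string; it defaults to the real date."""
    report = json.loads(report_json)
    now = date.fromisoformat(today) if today else date.today()
    accepted = accepted or {}
    decision = Decision()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in fail_on:
                continue  # below the gate threshold, like Trivy's `severity` filter
            finding = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                       "installed": v.get("InstalledVersion"),
                       "fixed": v.get("FixedVersion"), "severity": v["Severity"],
                       "target": result.get("Target")}
            expiry = accepted.get(finding["id"])
            if expiry and date.fromisoformat(expiry) >= now:
                decision.accepted.append(finding)
            elif not finding["fixed"] and ignore_unfixed:
                decision.deferred.append(finding)  # what `ignore-unfixed: true` hides
            else:
                decision.blocking.append(finding)  # expired acceptances land here too
    return decision


def summary(decision):
    """One line per finding, grouped by bucket, for the job log."""
    lines = []
    for label, bucket in (("BLOCKING", decision.blocking),
                          ("DEFERRED (no fix available)", decision.deferred),
                          ("ACCEPTED", decision.accepted)):
        for f in bucket:
            lines.append(f"{label}: {f['id']} {f['severity']} {f['pkg']} "
                         f"{f['installed']} -> {f['fixed'] or 'none'} [{f['target']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python trivy_gate.py [report.json] [accepted.json]; falls back to the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    acc = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_ACCEPTED
    d = evaluate(report, accepted=acc)
    print(summary(d))
    sys.exit(d.exit_code)
```

Run as a step after the scan (with `format: 'json'` written to a file) and the job fails on exactly the findings the table step would fail on, but the deferred list goes into the log, and the acceptances file lives in the repo where a reviewer can see who accepted what and until when.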

2. Dependency Scanning with Snyk

While Trivy handles the "container," Snyk handles the "code." It reads your manifest and lockfile (package.json, go.mod) to find vulnerable direct and transitive dependencies. Architect's Note: We specifically configure Snyk to use its reachability analysis. Just because a library has a CVE doesn't mean your code ever calls the vulnerable function, and filtering out those non-exploitable findings cuts the alert fatigue that makes developers ignore the scanner. Two caveats: reachability analysis is only offered for a subset of ecosystems, so confirm it covers the one you are relying on before letting it suppress findings; and "not reachable" is a statement about today's code, so a suppressed finding should stay tracked, since the next commit can start calling the vulnerable path.

3. The Result

By shifting security left, we reduced our Mean Time to Remediate (MTTR) for vulnerabilities from 14 days to less than 24 hours. The developers see the failing check on the PR, bump the package or base image version, and re-push, all before a security auditor ever sees the report.