1 RN Thing a Day – Day 8: Trivyignore



This content originally appeared on DEV Community and was authored by Ola Abaza

.trivyignore is a configuration file used by Trivy, an open-source vulnerability scanner for containers, Kubernetes, and other dependencies.

🔹 Containers
A container is a lightweight, standalone package that includes:

  • The application code (e.g., your React Native backend service, or a Node.js API)
  • Its dependencies (libraries, runtimes like Node.js, Python, Java, etc.)
  • The OS-level binaries needed to run

👉 Think of it like a zip file that has everything your app needs so it runs the same way on any machine.

🔹 Kubernetes (K8s)
Kubernetes is a system that helps you run and manage containers across multiple machines.

With Kubernetes:

  • You describe what you want (e.g., “I need 5 containers of my RN backend always running”).
  • Kubernetes automatically deploys, scales, heals, and load-balances containers.

👉 Think of it like a container orchestrator or a “manager for containers.”

📌 Example:

  • You write a YAML file (deployment.yaml) that says:
      • Run 5 replicas of my RN backend container.
      • Expose them via a service on port 3000.
  • Kubernetes ensures those 5 are always running. If one dies → it restarts it.

Container = a package of your app + everything it needs to run.
Kubernetes = a system that runs and manages lots of containers reliably.

What is Trivy?
Trivy is a security scanning tool developed by Aqua Security that detects:

  • OS package vulnerabilities (e.g., in Alpine, Debian, Ubuntu)
  • Application dependency vulnerabilities (e.g., npm, pip, Maven)
  • Container image vulnerabilities
  • Infrastructure as Code (IaC) misconfigurations

What is .trivyignore?
.trivyignore is a file that allows you to ignore specific vulnerabilities found by Trivy. This is useful when you:

  • Acknowledge a vulnerability but determine it doesn’t affect your project.
  • Are waiting for an upstream fix and want to suppress noise.
  • Need to whitelist known issues for compliance reasons.

How to use .trivyignore?

  • Create a .trivyignore file in your project root.
  • Add the vulnerability IDs you want to ignore, one per line:

    CVE-2022-1234
    CVE-2021-5678

Trivy will skip reporting these vulnerabilities in scans.
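To show how the file interacts with a scan, here is an added example (not code from this post or from Trivy) that parses a .trivyignore, including `#` comment lines and Trivy's optional `exp:YYYY-MM-DD` expiry suffix, and cross-checks it against a Trivy JSON report to flag entries that are stale (match no finding) or expired. The sample file, the sample report and the IDs CVE-2023-0000 / CVE-2023-9999 are constructed placeholders; the rule that suppression ends on the expiry date itself is an assumption.

```python
import json
from datetime import date

# Constructed sample .trivyignore: the post's two IDs plus one placeholder (CVE-2023-0000).
SAMPLE_TRIVYIGNORE = """\
# Accepted risk: the vulnerable code path is not reachable in our deployment
CVE-2022-1234
# Waiting for an upstream fix; Trivy reports this again once the date has passed
CVE-2021-5678 exp:2024-01-31
# Placeholder entry that matches no current finding
CVE-2023-0000
"""

# Constructed minimal Trivy JSON report (shape of `trivy image --format json`); CVE-2023-9999 is a placeholder.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-1234", "PkgName": "libexample", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-9999", "PkgName": "libother", "Severity": "CRITICAL"}]}]})

def parse_trivyignore(text, today):
    """Split a .trivyignore into entries in force on `today` ({id: expiry}) and expired ids."""
    active, expired = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and full-line comments are skipped
            continue
        fields = line.split()  # "<ID> [exp:YYYY-MM-DD]"; anything after that is ignored
        exp = date.fromisoformat(fields[1][4:]) if len(fields) > 1 and fields[1].startswith("exp:") else None
        if exp is not None and today >= exp:  # assumption: suppression ends on the exp: date
            expired.add(fields[0])
        else:
            active[fields[0]] = exp
    return active, expired

def audit(ignore_text, report_json, today):
    """Cross-check the ignore list against the findings in a Trivy JSON report."""
    active, expired = parse_trivyignore(ignore_text, today)
    ignored = set(active)
    found = {v["VulnerabilityID"] for r in json.loads(report_json).get("Results", [])
             for v in (r.get("Vulnerabilities") or [])}
    return {"suppressed": sorted(found & ignored),   # findings the file hides from the report
            "stale": sorted(ignored - found),        # entries matching nothing: candidates to drop
            "expired": sorted(expired),              # past their exp: date, so reported again
            "reported": sorted(found - ignored)}     # what the scan still shows

def audit_sample(today=date(2024, 6, 1)):
    return audit(SAMPLE_TRIVYIGNORE, SAMPLE_REPORT, today)

if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Running this against a real report (`trivy image --format json -o report.json <image>`) in CI is a cheap way to keep the ignore list from silently accumulating entries nobody reviews.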
