InfraAudit uses Trivy as its built-in vulnerability scanner and enriches every finding with data from the National Vulnerability Database (NVD). No separate Trivy installation is required — it’s bundled inside the InfraAudit API container.

What gets scanned

Trivy scans:
  • Container images referenced in Kubernetes pods and deployments
  • OS packages (Alpine, Debian, Ubuntu, CentOS, and others)
  • Application dependencies: Go modules, Python pip/conda, Node.js npm/yarn, Ruby gems, Java Maven/Gradle, .NET NuGet

How the scan flow works

1. Identify scannable artifacts

For each connected resource, InfraAudit identifies artifacts to scan — for example, the container image nginx:1.24 running in a Kubernetes pod.

2. Trivy scans the image

Trivy scans the image and produces a list of CVE matches with the affected package names and versions.

3. NVD enrichment

InfraAudit queries the NVD API for each unique CVE ID to fetch the CVSS v3 score, severity rating, and description.

4. Findings are stored

Enriched findings are stored with their severity, fix version (if available), and status. Findings above the configured severity threshold trigger alerts.

What each finding includes

After NVD enrichment, each vulnerability finding contains:
  • CVSS v3 base score and vector string
  • Severity: Critical, High, Medium, or Low (based on the CVSS score)
  • CVE description from the NVD advisory
  • References — vendor bulletins, patches, and advisories
  • Fix version, if published by the NVD
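The enrichment and threshold steps above, worked through as an added example (not InfraAudit's own code): it takes a constructed Trivy JSON report, looks each CVE up in a constructed stand-in for NVD API 2.0 "cve" objects, derives the severity from the CVSS v3 base score, falls back to Trivy's own rating when NVD has no entry (the air-gapped case), and drops anything below VULN_SEVERITY_THRESHOLD. The CVE IDs, package versions and NVD records are placeholders.

```python
# Severity bands from the CVSS v3 specification; the rank order is used for the threshold check.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def cvss_v3_severity(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


# Constructed Trivy JSON report (field names follow Trivy's JSON output); CVE IDs are placeholders.
TRIVY_REPORT = {"Results": [{"Target": "nginx:1.24 (debian 12.1)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2099-0001", "PkgName": "openssl", "InstalledVersion": "3.0.9-1",
     "FixedVersion": "3.0.11-1", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2099-0002", "PkgName": "zlib1g", "InstalledVersion": "1.2.13-1",
     "FixedVersion": "", "Severity": "LOW"},
]}]}

# Constructed stand-in for NVD API 2.0 "cve" objects, keyed by CVE ID (no network access needed).
NVD_STUB = {"CVE-2099-0001": {
    "descriptions": [{"lang": "en", "value": "Constructed example description."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {
        "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}


def enrich_findings(report, nvd_lookup, threshold="medium"):
    """Enrich Trivy matches with NVD data and keep those at or above the severity threshold."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    findings = []
    for result in report["Results"]:
        for vuln in result.get("Vulnerabilities") or []:
            cve = nvd_lookup.get(vuln["VulnerabilityID"])
            if cve:  # NVD data wins: score, vector, description, and severity re-derived from the score
                data = cve["metrics"]["cvssMetricV31"][0]["cvssData"]
                score, vector = data["baseScore"], data["vectorString"]
                description = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
                severity = cvss_v3_severity(score)
            else:  # No NVD record (air-gapped or unknown CVE): keep Trivy's own rating, no description
                score = vector = description = None
                severity = vuln["Severity"].lower()
            if SEVERITY_RANK.get(severity, 0) < min_rank:
                continue  # below VULN_SEVERITY_THRESHOLD: not stored, no alert
            findings.append({"cve": vuln["VulnerabilityID"], "package": vuln["PkgName"],
                             "installed": vuln["InstalledVersion"], "severity": severity,
                             "cvss_score": score, "cvss_vector": vector, "description": description,
                             "fix_version": vuln["FixedVersion"] or None, "status": "open"})
    return findings
```

Note that the NVD score can raise a finding above Trivy's own rating: here the package Trivy rated MEDIUM becomes Critical once enriched, which is why enrichment runs before the threshold is applied.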

Configuration

The following environment variables control scanning behavior (set in your .env file for self-hosted deployments):
# Only store findings at or above this severity level
VULN_SEVERITY_THRESHOLD=medium

# Trivy cache directory inside the container
TRIVY_CACHE_DIR=/tmp/trivy-cache

# NVD API key (optional, but recommended for high-volume scanning)
NVD_API_KEY=

# Custom Trivy DB for air-gapped environments
TRIVY_DB_REPOSITORY=

NVD API key

Without an NVD API key, the NVD endpoint applies rate limiting that can slow down enrichment for large scans. For production use or frequent scans, obtain a free API key:
1. Register for an API key

Go to nvd.nist.gov/developers/request-an-api-key and complete the registration form.

2. Add the key to your configuration

NVD_API_KEY=your-nvd-api-key

3. Restart the API

docker compose restart api

Update the Trivy database

The Trivy vulnerability database is cached in /tmp/trivy-cache/ inside the API container. It’s updated automatically on each container restart. To force an immediate update:
docker compose restart api

Air-gapped deployments

For environments without internet access:
1. Mirror the Trivy database

Mirror the Trivy DB to an internal OCI registry following Trivy’s air-gapped documentation.

2. Configure the custom DB repository

TRIVY_DB_REPOSITORY=your-private-registry.example.com/trivy-db:2

3. Handle NVD enrichment

Either host an NVD mirror or omit the NVD_API_KEY setting to rely on Trivy’s built-in severity ratings without NVD descriptions.

Mark false positives as ignored

If a vulnerability doesn’t apply to your environment — for example, the vulnerable code path is not reachable — mark the finding as ignored to prevent alert noise:
infraudit vulnerability update <vuln-id> \
  --status ignored \
  --reason "not exploitable in this deployment"

Ignored findings are excluded from reports and compliance metrics by default but remain visible in the full findings list with an ignored label.