logo
Home
Learn

Let’s be real: running trivy image isn’t DevSecOps. It’s just noise generation.

Real security engineering is about signal-to-noise ratio. It’s about building a pipeline that your developers respects, not one they work around. This guide provides the “production-grade” configurations for 17 industry-standard tools to stop vulnerabilities without stopping the business.

Phase 1: Pre-Commit & Local (Shift Left or Go Home)

Catching issues in CI is already too late. You just wasted compute credits and a developer’s context-switching time. Catch it on their laptop.

1. Gitleaks (The Secret Keeper)

Don’t be the company that leaks AWS keys on GitHub.

Most people run Gitleaks blindly. The pros use Baselines.

  • --baseline-path: The golden ticket. Run a fresh scan, save the output. Now Gitleaks ONLY alerts on new secrets.
  • --redact: Mask discovered secrets in the output logs (percentage 0-100). Never double-leak.
  • --enable-rule: Focus on specific secret types (e.g., just AWS keys) by ID.
  • --follow-symlinks: Don’t let secrets hide behind symlinks.
  • --ignore-gitleaks-allow: Disallow the use of inline “skip” comments. Enforce the rules.
  • --max-target-megabytes: Avoid scanning massive binary blobs.

2. Trufflehog (The Verifier)

Finding a string that looks like a key is one thing. Checking if it works is another.

Trufflehog distinguishes itself by verifying credentials against the provider.

  • --no-verification: Faster mode. Skips the “live-check” if you just want static analysis.
  • --results: Filter output by verified (the real danger) or unknown.
  • --filter-entropy: Find high-entropy strings (likely passwords) even without a regex match. Start with 3.0.
  • --detector-timeout: Cap execution time per detector to prevent CI hangs.
  • --archive-max-depth: Don’t get stuck in nested zip-bombs.

3. Opengrep (Fast Static Analysis)

Grep is dead. Long live structural search.

Semgrep-compatible engine for finding bugs using code patterns, not just strings.

  • --baseline-commit: Crucial. Only scan code changed since a specific commit (Delta Scanning).
  • --config: Load custom rules from YAML limits or the registry.
  • --dataflow-traces: Show the full path of how data moves from source to sink.
  • --exclude-minified-files: Skip .min.js and other dense, non-human-readable files.
  • --strict: Fail the build if the config is invalid or WARN level errors occur.

4. Bandit (Python Security)

The standard for Python AST analysis.

  • -t / --tests: Run ONLY specific test IDs (allowlist).
  • -s / --skips: Skip specific test IDs (denylist).
  • --severity-level: Only show results >= low, medium, or high.
  • --confidence-level: Filter out “guesswork”—only show high-confidence findings.
  • --ignore-nosec: See what developers are trying to bypass using # nosec.

5. Dustilock (Dependency Confusion)

Prevent an attacker from injecting a malicious private package.

  • -a: Audit only. Check if you are vulnerable to package name hijacking without stopping the pipeline.

6. Hadolint (Docker Intelligence)

Your Dockerfile sucks. Hadolint knows why.

  • --trusted-registry: Supply chain security. Only allow images from internal.ecr.aws.
  • --strict-labels: Enforce metadata standards (e.g., maintainer, cost-center).
  • --ignore: Silence rules that don’t apply to your build.
  • --error / --warning: Remap rule severities to match your policy.
  • --require-label: Enforce specific label formats (Regex).

7. TFLint (Terraform Logic)

terraform validate is a syntax check. TFLint is a logic check.

  • --enable-plugin: Load provider-specific rules (e.g., AWS, Azure) to check against API specs.
  • --minimum-failure-severity: Control the build-break threshold (Error, Warning, Notice).
  • --call-module-type: Scan all, local, or none modules.
  • --var-file: Inject variables to evaluate conditional logic accurately.

Phase 2: The CI Gatekeepers (Trust, but Verify)

This is the war room. Deep analysis during the build process.

8. Trivy (The Heavy Hitter)

The Swiss Army Knife.

  • --ignore-unfixed: Mandatory. If there’s no patch, don’t fail the build. Monitor it.
  • --ignore-status: Filter out vulnerabilities with specific statuses.
  • --pkg-types: Focus scans on os packages or library dependencies.
  • --offline-scan: Run in air-gapped environments.
  • --include-dev-deps: Don’t ignore devDependencies—they can still compromise the build environment.
  • --list-all-pkgs: Output everything. Essential for generating a complete SBOM.

9. Syft (The SBOM Generator)

You can’t secure what you don’t know you have.

  • --enrich: Add online metadata for richer usage context (Golang, Java, etc.).
  • -s / --scope: Scan all layers (all-layers) or just the final image (squashed).
  • --select-catalogers: Target specific package managers (npm, pip, apk).
  • --platform: Target specific architectures (e.g., arm64).

10. Grype (The SBOM Scanner)

Takes the baton from Syft.

  • -f / --fail-on: Break the build if severity >= medium, high, etc.
  • --only-fixed: Only report vulnerabilities that are actionable.
  • --by-cve: Organize output by CVE ID for tracking.
  • --ignore-states: Ignore generic “wontfix” or “not-affected” statuses.

11. Checkov (IaC Governance)

Prevent cloud misconfigurations before they cost you money.

  • -s / --soft-fail: Warn but don’t break. Best for “observation mode.”
  • --check / --skip-check: white-list or black-list specific checks (CKV_AWS_1).
  • --skip-framework: Ignore entire frameworks (e.g., scan Terraform but skip CloudFormation).
  • --enable-secret-scan-all-files: Extend secret scanning beyond standard config files.
  • --block-list-secret-scan: Exclude specific files from the secret scanner.

12. KICS (Keeping IaC Secure)

The alternative for broad IaC coverage.

  • --exclude-queries: Remove noise by filtering out specific query IDs.
  • --exclude-categories: Filter findings by security domain.
  • --fail-on: Define which severity levels return a non-zero exit code.
  • --minimal-ui: Simplified CLI output for cleaner logs.
  • --disable-secrets: Turn off internal secret scanning (use Gitleaks instead).

13. Terrascan (Policy-as-Code)

Specialized for multi-cloud policy enforcement.

  • -i / --iac-type: Optimize by specifying the platform (k8s, helm, terraform).
  • -t / --policy-type: Filter policies by provider (aws, azure, gcp).
  • --severity: Define the minimum severity to report.
  • --non-recursive: Scan only the current directory.

14. OWASP Dependency-Check (Legacy & Compliance)

The heavy lifter for Java and .NET SCA.

  • --failOnCVSS: Break the build if any library exceeds a CVSS score (e.g., 7.0).
  • --suppression: Use an XML file to “mute” known safe vulnerabilities (VEX-lite).
  • --enableExperimental: Use new analyzers for less common languages.

15. DevSkim (Polyglot Hygiene)

Developer-centric IDE and CI checks.

  • --rule-ids: Limit analysis to specific rules.
  • --ignore-globs: Use standard glob patterns to skip noisy files.
  • --skip-git-ignored-files: Automatically sync with .gitignore.
  • --skip-excerpts: Keep reports small by removing code samples.

Phase 3: Runtime & Artifacts (The Final Line)

Scanning the final artifact or the live environment.

16. Clamscan (Malware Defense)

Because sometimes people upload viruses to your S3 bucket.

  • --exclude / --exclude-dir: Skip file/directory patterns to save time.
  • --detect-pua: Look for “Potentially Unwanted Applications” (adware, miners).
  • --detect-structured: Scan for sensitive data patterns like Credit Cards/SSNs.
  • --scan-pdf / --scan-html: Enable deep inspection for document types.
  • --cross-fs: Allow scanning across different filesystems (use with caution).

17. Nuclei (The Hacker’s Knife)

Templated scanning that feels illegal.

  • -t / --templates: Run specific template files or directories.
  • -tags: Target scans based on tech (e.g., wordpress, cve).
  • -s / --severity: Filter templates by impact level.
  • -fr / --follow-redirects: Follow HTTP 301/302 redirects to find the payload.
  • -passive: Scan by looking at existing headers/responses without sending new “attacks.”
  • -etags fuzz: Exclude fuzzing templates in production.

Summary: The “Perfect” Pipeline

  1. Local: pre-commit runs Gitleaks (baseline), Trufflehog (verified), & Hadolint.
  2. Build: Trivy scans deps (--ignore-unfixed). Syft generates SBOM. Dependency-Check for compliance.
  3. Test: Checkov & KICS scan Terraform plan. Opengrep checks code patterns.
  4. Artifact: Clamscan checks the final binary/assets.
  5. Deploy: Nuclei sanity checks the live endpoint.

Tune your tools, or they will tune you out.

Plexicus made all that easier

With one unified dashboard, and access to all of our tools integrations, it will take only a few clicks Plexicus

Written by
Rounded avatar
José Palanco
José Ramón Palanco is the CEO/CTO of Plexicus, a pioneering company in ASPM (Application Security Posture Management) launched in 2024, offering AI-powered remediation capabilities. Previously, he founded Dinoflux in 2014, a Threat Intelligence startup that was acquired by Telefonica, and has been working with 11paths since 2018. His experience includes roles at Ericsson`s R&D department and Optenet (Allot). He holds a Telecommunications Engineering degree from the University of Alcala de Henares and a Master`s in IT Governance from the University of Deusto. As a recognized cybersecurity expert, he has been a speaker at various prestigious conferences including OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin. His contributions to the cybersecurity field include multiple CVE publications and the development of various open source tools such as nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, and more.
Read More from José
Share
PinnedCybersecurity

Plexicus Goes Public: AI-Driven Vulnerability Remediation Now Available

Plexicus launches AI-driven security platform for real-time vulnerability remediation. Autonomous agents detect, prioritize, and fix threats instantly.

View More
plexicus-goes-public-ai-driven-vulnerability-remediation-now-available-for-all
plexicus
Plexicus

Unified CNAPP Provider

Automated Evidence Collection
Real-time Compliance Scoring
Intelligent Reporting

Related posts

Cut the Noise: Make Your Security Tools Actually Work for You
Learn
devsecopscybersecuritysecurity tools
Cut the Noise: Make Your Security Tools Actually Work for You

Installing a security tool is the easy part. The hard part begins on 'Day 2,' when that tool reports 5,000 new vulnerabilities. This guide focuses on vulnerability management: how to filter out duplicate alerts, manage false positives, and track the metrics that actually measure success. Learn how to move from 'finding bugs' to 'fixing risks' without overwhelming your team.

November 26, 2025
José Palanco
Frictionless Security: Integrating Tools into the Developer Workflow
Learn
devsecopscybersecuritysecurity tools
Frictionless Security: Integrating Tools into the Developer Workflow

Developer Experience (DevEx) is key when choosing security tools. Security should make the developer’s job easier, not harder. If developers have to leave their coding environment or use another dashboard to find issues, it slows them down and makes them less likely to use the tools.

November 26, 2025
Khul Anwar
The DevSecOps Arsenal: Zero to Hero
Learn
devsecopscybersecuritysecurity toolsvulnerability managementci-cd
The DevSecOps Arsenal: Zero to Hero

Running `trivy image` isn't DevSecOps—it's noise generation. Real security engineering is about signal-to-noise ratio. This guide provides production-grade configurations for 17 industry-standard tools to stop vulnerabilities without stopping the business, organized into three phases: pre-commit, CI gatekeepers, and runtime scanning.

January 12, 2026
José Palanco