Docker makes it easy to grab tools packaged as images. But because those images run in your environment or on your system, you should at least know what is in them and what is missing (security patches, outdated packages).
trivy is a great tool to do that. The output is clear.
But now that I have WSL2, I can use:
- an Ubuntu WSL2 image
- Docker Desktop WSL2 integration
- trivy installed on my Ubuntu image
From my Ubuntu WSL2 image, I can access Docker without exposing the daemon without TLS.
So now, I can use the following command:
trivy image -s HIGH,CRITICAL mcr.microsoft.com/dotnet/core/sdk:3.1
You can use it on your CI system too. The --exit-code option is great for getting the information without blocking the chain. See this post for Azure DevOps.
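A CI step built on that option, as an added example that is not code from the original post. It goes one step further than the text by following the non-blocking report with a blocking pass; the function names and the choice to block only on CRITICAL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): trivy as a CI step.
# Assumption: trivy is on PATH and the job can reach the Docker daemon.

# report_image IMAGE
# Informational scan: prints HIGH and CRITICAL findings. With --exit-code 0
# the exit status stays 0 when vulnerabilities are found, so the chain is
# not blocked; a non-zero status here means the scan itself failed.
report_image() {
    trivy image --exit-code 0 -s HIGH,CRITICAL "$1"
}

# gate_image IMAGE
# Gating scan: with --exit-code 1 trivy exits 1 when a CRITICAL finding exists.
gate_image() {
    trivy image --exit-code 1 -s CRITICAL "$1"
}

# scan_images IMAGE...
# Reports on every image, then returns:
#   0  no image was blocked
#   1  at least one image was blocked by the CRITICAL gate
#   2  usage error, or a scan that could not run
scan_images() {
    if [ "$#" -eq 0 ]; then
        echo "usage: scan_images IMAGE..." >&2
        return 2
    fi
    status=0
    for image in "$@"; do
        if ! report_image "$image"; then
            echo "scan failed for $image" >&2
            status=2
            continue
        fi
        if ! gate_image "$image"; then
            echo "blocked: CRITICAL findings in $image" >&2
            if [ "$status" -eq 0 ]; then
                status=1
            fi
        fi
    done
    return "$status"
}

# Usage from a CI step, after sourcing this file:
#   scan_images mcr.microsoft.com/dotnet/core/sdk:3.1
```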
Hope this helps!