Articles

Trivy Docker Official Images: Audit Base Layer CVEs (2026)

April 6, 2026 6 min read

Trivy can audit your Docker base image for CVEs, but it might not be showing you the full picture because it only scans the layers Trivy itself is aware of.

Common Causes and Fixes for Missing Base Layer CVEs in Trivy Scans

The core issue is that Trivy, by default, might not be aware of all the layers that constitute your Docker image, especially if those layers are built by other tools or are very old. This can lead to missed CVEs in the base operating system packages. Here’s a breakdown of what’s likely happening and how to fix it:

  1. Trivy’s Layer Cache Misses or Incompleteness:

    • Diagnosis: Trivy maintains a cache of scanned image layers to speed up subsequent scans. If this cache is stale or was cleared, Trivy might re-download and re-scan layers it already knows about, potentially missing nuances in how a base image was constructed. The most direct way to see if Trivy is even seeing the layers is to run it with verbose output and inspect the layer hashes it reports.
      trivy image --debug your-image:tag
      Look for lines indicating which layers are being scanned or skipped due to cache.
    • Fix: Explicitly tell Trivy to ignore its cache for a scan. This forces a fresh analysis of all layers.
      trivy image --cache-dir "" your-image:tag
      This command tells Trivy to use an empty directory for its cache, effectively disabling caching for that specific run. This ensures every layer is analyzed from scratch.
    • Why it works: By bypassing the cache, Trivy is forced to re-evaluate every layer’s content and metadata, ensuring it doesn’t rely on potentially outdated cached information about the base image’s package manifest.

  2. Base Image Rebuilds Without Tag Changes:

    • Diagnosis: Sometimes, base images (like ubuntu:20.04 or alpine:3.16) are rebuilt by their maintainers to include security patches. If you’re using a tag that hasn’t changed its digest, your Docker daemon might be using an older, cached version of that base image layer, and Trivy will scan that older version. You can check the digest of your image and compare it to what you expect.
      
docker image inspect --format='{{.Id}}' your-image:tag
      Then, check the upstream registry for the latest digest of the base image tag you’re using. If your local digest is older, you’re not getting the latest base.
    • Fix: Force a pull of the base image to ensure you have the latest version, then rebuild your image.
      docker pull ubuntu:20.04  # Or your specific base image
docker build -t your-image:tag .
trivy image your-image:tag
      The docker pull command explicitly fetches the latest manifest and layers for the specified tag. Rebuilding the image then incorporates these updated base layers.
    • Why it works: This ensures that when Trivy scans your-image:tag, it’s actually scanning an image built upon the most recently updated base image layers available in the registry.

  3. Non-Standard Base Image Construction (Multi-stage Builds):

    • Diagnosis: If your Dockerfile uses multi-stage builds and the final image is significantly different from the initial base, Trivy might struggle to correctly attribute packages to the original base layer if intermediate layers are optimized away or heavily modified. Inspecting the docker history can reveal the actual commands that built each layer.
      docker history your-image:tag
      Look for the earliest layers and the commands that created them.
    • Fix: When scanning, explicitly target the original base image digest if you suspect it’s being obscured. Alternatively, ensure your final image is built directly from a known, patched base or that intermediate layers don’t inadvertently hide base OS vulnerabilities.
      # Scan a specific base image that your multi-stage build might be derived from
trivy image ubuntu:20.04
# Or, if you know the digest of the base layer you want to audit:
trivy image --input your-image.tar --platform linux/amd64 --base-image-digest sha256:abcdef...
      Targeting the base image directly or providing its digest forces Trivy to analyze that specific starting point, irrespective of subsequent build steps.
    • Why it works: This forces Trivy to focus its analysis on the fundamental building blocks of your image, bypassing any complexities introduced by intermediate build stages that might obscure the original base OS package versions.

  4. Trivy’s Package Manager Detection Limitations:

    • Diagnosis: Trivy relies on detecting the package manager (e.g., apt, apk, yum) within an image to know how to query for installed packages and their versions. If a base image uses a highly customized or obscure package manager, or if the standard detection mechanism fails, Trivy might not report any OS packages.
      trivy image --debug your-image:tag | grep -i "package manager"
      This will show you which package managers Trivy thinks are present.
    • Fix: Manually specify the package manager type for the scan.
      trivy image --pkg-manager apt your-image:tag
# or
trivy image --pkg-manager apk your-image:tag
      This explicit declaration overrides Trivy’s detection logic, ensuring it uses the correct tools to inspect the base image’s package database.
    • Why it works: By telling Trivy exactly which package manager to use, you circumvent potential detection failures, allowing it to correctly identify and query the installed OS packages for known vulnerabilities.

  5. Outdated Trivy Version:

    • Diagnosis: Trivy’s vulnerability database and its internal logic for understanding image layers are continuously updated. An older version might not recognize newer base image structures or have the latest vulnerability information.
      trivy --version
      Compare this to the latest release on the Trivy GitHub repository.
    • Fix: Update Trivy to the latest stable version.
      # Example for Linux (check official docs for other OS/methods)
sudo apt-get update && sudo apt-get install -y trivy
# Or download the latest binary from GitHub releases
      Regularly updating Trivy ensures you have the most current vulnerability definitions and improved scanning capabilities for newer image formats and base OS versions.
    • Why it works: Newer Trivy versions include updated vulnerability databases and improved parsers for various package managers and image formats, increasing the likelihood of detecting all relevant CVEs in your base image.

  6. Image Not Fully Built (Incomplete docker build):

    • Diagnosis: If the docker build process was interrupted or failed before completing all layers, Trivy might be scanning an incomplete or corrupted image. Check the docker build output carefully for any errors.
      docker build -t your-image:tag .
      Review the output for any non-zero exit codes or error messages.
    • Fix: Ensure the docker build command completes successfully without errors. If it fails, address the underlying build issue and rerun the build.
      # Rerun the build after fixing errors
docker build -t your-image:tag .
trivy image your-image:tag
      A successful build ensures all layers are present and correctly formed, providing Trivy with a complete image to analyze.
    • Why it works: Trivy can only scan what’s actually present in the image. A complete build guarantees that all layers, including those from the base image, are available for inspection.

The next error you might encounter, after ensuring your base image is fully audited, is Trivy reporting vulnerabilities in your application dependencies, which are a separate scanning concern.

More Deep Dives in Trivy

Want structured learning?

Take the full Trivy course →