Trivy’s HTML dashboard transforms raw scan data into an interactive visual report, making it easier to digest and act on security findings.
Let’s see it in action. Imagine you’ve scanned a Docker image and want a quick overview of its vulnerabilities.
trivy image --format template --template "@contrib/html.tpl" -o report.html your-docker-image:tag
This command tells Trivy to:
image: scan a Docker image.
--format template: use a templating engine for output.
--template "@contrib/html.tpl": specify the built-in HTML template.
-o report.html: write the output to a file named report.html.
your-docker-image:tag: the image to scan.
After running this, you’ll have a report.html file. Open it in your browser. You’ll see a summary of your image, broken down by vulnerability severity (Critical, High, Medium, Low). You can click on each section to expand it and see the specific CVEs, the affected packages, and even the exact file paths within your image where the vulnerable package resides. It’s not just a list; it’s a navigable, filterable view.
The power of this dashboard lies in its ability to provide context and actionable information at a glance. Instead of sifting through thousands of lines of JSON or text output, you get a clear picture of your risk posture. The template uses Go’s html/template package, allowing Trivy to iterate over its internal data structures (like found vulnerabilities, misconfigurations, secrets, etc.) and render them into HTML. The @contrib/html.tpl is a pre-written template that knows how to structure this data into tables, charts, and clickable elements.
The core problem Trivy solves is vulnerability and misconfiguration detection across various targets (images, filesystems, Git repositories). The HTML dashboard is an output format that enhances the usability of Trivy’s findings. It’s not a separate tool; it’s how Trivy presents its findings when you ask it nicely. You control the level of detail by using other Trivy flags like --severity or --ignore-unfixed. For example, to only see critical and high vulnerabilities in your HTML report:
trivy image --severity CRITICAL,HIGH --format template --template "@contrib/html.tpl" -o high-risk-report.html your-docker-image:tag
The dashboard also supports other scan types. For instance, scanning a directory:
trivy fs --format template --template "@contrib/html.tpl" -o filesystem-report.html /path/to/your/code
One thing many users overlook is that the HTML template itself is customizable. While @contrib/html.tpl is the default, you can copy it, modify it to include custom branding, change the layout, or even add specific filters that are more relevant to your team’s workflow. Trivy’s template engine is powerful enough to let you define exactly how you want to visualize the data it collects.
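Because Trivy templates are Go html/template files, customising @contrib/html.tpl means editing Go template markup. The following is an added example, not Trivy's own code or template: a cut-down custom template with a team banner and a template-side filter that hides findings without a fix, rendered over constructed findings. The Vulnerability and Result struct shapes mirror the fields the stock template reads but are assumptions for this demo, and the CVE ids and package names are placeholders.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Minimal mirror of the fields contrib/html.tpl reads from a Trivy report; assumed shapes for this demo, not Trivy's own types.
type Vulnerability struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title string }
type Result struct {
	Target          string
	Vulnerabilities []Vulnerability
}

// A customised template in the spirit of @contrib/html.tpl: team banner, one table per target, and a filter hiding unfixed findings.
const customTpl = `<h1>{{ .Team }} container report</h1>
{{ range .Results }}<h2>{{ .Target }}</h2><table><tr><th>Package</th><th>Vulnerability</th><th>Severity</th><th>Installed</th><th>Fixed</th></tr>
{{ range .Vulnerabilities }}{{ if .FixedVersion }}<tr class="severity-{{ .Severity }}"><td>{{ .PkgName }}</td><td>{{ .VulnerabilityID }}</td><td>{{ .Severity }}</td><td>{{ .InstalledVersion }}</td><td>{{ .FixedVersion }}</td></tr>
{{ end }}{{ end }}</table>
{{ end }}`

// Render executes the template; html/template escapes every field, so a hostile package name or title inside a scanned image cannot inject markup into the report.
func Render(team string, results []Result) (string, error) {
	t, err := template.New("report").Parse(customTpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]any{"Team": team, "Results": results})
	return sb.String(), err
}

// SampleResults is constructed stand-in data, not real Trivy output; the CVE ids are placeholders.
func SampleResults() []Result {
	return []Result{{Target: "your-docker-image:tag (debian 12)", Vulnerabilities: []Vulnerability{
		{"CVE-EXAMPLE-0001", "libexample", "1.0-1", "1.0-2", "HIGH", "fixed upstream"},
		{"CVE-EXAMPLE-0002", "libother", "2.3", "", "LOW", "no fix yet, so the template hides it"},
		{"CVE-EXAMPLE-0003", "<script>alert(1)</script>", "0.1", "0.2", "CRITICAL", "hostile package name"},
	}}}
}

func main() {
	out, err := Render("Platform", SampleResults())
	if err != nil {
		panic(err)
	}
	fmt.Print(out) // redirect to a file, as Trivy's -o flag does for its own output
}
```

To use a template like this with Trivy itself, save it to a file and pass it with --template "@/path/to/custom.tpl" in place of "@contrib/html.tpl".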
The next step after generating and reviewing these reports is often integrating them into a CI/CD pipeline, potentially using the --exit-code flag to gate builds based on vulnerability thresholds.