In cloud-native development, ensuring the integrity and security of software artifacts (such as Docker images, Python wheels, and Helm charts) is a fundamental challenge. With the growing adoption of continuous integration and delivery pipelines, there’s a critical need for automation around vulnerability detection and policy enforcement at every stage of the artifact lifecycle.
Two tools that are increasingly adopted for this purpose are Trivy and Open Policy Agent (OPA). Together, they form a powerful combination for scanning and securing artifacts while enabling fine-grained policy control in cloud-native ecosystems
Vulnerability Detection with Trivy
Trivy is a versatile security scanner that supports containers, file systems, and code repositories. It offers several key capabilities critical to securing the software supply chain:
- Vulnerability Detection: Trivy identifies known vulnerabilities (CVEs) across multiple ecosystems. It also benefits from community-driven enhancements, incorporating additional vulnerability data sources and enriched CVE metadata for more comprehensive results.
- License Compliance: Trivy flags packages based on their associated software licenses, helping organizations enforce licensing policies and avoid compliance risks.
- SBOM Generation and Ingestion: Trivy can generate Software Bill of Materials (SBOMs) in widely adopted formats such as SPDX, SPDX JSON, and CycloneDX. It also supports scanning existing SBOMs, including attestations in CycloneDX format, to detect vulnerabilities in declared dependencies.
When integrated into artifact repositories or CI/CD pipelines, Trivy can automatically scan artifacts as they are pushed, surfacing vulnerabilities and license issues early in the development lifecycle.
For example, scanning a Python package like requests==2.6.0 with Trivy immediately surfaces any known issues, along with metadata including CVSS scores and fixed versions:
pip download requests==2.6.0
trivy fs requests-2.6.0-py2.py3-none-any.whl
This helps teams respond quickly to known threats and maintain visibility into their software supply chain.
Automating Remediation with OPA
Detection is only one side of the equation. The CNCF Graduate project OPA enables the enforcement.
OPA is a general-purpose policy engine that supports policy-as-code, making it possible to express complex rules over infrastructure, workloads, or (relevant to Cloudsmith) artifact metadata. OPA policies are written in Rego, a purpose-built declarative language.
A typical policy might look like this:
package cloudsmith # artifact mgmt policy
import rego.v1
default match := false
max_cvss_score := 6
match if {
count(reason) != 0
}
reason contains msg if {
some vulnerability in input.v0.security_scan.Vulnerabilities
vulnerability.FixedVersion
vulnerability.Status == "fixed"
some _, val in vulnerability.CVSS
val.V3Score > max_cvss_score
msg := "CVSS Score >= 6"
}
This rule blocks any package or container image that includes a vulnerability with a CVSS score above 6.0. These policies can be tested in isolation or simulated before being fully enforced, reducing the risk of disrupting builds or deployments during rollout.
Integrating Trivy and OPA in Practice
At Cloudsmith, we use Cloudsmith to secure Cloudsmith. This means combining Trivy and OPA to allow for automated pipelines that:
- Scan every artifact upon ingestion or upload.
- Evaluate vulnerabilities against defined security policies.
- Take action, such as quarantining risky packages, alerting teams, or tagging artifacts for review.
This model moves security left in the DevOps lifecycle, embedding policy enforcement closer to where artifacts are built and stored.
Depending on the platform or ecosystem you’re using, this workflow can be implemented in various ways – either via GitOps-style pipelines, repository-level webhooks, or platform APIs. What’s important is the consistent enforcement of security policies automatically, at scale.
Why This Approach Matters
In cloud-native environments, the scale and speed of deployments often make manual review impractical. Vulnerable packages can propagate quickly if not caught early. By combining scanning with policy automation:
- Teams reduce risk without introducing delays.
- Organizations enforce consistent compliance.
- Security policies can evolve alongside threats and requirements.
And because Trivy and OPA are both open source, this approach supports openness, flexibility, and community best practices.
At Cloudsmith, this exact pattern is used to secure the artifact supply chain. Artifacts are scanned automatically with Trivy on upload, and OPA is used to quarantine packages that violate defined security policies — all without manual intervention.