Talk
Intermediate

Trivy: Securing Your Software Supply Chain

Approved

In today’s interconnected software ecosystem, a single vulnerable dependency can compromise your entire supply chain. Enter Trivy, a powerful open-source scanner that is fast becoming the developer’s go-to tool for securing everything from Docker images to SBOMs, IaC, and more.

This talk takes you on a journey through real-world patterns of how security blind spots can be discovered using Trivy. We’ll explore how Trivy can be used as part of your CI/CD pipelines to secure infrastructure code, scan containers before they reach production, and even validate SBOMs for compliance.

You’ll walk away with a strong understanding of:

  • What Trivy scans (and what it doesn't)

  • How it fits into a DevOps pipeline

  • How to prevent supply chain attacks before they occur

  • Bonus: how to scale and automate scans in large orgs

If you’ve ever wondered how to make security practical, developer-friendly, and truly proactive, this talk is what you need to hear.

Key Takeaways:

  • Why software supply chain security is critical (with real examples)

  • How Trivy helps secure code, containers, SBOMs, and IaC

  • How to shift security left without slowing teams down

  • Tips for integrating Trivy into GitHub Actions, GitLab, and other CI/CD systems

  • Patterns for managing scan outputs, false positives, and automation


Dharan Kuppusamy Thamo
Architect, Bosch
https://www.linkedin.com/in/dharan-k-t-0118815/

Approvability: 100 % (3 approvals, 0 rejections, 0 not sure)

Reviewer #1: Approved

Reviewer #2: Approved

This would be useful for many people in the audience to see how such tools can be put into action.

Reviewer #3: Approved