This guide explains how to read and interpret the vulnerability scan reports generated by the Published Images Vulnerability Scanning workflow. It is intended for support, sales, and other non-developer audiences.
The workflow performs three types of scans on each published Docker image:
| Scan Type | What It Checks | Scanner |
|---|---|---|
| OS & Application Libraries | Operating system packages (Debian/Ubuntu) and top-level Java libraries | Trivy |
| Nested JAR Dependencies | Libraries bundled inside Liquibase JARs (Spring Boot fat JARs, extensions) | Trivy |
| SBOM-based Scan | Software Bill of Materials - a complete inventory of all components | Grype |
| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures - a unique identifier for a security vulnerability (e.g., CVE-2025-12345) |
| CVSS | Common Vulnerability Scoring System - a numeric score (0.0-10.0) that measures vulnerability severity. Scores: 0.0 = None, 0.1-3.9 = Low, 4.0-6.9 = Medium, 7.0-8.9 = High, 9.0-10.0 = Critical |
| NVD | National Vulnerability Database - the U.S. government's repository of vulnerability data, managed by NIST |
| GHSA | GitHub Security Advisory - GitHub's database of security vulnerabilities |
| Trivy | An open-source vulnerability scanner by Aqua Security |
| Grype | An open-source vulnerability scanner by Anchore |
| SBOM | Software Bill of Materials - a complete list of all software components in an image |
| HIGH/CRITICAL | Severity ratings indicating vulnerabilities that should be prioritized for remediation |
| Parent JAR | The main Liquibase JAR file that contains nested dependencies |
| Nested JAR | A library bundled inside another JAR file (common in Spring Boot applications) |
| Column | Description |
|---|---|
| Package | The name of the vulnerable software component |
| Parent JAR | Which Liquibase JAR contains this vulnerable dependency |
| NVD | Link to the vulnerability details in the National Vulnerability Database |
| GitHub Advisories | Link to search for related security advisories on GitHub |
| CVE Published | Date the vulnerability was publicly disclosed |
| Trivy Severity | Trivy's assessment of the vulnerability severity (HIGH or CRITICAL) |
| CVSS | The CVSS v3 numeric score (0.0-10.0) from NVD or vendor database. Higher scores indicate more severe vulnerabilities |
| Trivy Vendor Data | Severity rating from the software vendor's security team (may differ from Trivy's assessment) |
| Grype Severity | Grype scanner's assessment of vulnerability severity |
| Installed | The version currently installed in the image |
| Fixed | The version that contains the fix (if available) |
| Fix? | Whether a fix is available: ✅ = yes, ❌ = no (must wait for upstream fix) |
The "Trivy Vendor Data" column shows severity ratings from different security databases:
| Prefix | Source | Description |
|---|---|---|
| nvd | NVD | National Vulnerability Database (U.S. government) |
| ghsa | GHSA | GitHub Security Advisories |
| rh | Red Hat | Red Hat Product Security |
| amz | Amazon | Amazon Linux Security Center |
| ora | Oracle | Oracle Linux Security |
| bit | Bitnami | Bitnami Vulnerability Database |
| alma | AlmaLinux | AlmaLinux Errata |
| rky | Rocky | Rocky Linux Errata |
Note: Vendor severity ratings come from Trivy's database and may occasionally differ from the current assessment on the vendor's website.
| Level | Code | Description |
|---|---|---|
| LOW | L | Minor impact, low priority |
| MEDIUM | M | Moderate impact, should be addressed |
| HIGH | H | Significant impact, prioritize remediation |
| CRITICAL | C | Severe impact, address immediately |
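The report columns, the vendor-prefix table and the L/M/H/C codes above are all derived from fields in the scanners' JSON output. The following is an added example, not the workflow's own script, showing how constructed Trivy and Grype JSON findings are turned into those columns. The scanner JSON is constructed inline with placeholder CVE IDs (CVE-0000-*), and the parent-JAR rule, the link formats and the mapping from Trivy's vendor keys (redhat, amazon, oracle-oval, ...) to the report's short prefixes are assumptions for illustration.

```python
"""Render Trivy and Grype JSON findings into the report columns described above.

Added example, not the workflow's own script. The scanner JSON below is
constructed inline to mirror the real Trivy/Grype output shapes; the
parent-JAR rule, link formats and vendor-prefix mapping are assumptions.
"""
import json

# Trivy encodes VendorSeverity as integers: 0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_CODE = {1: "L", 2: "M", 3: "H", 4: "C"}
# Trivy's vendor keys on the left, the report's short prefixes on the right (assumed mapping).
VENDOR_PREFIX = {"nvd": "nvd", "ghsa": "ghsa", "redhat": "rh", "amazon": "amz",
                 "oracle-oval": "ora", "bitnami": "bit", "alma": "alma", "rocky": "rky"}

# Constructed sample input: placeholder CVE IDs (CVE-0000-*), not real advisories.
TRIVY_JSON = r'''{"Results": [
 {"Target": "lib/liquibase-core.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "org.example:parser",
   "PkgPath": "lib/liquibase-core.jar", "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5",
   "Severity": "HIGH", "PublishedDate": "2024-03-01T10:00:00Z",
   "VendorSeverity": {"nvd": 3, "ghsa": 4, "redhat": 2},
   "CVSS": {"nvd": {"V3Score": 8.1}, "redhat": {"V3Score": 6.5}}},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "org.example:codec",
   "PkgPath": "lib/liquibase-core.jar/BOOT-INF/lib/codec-2.0.jar", "InstalledVersion": "2.0",
   "Severity": "CRITICAL", "PublishedDate": "2024-05-20T00:00:00Z",
   "VendorSeverity": {"nvd": 4}, "CVSS": {"nvd": {"V3Score": 9.8}}}]},
 {"Target": "ubuntu 22.04", "Class": "os-pkgs", "Type": "ubuntu", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl3", "InstalledVersion": "3.0.2-0ubuntu1.10",
   "FixedVersion": "3.0.2-0ubuntu1.15", "Severity": "HIGH", "PublishedDate": "2024-01-15T00:00:00Z",
   "VendorSeverity": {"nvd": 3, "redhat": 2, "ubuntu": 2}, "CVSS": {"redhat": {"V3Score": 7.5}}},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g", "InstalledVersion": "1.2.11",
   "Severity": "MEDIUM", "VendorSeverity": {}, "CVSS": {}}]}]}'''

GRYPE_JSON = r'''{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"versions": ["1.2.5"], "state": "fixed"}},
  "artifact": {"name": "parser", "version": "1.2.0", "type": "java-archive"}},
 {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium", "fix": {"versions": [], "state": "not-fixed"}},
  "artifact": {"name": "libssl3", "version": "3.0.2-0ubuntu1.10", "type": "deb"}}]}'''


def parent_jar(vuln, result):
    """Parent JAR column. Assumed rule: for Java findings Trivy's PkgPath names the JAR
    that physically contains the package; the outermost .jar in that path is the parent,
    and a package sitting directly in the top-level JAR is reported as '(internal)'."""
    if result.get("Class") != "lang-pkgs":
        return "-"  # OS packages have no parent JAR
    path = vuln.get("PkgPath") or result.get("Target", "")
    if ".jar" not in path:
        return "(internal)"
    outer = path.split(".jar", 1)[0] + ".jar"
    return "(internal)" if outer == path else outer


def vendor_data(vuln):
    """Trivy Vendor Data column: one prefix:code pair per vendor, e.g. 'nvd:H rh:M'.
    Unknown vendor keys are passed through unchanged so nothing is silently dropped."""
    parts = []
    for key, level in sorted(vuln.get("VendorSeverity", {}).items()):
        code = SEVERITY_CODE.get(level)
        if code:  # skip Unknown (0)
            parts.append(f"{VENDOR_PREFIX.get(key, key)}:{code}")
    return " ".join(parts) or "-"


def cvss_score(vuln):
    """CVSS column: prefer NVD's v3 score, else the first vendor that supplies one."""
    cvss = vuln.get("CVSS", {})
    if "V3Score" in cvss.get("nvd", {}):
        return cvss["nvd"]["V3Score"]
    return next((s["V3Score"] for s in cvss.values() if "V3Score" in s), None)


def grype_index(grype):
    """Map (CVE, installed version) -> Grype severity. Grype names Java artifacts by
    artifactId while Trivy uses group:artifact, so correlate on CVE + version instead."""
    return {(m["vulnerability"]["id"], m["artifact"]["version"]): m["vulnerability"]["severity"].upper()
            for m in grype["matches"]}


def build_rows(trivy, grype):
    """Produce one report row per HIGH/CRITICAL Trivy finding, enriched with Grype's view."""
    g = grype_index(grype)
    rows = []
    for result in trivy["Results"]:
        for v in result.get("Vulnerabilities", []):
            if v["Severity"] not in ("HIGH", "CRITICAL"):
                continue  # the report only lists HIGH/CRITICAL
            cve, fixed = v["VulnerabilityID"], v.get("FixedVersion") or ""
            rows.append({
                "Package": v["PkgName"],
                "Parent JAR": parent_jar(v, result),
                "CVE": cve,
                "NVD": f"https://nvd.nist.gov/vuln/detail/{cve}",
                "GitHub Advisories": f"https://github.com/advisories?query={cve}",
                "CVE Published": v.get("PublishedDate", "")[:10],
                "Trivy Severity": v["Severity"],
                "CVSS": cvss_score(v),
                "Trivy Vendor Data": vendor_data(v),
                "Grype Severity": g.get((cve, v["InstalledVersion"]), "-"),
                "Installed": v["InstalledVersion"],
                "Fixed": fixed or "-",
                "Fix?": "✅" if fixed else "❌",
            })
    return rows


def to_markdown(rows):
    """Render rows as the markdown table used in the downloadable report."""
    cols = list(rows[0])
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    lines += ["| " + " | ".join(str(r[c]) for c in cols) + " |" for r in rows]
    return "\n".join(lines)


def sample_rows():
    return build_rows(json.loads(TRIVY_JSON), json.loads(GRYPE_JSON))


if __name__ == "__main__":
    print(to_markdown(sample_rows()))
```

In the constructed sample the third row is the case the FAQ warns about: Trivy rates it HIGH while Grype rates the same CVE MEDIUM, and the CVSS score has to fall back to Red Hat's value because NVD has none. The second row has no FixedVersion, so it gets ❌ and must wait for an upstream release.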
After each scan, the following artifact is available for download:
- vulnerability-report-{community|secure}-{version} - Detailed markdown report with all vulnerability information
To download: Go to the workflow run > scroll to "Artifacts" section > click the download icon.
- No vulnerabilities found - The image passed all scans with no HIGH/CRITICAL issues
- Vulnerabilities with fixes available (✅) - These can be resolved by updating dependencies
- Vulnerabilities without fixes (❌) - Must wait for upstream maintainers to release patches
- Same CVE in multiple scanners - Normal; different scanners may detect the same issue
Q: Why do Trivy and Grype sometimes show different results? A: Each scanner uses its own vulnerability database and its own package-matching logic (Grype, for example, works from the SBOM rather than from the image contents directly), so one may flag a package the other misses, or assign a different severity to the same CVE. Running both gives more comprehensive coverage; a finding reported by only one scanner is still worth reviewing.
Q: What does "Parent JAR: (internal)" mean? A: The vulnerable component is part of Liquibase's core libraries, not a nested dependency from an extension.
Q: Why is the vendor severity different from what I see on their website? A: Trivy's database may not always be synchronized with the latest vendor assessments. The linked vendor URL shows the current rating.
Q: How often are published images scanned? A: The workflow runs Monday-Friday at 10 AM UTC, scanning the most recent tags of each image.
Q: Where can I view the scan results? A: Go to the repository's Actions tab > "Published Images Vulnerability Scanning" workflow > select a run > view the summary or download artifacts.
| Schedule | Time | Description |
|---|---|---|
| Weekdays | 10:00 AM UTC | Automatic scan of published images |
| Manual | On-demand | Can be triggered manually via "Run workflow" button |
- Vulnerability Scanning Scripts - Technical documentation for developers
- Trivy Documentation - Official Trivy scanner documentation
- Grype Documentation - Official Grype scanner documentation
- NVD - National Vulnerability Database