Replace deprecated microscanner with Trivy security scanner

multi-stage-scanning/Dockerfile

@@ -74,14 +74,26 @@ FROM test as audit
 
 RUN npm audit
 
-# aqua microscanner, which needs a token for API access
-# note this isn't super secret, so we'll use an ARG here
-# https://github.com/aquasecurity/microscanner
-ARG MICROSCANNER_TOKEN
-ADD https://get.aquasec.com/microscanner /
-RUN chmod +x /microscanner
-RUN apk add --no-cache ca-certificates && update-ca-certificates
-RUN /microscanner $MICROSCANNER_TOKEN --continue-on-failure
+# Trivy security scanner (replaces deprecated microscanner)
+# https://github.com/aquasecurity/trivy
+ENV TRIVY_VERSION=0.35.0
+# Use BuildKit to help translate architecture names
+ARG TARGETPLATFORM
+RUN case ${TARGETPLATFORM} in \
+         "linux/amd64")    ARCH=amd64  ;; \
+         "linux/arm64")    ARCH=arm64  ;; \
+         "linux/arm64/v8") ARCH=arm64  ;; \
+         "linux/arm/v7")   ARCH=arm    ;; \
+         *)                ARCH=amd64  ;; \
+    esac \
+    && apk add --no-cache wget ca-certificates \
+    && update-ca-certificates \
+    && wget --progress=dot:giga https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz \
+    && tar zxf trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz \
+    && mv trivy /usr/local/bin/ \
+    && rm trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz
+COPY . .
+RUN trivy fs --severity "HIGH,CRITICAL" --no-progress --security-checks vuln .
 
 
 ## Stage 6 (default, production)

multi-stage-scanning/README.md

@@ -0,0 +1,49 @@
+# Multi-Stage Scanning Example
+
+This example demonstrates a multi-stage Docker build with integrated security scanning.
+
+## Security Scanning: Microscanner → Trivy Migration
+
+**⚠️ Important Update:** This example has been updated to use Trivy instead of the deprecated Aqua Microscanner.
+
+### Why the Change?
+
+- **Aqua Microscanner** has been deprecated for several years
+- **Trivy** is the modern replacement and actively maintained successor
+- Trivy provides better vulnerability detection and performance
+
+### What Changed
+
+The security scanning stage (Stage 5) now uses:
+- ✅ **Trivy**: Modern, fast, and comprehensive vulnerability scanner
+- ❌ ~~Microscanner~~: Deprecated and no longer maintained
+
+### Using This Example
+
+1. **Build the image:**
+   ```bash
+   docker build -t scanning-example .
+   ```
+
+2. **Build specific stages:**
+   ```bash
+   # Build and run security scan
+   docker build --target audit -t scanning-example:audit .
+
+   # Build production image
+   docker build --target prod -t scanning-example:prod .
+   ```
+
+3. **Run in development:**
+   ```bash
+   docker-compose up
+   ```
+
+### Note
+
+This example uses Node.js 10 which may have compatibility issues with newer package-lock.json formats. Consider updating to a more recent Node.js version for production use.
+
+### Learn More
+
+- [Trivy Documentation](https://aquasecurity.github.io/trivy/)
+- [Docker Multi-Stage Builds](https://docs.docker.com/develop/dev-best-practices/dockerfile_best-practices/#use-multi-stage-builds)

ultimate-node-dockerfile/README.md

@@ -23,7 +23,7 @@ Goal: take the Dockerfile in this directory and make it the ULTIMATE for a combi
 
 ## BONUS
 
-* Add a security scanner to test stage and test it. Trivy (replaced microscanner) [trivy](https://github.com/aquasecurity/trivy)
+* Add a security scanner to test stage and test it. Use **Trivy** (the modern replacement for deprecated microscanner). See [Trivy documentation](https://github.com/aquasecurity/trivy).
 * Add Best Practices from an earlier section, including:
   * Enable BuildKit and try a build.
   * Add tini to images so containers will receive shutdown signals.