Favicon of trivy

trivy

Security scanner that finds vulnerabilities, misconfigurations, exposed secrets, and license issues across containers, filesystems, and Kubernetes.

Trivy is a security scanner built to cover a wide range of targets and issue types from a single tool. Rather than running separate tools for vulnerability scanning, misconfiguration checks, and secret detection, Trivy handles all of them, aimed at developers, DevOps, and security teams who need to catch security issues in code and infrastructure before or after deployment.

Key features

  • Multiple scan targets: Trivy scans container images, filesystems, remote Git repositories, virtual machine images, and Kubernetes clusters.
  • Vulnerability detection: It identifies known CVEs in OS packages and software dependencies, generating a software bill of materials (SBOM) in the process.
  • Misconfiguration and IaC scanning: Trivy finds infrastructure-as-code issues and misconfigurations, useful for catching problems in Terraform, Kubernetes manifests, and similar files before they're deployed.
  • Secret detection: It scans for sensitive information and secrets accidentally committed to code or embedded in images.
  • License scanning: Trivy also reports on software licenses in use, which matters for compliance in regulated environments.
  • Broad language and platform coverage: The project maintains a dedicated scanning coverage page listing the programming languages, operating systems, and platforms Trivy supports.
  • Wide ecosystem integration: Official integrations exist for GitHub Actions, a Kubernetes operator, and a VS Code extension, among others documented on the project's ecosystem page.
  • Simple, consistent CLI: Every scan follows the same basic pattern of a target type, optional scanner selection, and a subject, whether you're scanning a container image, a local directory, or a live cluster.

Ideal use cases

Trivy fits teams that want a single scanner covering CI pipelines, container registries, Kubernetes clusters, and local development, rather than assembling several point tools for vulnerabilities, secrets, and IaC issues separately. It's a natural fit for a CI/CD pipeline step that fails a build on critical CVEs, a pre-deployment check on Kubernetes manifests, or a periodic scan of running cluster workloads via trivy k8s. Teams already invested in the Aqua Security ecosystem, or considering it, will find Trivy a natural entry point, since Aqua builds on top of it for more advanced commercial capabilities.

It's less suited as a standalone solution if you need enterprise features like centralized policy management, historical trend reporting across an organization, or dedicated support; that's the gap Aqua's commercial product is positioned to fill on top of Trivy. Teams should also treat canary builds, generated from every push to the main branch, as unstable and unsuitable for production use, since the project explicitly warns they may contain critical bugs.

Installation

Trivy is available through most common distribution channels. A few of the most popular:

# Homebrew
brew install trivy

# Docker
docker run aquasec/trivy

Binaries can also be downloaded directly from the latest GitHub release. The full list of installation options, including OS-specific package managers, is documented on the project's installation page.

Basic usage follows a consistent pattern across all target types:

trivy <target> [--scanners <scanner1,scanner2>] <subject>

For example, scanning a container image for vulnerabilities:

trivy image python:3.4-alpine

Or scanning a filesystem for vulnerabilities, secrets, and misconfigurations in one pass:

trivy fs --scanners vuln,secret,misconfig myproject/

For a live Kubernetes cluster, a summary report can be generated with:

trivy k8s --report summary cluster

Canary builds are published to Docker Hub, GitHub, and ECR on every push to main, but are explicitly not recommended for production use. For questions or support, the project points users to GitHub Discussions rather than a separate support channel.

Trivy is developed as an Aqua Security open source project, and the project asks contributors and users to follow its Code of Conduct in all interactions. The name is pronounced with "tri" like trigger and "vy" like envy, according to the project's own FAQ.

Frequently asked questions

Share:

Stars
36.8K
Forks
530
Last commit
3 hours ago
Repository age
7 years
License
Apache-2.0
Self-hosted
No
Activity score
81/100
View Repository
Built with:

Similar to trivy

Favicon

 

  
  
Favicon

 

  
  
Favicon