Trivy
A single scanner for vulnerabilities, misconfigurations, secrets and SBOM across containers, filesystems, IaC and clouds
⚡ TL;DR
🎯 The Problem It Solves
Modern attack surface isn\'t one thing — it\'s your container images, your Terraform, your Kubernetes manifests, your Git repo secrets. Trivy consolidates all of that scanning into one fast CLI so you don\'t bolt together five tools. Point it at an image or a repo and get a unified findings report.
🔧 How It Works
Trivy scans multiple targets: container images (layer-by-layer CVE matching against its DB), filesystems, IaC files (Terraform, Kubernetes, CloudFormation — checked against policy like CIS), and repositories (for exposed secrets). It emits an SBOM (CycloneDX/SPDX) and can enforce policy via admission control (Trivy-Operator) or gate a CI pipeline. It\'s the scanning engine behind many commercial container-security products.
🚀 Installation & Quick Start
Installation
apt install trivyQuick Start
- Install: brew install trivy (or apt install trivy / docker run aquasec/trivy)
- Scan an image: trivy image nginx:latest
- Scan IaC: trivy config ./terraform/
- Scan a repo for secrets: trivy repo .
- Generate SBOM: trivy image --format cyclonedx nginx:latest > sbom.json
✅ Pros
- •One tool replaces several — huge simplification for DevSecOps
- •Fast and easy to drop into CI as a merge gate
- •SBOM + policy enforcement, not just a vuln list
- •Free, open source, and the de-facto OSS container scanner
❌ Cons
- •Image scans can slow CI if you don't cache the vulnerability DB
- •Misconfiguration findings can be noisy without policy tuning
- •SBOM output is only as good as what's in the image/build
- •Very large images eat memory at scan time
💬 Practitioner Verdict
"Trivy is the pragmatic default for cloud-native scanning: one CLI, every target type, easy CI gating. If you run containers or IaC and aren\'t scanning yet, start here. The only friction is tuning the noise down so your gate means something."
📊 Specifications
- Language
- Go
- License
- Apache-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Vulnerability Management / Supply Chain
- MITRE ATT&CK
- T1195, T1195.001
💰 Pricing Reality
Free and open source (Apache-2.0). Aqua Security (the maintainer) sells commercial features (advanced RBAC, enterprise policy, UI) on top; the scanner is unrestricted.