🔒SecurityRepoIndex

Trivy

A single scanner for vulnerabilities, misconfigurations, secrets and SBOM across containers, filesystems, IaC and clouds

4.6/ 536,866 GitHub starsGoApache-2.0

⚡ TL;DR

What
A single scanner for vulnerabilities, misconfigurations, secrets and SBOM across containers, filesystems, IaC and clouds
Who
DevSecOps / platform engineers, Cloud security teams, Container/K8s engineers, AppSec teams
Catch
Image scans can slow CI if you don't cache the vulnerability DB
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Modern attack surface isn\'t one thing — it\'s your container images, your Terraform, your Kubernetes manifests, your Git repo secrets. Trivy consolidates all of that scanning into one fast CLI so you don\'t bolt together five tools. Point it at an image or a repo and get a unified findings report.

🔧 How It Works

Trivy scans multiple targets: container images (layer-by-layer CVE matching against its DB), filesystems, IaC files (Terraform, Kubernetes, CloudFormation — checked against policy like CIS), and repositories (for exposed secrets). It emits an SBOM (CycloneDX/SPDX) and can enforce policy via admission control (Trivy-Operator) or gate a CI pipeline. It\'s the scanning engine behind many commercial container-security products.

🚀 Installation & Quick Start

Installation

apt install trivy

Quick Start

  1. Install: brew install trivy (or apt install trivy / docker run aquasec/trivy)
  2. Scan an image: trivy image nginx:latest
  3. Scan IaC: trivy config ./terraform/
  4. Scan a repo for secrets: trivy repo .
  5. Generate SBOM: trivy image --format cyclonedx nginx:latest > sbom.json

✅ Pros

  • One tool replaces several — huge simplification for DevSecOps
  • Fast and easy to drop into CI as a merge gate
  • SBOM + policy enforcement, not just a vuln list
  • Free, open source, and the de-facto OSS container scanner

❌ Cons

  • Image scans can slow CI if you don't cache the vulnerability DB
  • Misconfiguration findings can be noisy without policy tuning
  • SBOM output is only as good as what's in the image/build
  • Very large images eat memory at scan time

💬 Practitioner Verdict

"Trivy is the pragmatic default for cloud-native scanning: one CLI, every target type, easy CI gating. If you run containers or IaC and aren\'t scanning yet, start here. The only friction is tuning the noise down so your gate means something."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
Apache-2.0
Platform
Linux, macOS, Windows
Kill Chain
Vulnerability Management / Supply Chain
MITRE ATT&CK
T1195, T1195.001

💰 Pricing Reality

Free and open source (Apache-2.0). Aqua Security (the maintainer) sells commercial features (advanced RBAC, enterprise policy, UI) on top; the scanner is unrestricted.

👥 Community Health

Stars36,866
Forks531
Contributors443
Health Score9.5/10

🏷️ Tags

Container SecurityOpen SourceFreeVulnerability Scanner

🔗 Similar Tools