trivy
by aquasecurity
Trivy is a comprehensive security scanner that detects vulnerabilities, misconfigurations, secrets, and generates SBOMs across containers, Kubernetes, code repositories, and cloud environments.
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Primary Use Case
Trivy is primarily used by developers, DevOps, and security teams to identify security risks in container images, filesystems, Kubernetes clusters, and code repositories before deployment. It helps ensure software supply chain security by scanning for vulnerabilities, misconfigurations, and sensitive information across various environments.
- Scans container images, filesystems, Git repositories, VM images, and Kubernetes clusters
- Detects OS packages and software dependencies (SBOM generation)
- Finds known vulnerabilities (CVEs) across multiple platforms
- Identifies Infrastructure as Code (IaC) misconfigurations
- Detects sensitive information and secrets
- Supports scanning software licenses
- Integrates with popular platforms like GitHub Actions, Kubernetes operators, and VS Code
- Available via multiple distribution channels including Homebrew, Docker, and binaries
Installation
- brew install trivy
- docker run aquasec/trivy
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
Usage
- trivy image python:3.4-alpine: scan a container image for vulnerabilities and other security issues
- trivy fs --scanners vuln,secret,misconfig myproject/: scan a filesystem directory for vulnerabilities, secrets, and misconfigurations
- trivy k8s --report summary cluster: scan a Kubernetes cluster and generate a summary report
- Integrate Trivy scans into CI/CD pipelines for automated vulnerability and misconfiguration detection before deployment.
- Use Trivy's Kubernetes operator to continuously monitor cluster security posture and detect drift or misconfigurations.
- Leverage secret detection capabilities to prevent accidental leakage of credentials in code repositories.
- Combine Trivy SBOM generation with software supply chain security tools to enhance transparency and compliance.
- Employ Trivy in purple team exercises to simulate attacker reconnaissance and improve detection capabilities.
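The CI/CD integration above usually comes down to one decision: which findings in a Trivy report are allowed to fail the build. The following script is an added example, not part of Trivy or the aquasecurity project. It assumes a JSON report written by `trivy image --format json -o report.json <image>` (Trivy's own flags) and reads the fields Trivy emits for vulnerability findings (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity). The embedded sample report is constructed for the demonstration, and its CVE ids are placeholders, not real advisories.

```python
"""Gate a CI job on a Trivy JSON vulnerability report.

Added example, not Trivy's own code. Assumes a report produced by
`trivy image --format json -o report.json <image>`. The sample report
below is constructed; its CVE ids and image name are placeholders.
"""
import json
import sys
from collections import Counter

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout of a Trivy JSON report (placeholder ids).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:placeholder",
    "Results": [
        {
            "Target": "example.invalid/app:placeholder (alpine 3.x)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.0-r1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "LOW"},
            ],
        },
        # A target with no findings: Trivy omits the Vulnerabilities key.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs"},
    ],
})


def load_findings(report_text):
    """Flatten every vulnerability in a Trivy JSON report into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        # "Vulnerabilities" may be missing or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def blocking_findings(findings, threshold="HIGH", ignore_unfixed=False, allowlist=()):
    """Select the findings that should fail the build.

    threshold:      lowest severity that blocks (inclusive).
    ignore_unfixed: skip findings with no FixedVersion (nothing to upgrade to yet).
    allowlist:      vulnerability ids accepted after review (like a .trivyignore).
    """
    floor = SEVERITY_RANK[threshold.upper()]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        if f["id"] in allowlist:
            continue
        blocking.append(f)
    return blocking


def severity_counts(findings):
    """Per-severity totals for the job summary."""
    return dict(Counter(f["severity"] for f in findings))


def gate(report_text, threshold="HIGH", ignore_unfixed=False, allowlist=()):
    """Print a summary and return the process exit code: 0 to pass, 1 to block."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, threshold, ignore_unfixed, allowlist)
    for f in blocking:
        fix = f"fix in {f['fixed']}" if f["fixed"] else "no fix available"
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} ({fix}) [{f['target']}]")
    print("severity counts:", severity_counts(findings))
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, threshold="HIGH", ignore_unfixed=False))
```

Trivy can apply the same policy itself with `--severity HIGH,CRITICAL --exit-code 1` and `--ignore-unfixed`; the value of post-processing the JSON is that the gate, the allowlist and the summary live in one reviewable place, and unfixed findings can be reported without blocking while fixable ones still fail the job.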
Related Tools
nuclei
projectdiscovery/nuclei
Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
lynis
CISOfy/lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
vuls
future-architect/vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
oss-fuzz
google/oss-fuzz
OSS-Fuzz - continuous fuzzing for open source software.
nuclei-templates
projectdiscovery/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
grype
anchore/grype
A vulnerability scanner for container images and filesystems
