
Security scanner that detects vulnerabilities, secrets, and misconfigurations in containers, filesystems, git repos, VMs, and Kubernetes
Trivy is a security scanner that identifies vulnerabilities, secrets, and configuration issues across multiple target types including container images, filesystems, Git repositories, virtual machine images, and Kubernetes clusters. The tool combines multiple scanning capabilities in a single binary: vulnerability detection (CVEs), Infrastructure as Code (IaC) misconfiguration analysis, secret detection, software license identification, and Software Bill of Materials (SBOM) generation.
Trivy supports scanning OS packages and software dependencies across most popular programming languages and operating systems. It can be run as a standalone CLI tool with commands like trivy image python:3.4-alpine to scan container images or trivy fs --scanners vuln,secret,misconfig myproject/ to analyze local filesystems with specific scanner combinations. For Kubernetes environments, commands like trivy k8s --report summary cluster provide cluster-wide security assessment.
The tool integrates with development workflows through GitHub Actions, Kubernetes operators, and VS Code extensions. It's available as a Docker container (docker run aquasec/trivy), system packages, and standalone binaries, making it suitable for both local development security checks and CI/CD pipeline integration. Security teams and developers can use Trivy for container security scanning, infrastructure auditing, and compliance validation across their deployment pipeline.
# via Homebrew
brew install trivy
# via Docker
docker run aquasec/trivy
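The filesystem scan described above is most useful in CI when its findings gate the pipeline. The following is an added example, not part of Trivy or this page: it reads a report produced with `trivy fs --scanners vuln,secret,misconfig --format json --output report.json myproject/`, flattens the three scanner classes, and exits non-zero on anything at or above a severity threshold. It assumes Trivy's JSON layout of `Results[]` containing `Vulnerabilities[]`, `Misconfigurations[]` and `Secrets[]`; the embedded sample report and every ID in it are constructed placeholders.

```python
"""CI gate over a Trivy JSON report (assumes Results[] with Vulnerabilities/Misconfigurations/Secrets)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `trivy fs --scanners vuln,secret,misconfig --format json` output;
# all IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "myproject/", "Results": [
    {"Target": "requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib", "InstalledVersion": "2.3.0",
         "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "Dockerfile", "Class": "config", "Misconfigurations": [
        {"ID": "PLACEHOLDER-001", "Severity": "MEDIUM", "Status": "FAIL"},
        {"ID": "PLACEHOLDER-002", "Severity": "HIGH", "Status": "PASS"}]},
    {"Target": ".env", "Class": "secret", "Secrets": [
        {"RuleID": "placeholder-token", "Severity": "CRITICAL"}]}]})


def findings(report):
    """Flatten the three scanner classes into (class, target, id, severity, fixed_version)."""
    for res in report.get("Results") or []:
        target = res.get("Target", "")
        for v in res.get("Vulnerabilities") or []:
            yield "vuln", target, v["VulnerabilityID"], v.get("Severity", "UNKNOWN"), v.get("FixedVersion", "")
        for m in res.get("Misconfigurations") or []:
            if m.get("Status") == "FAIL":  # passed checks are listed only with --include-non-failures
                yield "misconfig", target, m["ID"], m.get("Severity", "UNKNOWN"), ""
        for s in res.get("Secrets") or []:
            yield "secret", target, s["RuleID"], s.get("Severity", "UNKNOWN"), ""


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return findings at or above threshold; a non-empty list should fail the pipeline."""
    minimum = SEVERITY_RANK[threshold]
    blocking = []
    for cls, target, ident, sev, fixed in findings(json.loads(report_json)):
        if SEVERITY_RANK.get(sev, 0) < minimum:
            continue
        if ignore_unfixed and cls == "vuln" and not fixed:
            continue  # same idea as Trivy's own --ignore-unfixed flag
        blocking.append((cls, target, ident, sev))
    return blocking


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    hits = gate(data)
    for cls, target, ident, sev in hits:
        print(f"{sev:9}{cls:11}{target}: {ident}")
    sys.exit(1 if hits else 0)
```

Run it as `python gate.py report.json` after the Trivy step; with no argument it evaluates the embedded sample, which exits 1 because of the HIGH and CRITICAL findings.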
