Trivy is an open-source security scanner by Aqua Security. It scans container images, filesystems, git repositories, virtual machine images, and Kubernetes clusters for vulnerabilities, misconfigurations, secrets, and license issues. One binary, five target types, four scanner engines.
With 32.2k GitHub stars, 513+ contributors, and 178+ releases, it is the most-starred open-source security scanner on GitHub. The latest release is v0.69.1 (February 2026).

What Trivy does
Trivy started as a container vulnerability scanner. It has since absorbed tfsec (Terraform security scanner) and grown into a multi-target tool that covers most of what DevSecOps teams need from a single CLI.
The scanner works locally, in CI/CD pipelines, and as a Kubernetes operator. Written in Go, it ships as a static binary with no dependencies. Install it, point it at a target, get results.
Key features
| Feature | Details |
|---|---|
| Targets | Container images, filesystems, git repos, VM images, Kubernetes clusters, SBOMs |
| Scanners | Vulnerabilities, misconfigurations, secrets, licenses |
| OS coverage | Alpine, Debian, Ubuntu, RHEL, CentOS, Amazon Linux, SUSE, Photon, Windows |
| Language ecosystems | Go, Java, Node.js, Python, Ruby, Rust, PHP, .NET, Dart, Elixir, Swift |
| IaC types | Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, ARM, Ansible (CIS-aligned) |
| Output formats | Table, JSON, SARIF, CycloneDX, SPDX, template-based custom formats |
| SBOM generation | CycloneDX and SPDX for container images and filesystems |
| Policy engine | Rego (OPA) for custom misconfiguration checks |
| Kubernetes | Cluster scanning, workload assessment, KBOM (Kubernetes Bill of Materials) |
| Databases | trivy-db (general vulnerabilities), trivy-java-db (JAR/WAR identification) |
Container image scanning
Trivy scans Docker and OCI images for known vulnerabilities in both OS packages and application dependencies. Point it at any image reference and it pulls the layers, extracts packages, and checks them against its vulnerability database.
Results include the CVE ID, severity, installed version, fixed version (if available), and a link to the advisory. You can filter by severity to focus on HIGH and CRITICAL findings only.
IaC misconfiguration scanning
After absorbing tfsec, Trivy’s misconfiguration scanner covers Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, ARM templates, and Ansible playbooks.
Drop your IaC files in a directory and run trivy config ./ against it. Trivy auto-detects the file types and applies the matching checks; there is no need to tell it which IaC format you’re using.
Custom checks use Rego (the OPA policy language). Write your own rules and place them alongside the built-in check set.
AVD check IDs such as AVD-AWS-0086 work in Trivy’s misconfiguration scanner. The tfsec repository now redirects users to Trivy.
Kubernetes cluster scanning
Trivy scans running Kubernetes clusters directly. The trivy k8s command connects to your cluster and checks workloads for vulnerabilities, misconfigurations, and secrets.

Two report modes are available: summary gives a quick overview per namespace, and all provides the full detail for every resource. The Trivy Operator can run these scans continuously inside the cluster.
Filesystem and repository scanning
Trivy scans local directories and remote git repositories for vulnerabilities in application dependencies. It reads lock files (package-lock.json, go.sum, Gemfile.lock, requirements.txt, and others) to identify packages and check them against known CVEs.

The filesystem scanner also picks up secrets and IaC misconfigurations in the same pass. Run trivy fs --scanners vuln,secret,misconfig . to get everything at once.
Secret detection
The secret scanner uses regex patterns to find hardcoded credentials: API keys, passwords, private keys, cloud access keys, and database connection strings. It runs against any target type — container images, filesystems, or repositories.
SBOM generation
Trivy generates a Software Bill of Materials (SBOM) in CycloneDX and SPDX formats. This is useful for supply chain compliance, vulnerability tracking, and responding to incidents like Log4Shell, where you need to know which images contain a specific library.
```sh
# CycloneDX format
trivy image --format cyclonedx myapp:latest > sbom.json
# SPDX format
trivy image --format spdx-json myapp:latest > sbom.spdx.json
```
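The Log4Shell use case above (which images contain a given library?) is a query over the SBOMs, not a rescan. The script below is an added example, not Trivy’s own code: it reads one CycloneDX SBOM per image, matches components by their package URL (purl), and lists every image whose copy of a Maven artifact is below a fixed version you supply. The four SBOMs embedded in it are constructed samples trimmed to the fields the script reads; the image names, function names and the 2.15.0 threshold are this example’s own choices, and the version comparison is a simple numeric one that does not understand pre-release tags.

```python
"""Query CycloneDX SBOMs (trivy image --format cyclonedx) for a library.

Added example, not Trivy's own code. Given one SBOM per image, it reports
every image that ships a Maven artifact below a fixed version, matching
on the component purl. The SBOMs below are constructed samples trimmed
to the fields this script reads (image names are made up).
"""
import json
import re
import sys
from pathlib import Path

# Constructed sample SBOMs: metadata.component.name is the scanned image,
# components[].purl identifies each package (qualifiers after '?' are dropped).
SAMPLE_SBOMS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "container", "name": "api:1.4.0"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
          "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         {"type": "library", "name": "openssl", "version": "3.1.2-r0",
          "purl": "pkg:apk/alpine/openssl@3.1.2-r0?arch=x86_64&distro=3.18.4"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "container", "name": "worker:2.0.1"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
          "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "container", "name": "web:3.2.0"}},
     "components": [
         {"type": "library", "name": "lodash", "version": "4.17.21",
          "purl": "pkg:npm/lodash@4.17.21"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "container", "name": "legacy:0.9"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
          "version": "2.12.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"}]},
]

# pkg:<type>/<namespace>/<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Return (type, namespace/name path, version) or None; qualifiers and subpath are dropped."""
    m = PURL_RE.match(purl or "")
    if not m:
        return None
    return m.group("type"), m.group("path"), m.group("version")


def version_key(version):
    """Comparison key from the numeric parts only: '2.14.1' -> (2, 14, 1).

    Adequate for release versions like these; pre-release tags ('2.0-beta9')
    or distro suffixes need an ecosystem-aware comparator.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_affected(sboms, purl_type, path, fixed_version):
    """List images whose component <purl_type>/<path> is older than fixed_version."""
    hits = []
    for sbom in sboms:
        image = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
        for comp in sbom.get("components", []):
            parsed = parse_purl(comp.get("purl"))
            if parsed is None:
                continue
            ptype, ppath, version = parsed
            if ptype == purl_type and ppath == path and version_key(version) < version_key(fixed_version):
                hits.append({"image": image, "version": version, "purl": comp["purl"]})
    return hits


def main(argv):
    # Usage: python sbom_query.py maven org.apache.logging.log4j/log4j-core 2.15.0 sbom-*.json
    # With no arguments the constructed samples are queried. The fixed version is
    # an input you take from the advisory; Log4j, for instance, also shipped
    # branch-specific fixes, so a single threshold is a starting point, not the whole story.
    if len(argv) >= 5:
        purl_type, path, fixed = argv[1], argv[2], argv[3]
        sboms = [json.loads(Path(p).read_text()) for p in argv[4:]]
    else:
        purl_type, path, fixed = "maven", "org.apache.logging.log4j/log4j-core", "2.15.0"
        sboms = SAMPLE_SBOMS
    hits = find_affected(sboms, purl_type, path, fixed)
    for h in hits:
        print(f"{h['image']}: {h['purl']} (< {fixed})")
    print(f"{len(hits)} of {len(sboms)} images affected")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Matching on the purl rather than on group/name fields keeps the same query working across ecosystems (pkg:npm, pkg:apk, pkg:maven) and is what you would key an SBOM inventory on in practice.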
VM image scanning
Trivy also scans virtual machine images through the trivy vm command. Amazon Machine Images (AMIs), EBS snapshots, and local disk image files go through the same vulnerability database used for container scanning.
Getting started
1. Install with Homebrew (brew install trivy), apt (sudo apt-get install trivy), Docker (docker run aquasec/trivy), or download the binary from GitHub releases. Available for Linux, macOS, and Windows.
2. Run trivy image nginx:latest to check a container image for vulnerabilities. Add --severity HIGH,CRITICAL to filter results.
3. Run trivy config ./terraform/ to check Terraform files for misconfigurations. Trivy auto-detects the IaC type.
4. Run trivy k8s --report summary cluster to assess all workloads in your cluster.
5. Run trivy image --format cyclonedx myapp:latest > sbom.json to produce a CycloneDX bill of materials.
CI/CD integration
Trivy fits into any CI/CD pipeline. The official GitHub Action (aquasecurity/trivy-action) handles container image and IaC scanning with SARIF output for GitHub Code Scanning.
For GitLab CI, the Docker image runs in a security stage. Jenkins and CircleCI work through the CLI binary. Exit codes control whether builds pass or fail: set --exit-code 1 with --severity HIGH,CRITICAL to fail on serious findings only.

Run trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest to fail the build only when HIGH or CRITICAL vulnerabilities are found, so LOW and MEDIUM findings that can be addressed later do not block deployments. Add --ignore-unfixed if vulnerabilities with no available patch should not block the pipeline either.
Configuration
Create a trivy.yaml file to set defaults:
```yaml
severity:
  - HIGH
  - CRITICAL
vulnerability:
  ignore-unfixed: true
misconfiguration:
  terraform:
    exclude-downloaded-modules: true
# To skip specific checks, list their IDs in a .trivyignore file, one per line:
#   AVD-AWS-0086
# or pass them on the CLI: trivy config --skip-checks AVD-AWS-0086 .
```
The ignore-unfixed option hides vulnerabilities with no available patch. Useful for reducing noise in reports when you can only act on fixable issues.
Individual findings can be suppressed with a .trivyignore file listing CVE IDs or check IDs, one per line.
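The --exit-code gate from the CI/CD section and the ignore-unfixed and .trivyignore settings here all decide the same thing: which findings may fail a build. When you want that decision logged rather than applied silently (for example so reviewers can see which CRITICAL was skipped because it has no fix), it is worth applying the rules yourself over the JSON report. The script below is an added example, not Trivy’s own code: it reads the output of trivy image --format json, applies a severity threshold, the ignore-unfixed rule and a .trivyignore list, and exits non-zero only for the findings that survive. The embedded report is constructed sample data with placeholder CVE IDs (not real advisories), and the function and file names are this example’s own.

```python
"""Severity gate over a Trivy JSON report (trivy image --format json).

Added example, not Trivy's own code. It reproduces what --severity,
--ignore-unfixed and .trivyignore do, but records every finding it
skipped so the CI log shows why a build passed.
The report below is constructed sample data with placeholder IDs.
"""
import json
import sys
from pathlib import Path

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape Trivy emits: Results[].Vulnerabilities[].
# The CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.18.4)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0001", "PkgName": "openssl",
              "InstalledVersion": "3.1.2-r0", "FixedVersion": "3.1.3-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2099-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r2", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2099-0003", "PkgName": "zlib",
              "InstalledVersion": "1.2.13-r1", "FixedVersion": "1.2.13-r2", "Severity": "MEDIUM"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0004", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "CRITICAL"}]},
    ],
})


def sample_report():
    """Parsed copy of the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def severity_rank(severity):
    """Map a Trivy severity string to an integer; unrecognised strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_ignore_list(text):
    """Parse .trivyignore text: one ID per line, '#' starts a comment.

    Only the first whitespace-separated token of a line is taken as the ID;
    anything after it is not interpreted by this example.
    """
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def gate(report, min_severity="HIGH", ignore_unfixed=False, ignored=frozenset()):
    """Return (blocking, skipped); any blocking finding should fail the build.

    Rules are applied in the order: explicit ignore list, no fixed version,
    severity threshold. Skipped entries carry the reason they were skipped.
    """
    threshold = severity_rank(min_severity)
    blocking, skipped = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln.get("VulnerabilityID", "")
            fixed = vuln.get("FixedVersion") or ""
            severity = vuln.get("Severity", "UNKNOWN")
            if vid in ignored:
                skipped.append((vid, "listed in .trivyignore"))
            elif ignore_unfixed and not fixed:
                skipped.append((vid, "no fixed version"))
            elif severity_rank(severity) < threshold:
                skipped.append((vid, "below severity threshold"))
            else:
                blocking.append({"target": result.get("Target", ""), "id": vid,
                                 "severity": severity, "package": vuln.get("PkgName", ""),
                                 "installed": vuln.get("InstalledVersion", ""),
                                 "fixed": fixed or "-"})
    return blocking, skipped


def main(argv):
    # Usage: trivy image --format json myapp:latest > report.json && python gate.py report.json
    # With no argument the constructed sample report is used.
    report = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else sample_report()
    ignore_file = Path(".trivyignore")
    ignored = load_ignore_list(ignore_file.read_text()) if ignore_file.exists() else set()
    blocking, skipped = gate(report, min_severity="HIGH", ignore_unfixed=True, ignored=ignored)
    for b in blocking:
        print(f"BLOCK {b['severity']:<8} {b['id']:<16} {b['package']} "
              f"{b['installed']} -> {b['fixed']} ({b['target']})")
    for vid, why in skipped:
        print(f"skip  {vid}: {why}")
    print(f"{len(blocking)} blocking, {len(skipped)} skipped")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample report, ignore_unfixed set and CVE-2099-0004 in .trivyignore, only the fixable HIGH openssl finding blocks; the unfixed CRITICAL, the MEDIUM and the ignored CRITICAL are each printed with their reason, which is the audit trail the plain --exit-code flag does not leave behind.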
When to use Trivy
Trivy works well when you want a single scanner that handles containers, IaC, secrets, and dependencies without stitching together separate tools. Getting all of that from one binary is why most teams reach for it first.
It’s the default scanner in Harbor (the CNCF container registry) and has integrations with GitLab, AWS Security Hub, and the Kubernetes operator ecosystem. If you’re already in that stack, Trivy slots in with minimal setup.
For IaC-specific scanning with a larger policy library, Checkov or KICS offer more checks and compliance framework mappings. For commercial support and curated fix recommendations, Snyk IaC is worth evaluating. But if you want one open-source tool that does most of the job, Trivy is the obvious starting point.
For a broader view of IaC security strategy, see our cloud infrastructure security guide. Browse other IaC security tools to compare options.
