
Find vulnerabilities, misconfigurations, and secrets in containers and code
Trivy is a comprehensive security scanner designed to identify vulnerabilities and security issues across multiple targets and environments. It can scan container images, filesystems, Git repositories, virtual machine images, and Kubernetes clusters to detect OS packages, software dependencies, known CVEs, infrastructure-as-code misconfigurations, secrets, and software licenses.
The tool supports most popular programming languages, operating systems, and platforms, making it versatile for diverse development environments. Trivy's modular approach allows users to specify both what they want to scan (targets) and what they want to find (scanners), providing flexibility in security assessment workflows.
Trivy is particularly valuable for DevOps teams, security engineers, and developers who need to integrate security scanning into their CI/CD pipelines or perform ad-hoc security assessments. Its extensive integration ecosystem includes GitHub Actions, Kubernetes operators, and VS Code plugins, making it easy to incorporate into existing workflows. The tool is developed by Aqua Security as an open-source project and serves as the foundation for more advanced commercial security offerings.
```shell
# via Homebrew
brew install trivy

# via Docker (pulls the official image; append a target, e.g. `image <name>`, to scan)
docker run aquasec/trivy

# via binary: download a release from
# https://github.com/aquasecurity/trivy/releases/latest/
```
