Trivy
Trivy is an open-source vulnerability and security scanner (security tooling), maintained by Aqua Security, for container images, file systems, repositories, cloud infrastructure, and other software artifacts.
- Unified vulnerability, misconfiguration, and secret scanning across containers, file systems, Infrastructure-as-Code (IaC), and cloud environments (security tooling).
- Supports scanning of container images, Kubernetes resources, Helm charts, file systems, Git repositories, Virtual Machine (VM) images, and registries (security tooling).
- Detects Operating System (OS) package and application library vulnerabilities using multiple advisory sources (vulnerability management).
- Identifies IaC and Kubernetes misconfigurations, and exposed secrets in code and configuration (cloud-native security).
- Integrates with Continuous Integration and Continuous Deployment (CI/CD) pipelines, developer tooling, and runtime environments for automated security checks (DevSecOps enablement).
More About Trivy
Trivy is an open-source security scanner (security tooling) created and maintained by Aqua Security to inspect a range of software artifacts, including container images, file systems, repositories, VM images, and cloud-native resources. The project targets common risk areas in modern software delivery pipelines: known vulnerabilities, insecure configurations, and exposed secrets across application components and IaC. It is designed to support cloud-native, containerized, and platform engineering environments where automated and repeatable security checks are integrated into developer and operations workflows.
At its core, Trivy provides vulnerability scanning (vulnerability management) for both OS packages and application dependencies, whether bundled into container images or present on file systems and in repositories. It reads the installed packages and declared dependencies from an artifact (OS package databases, language lockfiles and manifests) and matches them against advisories aggregated from multiple vulnerability data sources, including distribution security feeds and language-ecosystem advisory databases, so a finding depends on both the installed version of a package and the distribution or ecosystem it came from. Trivy also supports misconfiguration scanning (cloud-native security) for Kubernetes resources, Helm charts, and IaC definitions such as Terraform, which lets teams enforce security and compliance policies on infrastructure definitions before deployment.
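The matching step described above, reduced to its essentials as an added illustration (this is not Trivy's code, and Trivy's real matcher implements each distribution's own version-ordering rules and reads advisories from per-distribution and per-ecosystem feeds). The advisory records, the package inventory and the `EXAMPLE-` identifiers are all constructed for this page. What it shows is why a scanner cannot compare versions as strings, and why an advisory is only meaningful for the distribution it was issued for.

```python
import re

# Constructed advisory records for illustration. The IDs are placeholders, not real
# CVEs. Each advisory applies to one OS distribution, as distro security feeds do.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "os": "alpine", "pkg": "openssl", "fixed": "3.0.12-r1", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "os": "alpine", "pkg": "curl", "fixed": "8.5.0-r0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "os": "alpine", "pkg": "zlib", "fixed": "1.3-r0", "severity": "MEDIUM"},
    {"id": "EXAMPLE-0004", "os": "debian", "pkg": "openssl", "fixed": "3.0.11-1", "severity": "HIGH"},
]

# Constructed package inventory, as a scanner would read it from an Alpine image's
# /lib/apk/db/installed (not taken from any real image).
SAMPLE_IMAGE_PACKAGES = {
    "openssl": "3.0.9-r1",
    "curl": "8.5.0-r0",
    "zlib": "1.2.13-r1",
    "busybox": "1.36.1-r2",
}


def version_key(version: str) -> tuple:
    """Turn "3.0.12-r1" into a tuple that orders the way package versions do:
    numeric runs compare as integers, alphabetic runs compare as strings.
    Plain string comparison gets "1.10" < "1.9" wrong; this does not.
    Simplification: real schemes (dpkg epochs and "~", RPM release fields,
    semver pre-release tags) have extra rules a production matcher must
    implement per distribution or ecosystem."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed: str, fixed: str) -> bool:
    """A package is affected when its installed version is older than the fix."""
    return version_key(installed) < version_key(fixed)


def match_packages(target_os: str, installed: dict, advisories=ADVISORIES) -> list:
    """Return one finding per advisory whose package is installed on this OS at an
    affected version. `installed` maps package name -> installed version."""
    findings = []
    for adv in advisories:
        if adv["os"] != target_os:
            continue  # an Alpine fix version says nothing about a Debian build of the same package
        version = installed.get(adv["pkg"])
        if version is None or not is_affected(version, adv["fixed"]):
            continue
        findings.append({
            "id": adv["id"], "pkg": adv["pkg"], "installed": version,
            "fixed": adv["fixed"], "severity": adv["severity"],
        })
    return findings


if __name__ == "__main__":
    for f in match_packages("alpine", SAMPLE_IMAGE_PACKAGES):
        print(f"{f['severity']:8} {f['id']}  {f['pkg']} {f['installed']} -> fixed in {f['fixed']}")
```

Run against the constructed inventory, the Alpine match reports the openssl and zlib advisories and correctly leaves curl alone because the installed version equals the fix; the same inventory evaluated as Debian yields only the Debian advisory, which is the behaviour you want when the same package name exists in several distributions.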
Another capability is secrets detection (secret scanning) in source code, configuration files, and image layers, including files that were deleted in a later layer but remain recoverable from the image history. Trivy matches content against rules for Application Programming Interface (API) keys, tokens, passwords, and other credential formats, which reduces the risk of credentials shipping in repositories or container images; a matched secret should be treated as exposed and rotated, because removing it from the next build does not revoke it. Trivy also includes modes that evaluate cloud accounts and container registries (cloud security posture management), depending on how it is deployed and configured, and these align with the broader Aqua Security ecosystem where applicable.
Enterprises commonly run Trivy in CI/CD pipelines (DevSecOps automation), typically in the build stage for container images and application artifacts, so that vulnerabilities, misconfigurations, or secrets are caught before an artifact is promoted to higher environments. Trivy also runs on developer workstations and in local environments for pre-commit or pre-push checks, and it can be deployed in cluster or runtime contexts to scan images already in registries or running in Kubernetes clusters. Integration with orchestration platforms and registries enables scheduled or on-demand scanning for compliance and governance workflows.
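A pipeline gate of the kind described above, as an added example that is not part of the original page or of the Trivy project. For the simple case Trivy's own flags suffice (`trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 <image>` fails the step on its own, and `.trivyignore` holds a plain ignore list); the value of a small wrapper is policy the flags do not express, such as accepted-risk exceptions that expire and a rule that exposed secrets block regardless of severity threshold. The gate consumes a JSON report, which Trivy produces with `trivy image --format json --output report.json registry.example/app:1.2.3` or `trivy fs --scanners vuln,misconfig,secret --format json --output report.json .` (the image name is a placeholder). The embedded report below is constructed to mirror the shape of that output (`SchemaVersion` 2, `Results[]` with `Vulnerabilities`, `Misconfigurations` and `Secrets`); its `EXAMPLE-` identifiers are placeholders, not real advisories or checks.

```python
import json
from datetime import date

# Constructed report in the shape of `trivy ... --format json` output.
# Every ID below is a placeholder, not a real advisory, check or rule.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (alpine 3.18.4)", "Class": "os-pkgs", "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.0.9-r1", "FixedVersion": "3.0.12-r1", "Severity": "HIGH"},
                # No FixedVersion: the distribution has not shipped a fix yet.
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-r0", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "deploy/app.yaml", "Class": "config", "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "EXAMPLE-K8S-001", "Title": "Container runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "EXAMPLE-K8S-002", "Title": "Root filesystem is read-only",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
        {
            "Target": "config/settings.py", "Class": "secret",
            "Secrets": [
                {"RuleID": "example-api-token", "Category": "Example", "Severity": "CRITICAL",
                 "Title": "Example API token", "StartLine": 12, "EndLine": 12,
                 "Match": "API_TOKEN=****"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report_json, fail_on="HIGH", ignore_unfixed=True,
                      exceptions=None, today=None):
    """Return the findings that should fail the build as (kind, target, id, severity).

    fail_on:        lowest severity that blocks vulnerabilities and misconfigurations.
    ignore_unfixed: skip vulnerabilities with no FixedVersion (the same trade-off as
                    Trivy's --ignore-unfixed: quieter, but unfixed CRITICALs go unseen).
    exceptions:     {finding_id: "YYYY-MM-DD"} accepted-risk waivers valid through that
                    date, so a temporary exception cannot silently become permanent.
    today:          ISO date used to evaluate waivers; defaults to the current date.
    """
    report = json.loads(report_json)
    today = today or date.today().isoformat()
    exceptions = exceptions or {}
    threshold = SEVERITY_RANK[fail_on]

    def waived(finding_id):
        return finding_id in exceptions and exceptions[finding_id] >= today

    blocking = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if waived(v["VulnerabilityID"]) or (ignore_unfixed and not v.get("FixedVersion")):
                continue
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold:
                blocking.append(("vuln", target, v["VulnerabilityID"], v["Severity"]))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") != "FAIL" or waived(m["ID"]):
                continue
            if SEVERITY_RANK.get(m.get("Severity", "UNKNOWN"), 0) >= threshold:
                blocking.append(("misconfig", target, m["ID"], m["Severity"]))
        for s in result.get("Secrets") or []:
            # A credential in the artifact blocks regardless of fail_on: the threshold
            # is for defects, and an exposed secret has to be rotated either way.
            if not waived(s["RuleID"]):
                blocking.append(("secret", target, s["RuleID"], s.get("Severity", "CRITICAL")))
    return blocking


def gate(report_json, **policy) -> int:
    """Print the blocking findings and return the exit code a CI step should use."""
    findings = blocking_findings(report_json, **policy)
    for kind, target, ident, severity in findings:
        print(f"BLOCK {kind:10} {severity:8} {ident}  ({target})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

With the default policy the constructed report blocks on the fixed HIGH vulnerability, the failing HIGH Kubernetes check and the secret, while the unfixed CRITICAL is hidden by `ignore_unfixed`; that hidden finding is the reason to run a second, non-blocking scan without the flag and route its output to the team that owns the base image.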
From an architectural and ecosystem perspective, Trivy is implemented as a Command-Line Interface (CLI) tool (developer tooling) that can run as a standalone binary, a container, or as part of other Aqua Security components. It supports multiple artifact types, including OCI container images (container infrastructure), Kubernetes manifests, Helm charts, and various IaC formats. The project fits into categories such as vulnerability scanning, container security, cloud-native security, and DevSecOps tooling, and is often positioned alongside other security and observability tools in enterprise platform engineering and Security Operations (SecOps) portfolios.