Trivy is the world's most popular open-source vulnerability and misconfiguration scanner. Built by Aqua Security, it detects security issues across the entire software supply chain — container images, filesystems, Git repositories, Kubernetes clusters, and Infrastructure as Code.
Trivy scans for:
                  +-------------------------------------------+
                  |                 Trivy CLI                 |
                  |  +------------+  +----------------------+ |
  Input ---------->|  |  Scanner   |  | Detectors            | |
  (image/fs/repo) |  |            |  |  - Vulnerabilities   | |
                  |  +------------+  |  - Misconfigurations | |
                  |  | Parser     |  |  - Secrets           | |
                  |  |  SBOM      |  |  - Licenses          | |
                  |  +-----+------+  +----------------------+ |
                  |        |                                  |
                  |  +-----v-----------------------------+    |
                  |  | Vulnerability DB (auto-updated)   |    |
                  |  | NVD, GitHub Advisory, OSV, RedHat |    |
                  |  +-----------------------------------+    |
                  +-------------------------------------------+
# macOS
brew install trivy
# Linux (Ubuntu/Debian)
# Prerequisites for adding a third-party, signature-verified apt repository.
sudo apt-get install wget apt-transport-https gnupg lsb-release
# Fetch the repository signing key over HTTPS and store it de-armored in a
# dedicated keyring. This pipeline trusts whatever key the download returns;
# compare its fingerprint (gpg --show-keys /usr/share/keyrings/trivy.gpg)
# with the one published by the project before relying on it.
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# signed-by= limits that key to this one repository instead of trusting it
# system-wide. tee -a appends, so running this line twice leaves a duplicate
# entry in trivy.list.
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install trivy
# Docker
# Runs Trivy from the official container image; append a subcommand and
# target after the image name to scan something.
docker run aquasec/trivy
# Verify
trivy --version
# Scan an image for vulnerabilities
# 'latest' is a mutable tag: results change whenever the tag is re-pointed.
# Scan a digest-pinned reference when reproducible results matter.
trivy image nginx:latest
# Scan only HIGH and CRITICAL
# Severity filtering hides lower findings from the report; it does not
# change what is scanned.
trivy image --severity HIGH,CRITICAL nginx:latest
# Output as JSON
# Machine-readable output written to result.json, suited to CI ingestion.
trivy image --format json --output result.json nginx:latest
# Scan a local image
trivy image myapp:local
# Scan current directory
trivy fs .
# Scan a Git repository
# The repository is fetched from the remote URL; use 'trivy fs' for an
# already-cloned working tree.
trivy repo https://github.com/knqyf263/trivy-ci-test
# Scan for secrets
# Restricts the run to the secret scanner only (no vulnerability or
# misconfiguration checks).
trivy fs --scanners secret .
# Scan IaC (Terraform, K8s manifests)
trivy config ./terraform/
# Scan entire cluster
# NOTE(review): presumably these use the active kubeconfig context — confirm
# which cluster you are pointed at before running against production.
trivy k8s --report summary cluster
# Scan a specific namespace
# --report all emits every finding rather than the summary table.
trivy k8s --namespace production --report all cluster
# Scan a specific workload
trivy k8s deployment/myapp
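# GitHub Actions steps: scan the built image and publish findings to the
# repository's Security tab as SARIF.
# The upload step needs `permissions: security-events: write` on the job.
- name: Scan Docker image
  # @master tracks a moving branch; pin to a release tag or commit SHA so the
  # action does not change underneath the workflow.
  uses: aquasecurity/trivy-action@master
  with:
    # The rendered page had dropped the expression after 'myapp:'. The commit
    # SHA is a constructed example of a typical tag; match whatever tag the
    # build step actually produced.
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
- name: Upload results to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    # Must match the 'output' path written by the scan step above.
    sarif_file: 'trivy-results.sarif'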
# Generate SBOM in CycloneDX format
# SBOM output lists the detected components; it is not a vulnerability report.
trivy image --format cyclonedx --output sbom.json nginx:latest
# Generate SBOM in SPDX format
trivy image --format spdx-json --output sbom.spdx.json nginx:latest
# Use custom Rego policies for IaC scanning
# NOTE(review): the flag for a custom policy directory has been renamed across
# Trivy releases — check `trivy config --help` on the installed version.
trivy config --policy ./policies/ ./kubernetes/
# Image scanning
# <image> is a placeholder for a registry reference or local image name.
trivy image <image> # Scan image
trivy image --severity HIGH,CRITICAL <image> # Filter by severity
trivy image --ignore-unfixed <image> # Skip unfixed CVEs (hides findings with no vendor fix; they still exist — record the risk acceptance)
trivy image --format json <image> # JSON output
# Filesystem scanning
trivy fs . # Scan directory
trivy fs --scanners vuln,secret,config . # All scanners
# Config/IaC scanning
trivy config ./ # Scan IaC files
# Kubernetes
# Same scan as 'trivy k8s --report summary cluster' above, with the option
# placed after the target.
trivy k8s cluster --report summary # Cluster summary