Trivy: universal security scanner for containers and IaC

Trivy (May 2019) by Aqua Security (Teppei Fukuda): security scanner for container images, filesystems, IaC (Terraform, Kubernetes, Dockerfile) and Git repositories. It detects CVEs, misconfigurations and secrets, and has become the open source scanning standard.


Shift-left security

Supply chain security (2020 onwards, post-SolarWinds and post-Log4Shell) demands systematic scanning of containers, dependencies and IaC before deployment. Earlier tools (Clair, Anchore) are specialised and complex to operate; a single-binary tool with a simple UX and high accuracy is needed.

The release

Trivy was published by Teppei Fukuda in 2019 and the project was soon acquired by Aqua Security. First stable release May 2019. Apache 2.0 licence. Written in Go, shipped as a single binary of roughly 40 MB.

What it scans

  • Container images (Docker, OCI) — OS + language CVEs
  • Filesystem — local directory scanning
  • Git repositories — source code scanning
  • Kubernetes clusters — running pods, manifests
  • IaC — Terraform, CloudFormation, Kubernetes YAML, Dockerfile, Helm, Ansible
  • SBOM — CycloneDX, SPDX reading
  • VM images — AMI, QCOW2

Vulnerability categories

  • OS packages — apt, yum, apk, rpm packages, with CVE data from NVD, CERT and the GitHub Security Advisory database
  • Language dependencies — npm, pip, gem, Maven, Go modules, Composer, Cargo, NuGet
  • Misconfiguration — insecure settings in YAML/HCL found by policy checks
  • Secrets — committed API keys, tokens, passwords (like gitleaks)
  • Licences — licence of each dependency (legal compliance)

Typical invocations:

trivy image nginx:latest
trivy fs --scanners vuln,secret,config ./
trivy k8s --report summary cluster
trivy sbom ./sbom.spdx.json

Integration

  • CI/CD — GitHub Actions, GitLab CI, Jenkins, CircleCI
  • Kubernetes operator — Trivy Operator (continuous scanning)
  • Admission controller — via Kyverno image verification
  • Harbor registry — integrated as default scanner
  • OCI compliance — SBOM generation + signing
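As an added example (not Trivy's or Aqua's own code), the gating logic a CI step typically applies to a Trivy JSON report (produced with trivy image -f json -o report.json <image>): it walks Results[].Vulnerabilities and failed Results[].Misconfigurations, counts findings per severity, and fails the build when anything at or above a threshold remains. The embedded report is constructed in the shape of Trivy's output with placeholder CVE ids, and the ignore_unfixed flag mirrors the semantics of trivy's --ignore-unfixed option.

```python
"""Gate a CI job on a Trivy JSON report."""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON report; the CVE ids, package
# names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {"Target": "example/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libplaceholder",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "Severity": "CRITICAL"}]},  # no fix available
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "left-pad",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS002", "Title": "Image user should not be 'root'",
              "Severity": "HIGH", "Status": "FAIL"}]},
    ],
})


def findings(report: dict):
    """Yield (result class, id, severity, fixable) for each vulnerability and failed check."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield result.get("Class"), v["VulnerabilityID"], v.get("Severity", "UNKNOWN"), bool(v.get("FixedVersion"))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL":   # PASS entries are only emitted with --include-non-failures
                yield result.get("Class"), m["ID"], m.get("Severity", "UNKNOWN"), True


def gate(report_json: str, threshold: str = "HIGH", ignore_unfixed: bool = False):
    """Return (passed, counts per severity, number of blocking findings)."""
    counts, blocking = Counter(), 0
    for _cls, _id, sev, fixable in findings(json.loads(report_json)):
        counts[sev] += 1
        if ignore_unfixed and not fixable:   # same idea as trivy --ignore-unfixed
            continue
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold]:
            blocking += 1
    return blocking == 0, dict(counts), blocking


if __name__ == "__main__":
    passed, counts, blocking = gate(SAMPLE_REPORT, threshold="HIGH")
    print(f"passed={passed} blocking={blocking} counts={counts}")
```

The same policy can be expressed on the command line with trivy image --severity HIGH,CRITICAL --exit-code 1; parsing the JSON yourself is useful when the gate must also consider fixability, the scan target class or an allow-list.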

Versions

  • 0.1 (May 2019) — first release
  • 0.20 (2021) — IaC scanning
  • 0.30 (2022) — K8s scanning
  • 0.40 (2023) — SBOM + VEX
  • 0.50+ (2024-2025) — misconfig standardisation, improved policies

Competitors

  • Grype (Anchore, OSS) — similar approach
  • Clair (CoreOS/Red Hat) — veteran, less user-friendly
  • Docker Scout (Docker Inc) — part of Docker Desktop
  • Snyk — commercial, scanning + remediation
  • Wiz, Aqua Platform, Prisma Cloud — enterprise suites
  • Twistlock (Palo Alto) — commercial

In the Italian context

Trivy is ubiquitous in Italian CI/CD pipelines:

  • Banks — mandatory pre-deploy scan (ISO 27001, PCI DSS)
  • Digital PA — AgID security guidelines requirement
  • B2B SaaS — container supply chain validation
  • PSD2 Fintech — regulatory scanning
  • MSPs — managed security offerings with Trivy + Harbor
  • GitLab CI templates integrated with Trivy as default step

References: Trivy (May 2019). Aqua Security (Teppei Fukuda). Apache 2.0 licence. Written in Go. Single binary. Container, filesystem, Git, K8s, IaC, SBOM scanning. Harbor registry integration.
