Trivy: universal security scanner for containers and IaC

Trivy (May 2019) by Aqua Security (Teppei Fukuda): a security scanner for container images, filesystems, IaC (Terraform, Kubernetes, Dockerfile) and Git repositories. Detects CVEs, misconfigurations and secrets. An open-source scanning standard.


Shift-left security

Supply chain security is becoming a priority in DevOps environments: systematic scanning of containers, dependencies and IaC before deployment. Early tools (Clair, Anchore) are specialised and complex. A single-binary tool with a simple UX and high accuracy is needed.

The release

Trivy was published by Teppei Fukuda in 2019 and soon acquired by Aqua Security. First stable release May 2019. Apache 2.0 licence. Written in Go, single binary of ~40 MB.

What it scans

  • Container images (Docker, OCI) — OS + language CVEs
  • Filesystem — local directory scanning
  • Git repositories — source code scanning
  • Kubernetes clusters — running pods, manifests
  • IaC — Terraform, CloudFormation, Kubernetes YAML, Dockerfile, Helm, Ansible
  • SBOM — CycloneDX, SPDX reading
  • VM images — AMI, QCOW2

Vulnerability categories

  • OS packages — apt, yum, apk, rpm; CVE data from NVD, CERT and GitHub Security Advisories
  • Language dependencies — npm, pip, gem, Maven, Go modules, Composer, Cargo, NuGet
  • Misconfiguration — problematic YAML/HCL policies
  • Secrets — committed API keys, tokens, passwords (like gitleaks)
  • Licenses — licence of each dependency (legal compliance)

Example invocations:

trivy image nginx:latest
trivy fs --scanners vuln,secret,config ./
trivy k8s --report summary cluster
trivy sbom ./sbom.spdx.json

Integration

  • CI/CD — GitHub Actions, GitLab CI, Jenkins, CircleCI
  • Kubernetes operator — Trivy Operator (continuous scanning)
  • Admission controller — via Kyverno image verification
  • Harbor registry — integrated as default scanner
  • OCI compliance — SBOM generation + signing
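As an added example (not Trivy's own code, nor part of the original page), a small Python gate of the kind a CI/CD step would run over the JSON written by `trivy image --format json -o report.json`: it flattens vulnerability, secret and misconfiguration findings, applies a severity threshold and an optional ignore-unfixed rule (which, as with `--ignore-unfixed`, affects only package vulnerabilities). The embedded report is a constructed sample with placeholder identifiers, not real scan output.

```python
import json

# Constructed sample of a Trivy JSON report (SchemaVersion 2 layout); placeholder IDs, not real scan output.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "nginx:latest", "ArtifactType": "container_image",
 "Results": [
  {"Target": "nginx:latest (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "libexample", "InstalledVersion": "1.0-1",
     "FixedVersion": "1.0-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "libother", "InstalledVersion": "2.3",
     "Severity": "CRITICAL"}]},
  {"Target": "app/config.py", "Class": "secret",
   "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "StartLine": 12}]},
  {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
   "Misconfigurations": [{"ID": "DS002", "Severity": "HIGH", "Status": "FAIL"},
                         {"ID": "DS-PLACEHOLDER", "Severity": "LOW", "Status": "PASS"}]}]}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Each Results entry carries one scanner's findings under its own key.
FINDING_KEYS = ("Vulnerabilities", "Secrets", "Misconfigurations")

def collect_findings(report, ignore_unfixed=False):
    """Flatten a Trivy report into (class, id, severity, has_fix) tuples."""
    found = []
    for result in report.get("Results", []):
        for key in FINDING_KEYS:
            for f in result.get(key) or []:
                if key == "Misconfigurations" and f.get("Status") != "FAIL":
                    continue  # PASS entries only appear with --include-non-failures
                has_fix = bool(f.get("FixedVersion"))
                if ignore_unfixed and key == "Vulnerabilities" and not has_fix:
                    continue  # same effect as trivy --ignore-unfixed; vulns only
                fid = f.get("VulnerabilityID") or f.get("RuleID") or f.get("ID")
                found.append((result["Class"], fid, f.get("Severity", "UNKNOWN"), has_fix))
    return found

def should_fail(report, threshold="HIGH", ignore_unfixed=False):
    """CI gate: True when any finding is at or above the severity threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(sev, 0) >= limit
               for _, _, sev, _ in collect_findings(report, ignore_unfixed))

def summarize(report):
    """Count findings per (scanner class, severity) for a pipeline summary line."""
    counts = {}
    for cls, _, sev, _ in collect_findings(report):
        counts[(cls, sev)] = counts.get((cls, sev), 0) + 1
    return counts
```

Note that the secret finding keeps the gate closed even with ignore-unfixed, since that rule never applies to secrets or misconfigurations.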

Competitors

  • Grype (Anchore, OSS) — similar approach
  • Clair (CoreOS/Red Hat) — veteran, less user-friendly
  • Docker Scout (Docker Inc) — part of Docker Desktop
  • Snyk — commercial, scanning + remediation
  • Wiz, Aqua Platform, Prisma Cloud — enterprise suites
  • Twistlock (Palo Alto) — commercial

In the Italian context

Trivy is rapidly entering Italian CI/CD pipelines: banks, digital public administration (PA), B2B SaaS, PSD2 fintech, and MSPs with managed security offerings. It integrates naturally with the Harbor registry and with GitLab CI as a default step in new templates.
