Trivy

Trivy

Category: IaC Security
License: Free (Open-Source, Apache 2.0)
Visit Website →

Trivy is a comprehensive open-source security scanner by Aqua Security. With 31.3k GitHub stars, 512 contributors, and 178 releases, it is the most popular open-source security scanner by star count.

It is an all-in-one tool for scanning containers, file systems, git repositories, IaC files, and Kubernetes clusters.

What is Trivy?

Trivy (pronounced “trivvy”) is a versatile security scanner that detects vulnerabilities, misconfigurations, secrets, and license issues across multiple targets.

Originally focused on container scanning, it has evolved into a comprehensive security tool.

Trivy has absorbed tfsec (Terraform security scanner), making it the go-to open-source option for IaC security.

Key Features

Multi-Target Scanning

Trivy scans various targets:

  • Container Images - Docker, OCI images
  • File Systems - Local directories
  • Git Repositories - Remote and local repos
  • IaC Files - Terraform, CloudFormation, Kubernetes
  • Kubernetes - Clusters and workloads
  • SBOM - CycloneDX, SPDX formats

Vulnerability Detection

Comprehensive vulnerability database:

  • OS packages (Alpine, Debian, RHEL, etc.)
  • Application dependencies
  • Container base image vulnerabilities
  • Known CVEs with severity scoring

IaC Security

Inherited from tfsec and enhanced:

  • Terraform misconfigurations
  • CloudFormation security issues
  • Kubernetes manifest problems
  • Dockerfile best practices

Secret Detection

Find hardcoded secrets:

  • API keys
  • Passwords
  • Private keys
  • Cloud credentials

Installation

Homebrew (macOS/Linux)

brew install trivy

apt (Debian/Ubuntu)

sudo apt-get install trivy

Docker

docker run aquasec/trivy image alpine:latest

Usage

Container Image Scanning

# Scan a container image
trivy image alpine:3.18

# Scan with specific severity
trivy image --severity HIGH,CRITICAL nginx:latest

# Output as JSON
trivy image --format json nginx:latest

File System Scanning

# Scan current directory
trivy fs .

# Scan for vulnerabilities and secrets
trivy fs --scanners vuln,secret /path/to/project

IaC Scanning

# Scan Terraform files
trivy config ./terraform

# Scan Kubernetes manifests
trivy config ./k8s

Kubernetes Cluster

# Scan entire cluster
trivy k8s --report summary cluster

# Scan specific namespace
trivy k8s -n default --report all

CI/CD Integration

GitHub Actions

- name: Trivy Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:latest'
    format: 'sarif'
    output: 'trivy-results.sarif'

- name: Upload results
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: 'trivy-results.sarif'

GitLab CI

trivy:
  stage: security
  image: aquasec/trivy:latest
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

SBOM Generation

# Generate CycloneDX SBOM
trivy image --format cyclonedx myapp:latest > sbom.json

# Generate SPDX SBOM
trivy image --format spdx-json myapp:latest > sbom.spdx.json

Configuration

Create trivy.yaml for custom settings:

# trivy.yaml
severity:
  - HIGH
  - CRITICAL

vulnerability:
  ignore-unfixed: true

misconfiguration:
  terraform:
    excluded-checks:
      - AVD-AWS-0086

Comparison with Other Tools

FeatureTrivyGrypeSnyk
LicenseApache 2.0Apache 2.0Commercial
ContainerYesYesYes
IaCYesNoYes
SecretsYesNoLimited
SBOMYesYesYes

When to Use Trivy

Trivy is ideal for:

  • Container security scanning
  • DevSecOps pipeline integration
  • Kubernetes security assessment
  • Unified security scanning (one tool for many targets)

Other IaC Security Tools

Checkov
Checkov

1000+ Policies for Terraform & K8s

KICS
KICS

Checkmarx Open-Source IaC

Kubescape
Kubescape

CNCF Project, 25k+ Users

Snyk IaC
Snyk IaC

IDE, CLI & CI/CD Integration

See all IaC Security tools