trivy: A comprehensive and versatile security scanner


Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC issues and misconfigurations
  • Sensitive information and secrets
  • Software licenses


  • Comprehensive vulnerability detection
    • OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
    • High accuracy, especially Alpine Linux and RHEL/CentOS
  • Supply chain security (SBOM support)
    • Support CycloneDX
    • Support SPDX
  • Misconfiguration detection (IaC scanning)
    • Wide variety of security checks are provided out of the box
    • Kubernetes, Docker, Terraform, and more
    • User-defined policies using OPA Rego
  • Secret detection
    • A wide variety of built-in rules are provided out of the box
    • User-defined patterns
    • Efficient scanning of container images
  • Simple
    • Available in apt, yum, brew, dockerhub
    • No pre-requisites such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
    • The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
  • Fits your workflow
    • Great for CI such as GitHub Actions, Jenkins, GitLab CI, etc.
    • Available as extension for IDEs such as vscode, jetbrains, vim
    • Available as extension for Docker Desktop, Rancher Desktop
    • See integrations section in the documentation.

Install & Use