Trivy is the most popular open-source vulnerability scanner — it scans container images, filesystems, Git repos, Kubernetes clusters, and IaC templates (Terraform, CloudFormation) for security issues.
Free, open source, by Aqua Security. Used by GitHub, GitLab, and Harbor.
Why Use Trivy?
- All-in-one scanner — containers, code, configs, secrets, licenses
- Fast — scans in seconds, not minutes
- CI/CD native — zero config in GitHub Actions, GitLab CI
- Server mode — run as HTTP service for team-wide scanning
- SBOM — generates Software Bill of Materials
Quick Setup
1. Install

```bash
# macOS
brew install trivy

# Linux (install script from the Trivy repository)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

# Docker (no local install; the official image runs the scan directly)
docker run aquasec/trivy image nginx:latest
```
2. Scan Container Image

```bash
# Simple scan
trivy image nginx:latest

# JSON output, summarised per target with jq
trivy image -f json nginx:latest | jq '.Results[] | {Target: .Target, Vulns: (.Vulnerabilities // [] | length)}'

# Only critical/high
trivy image --severity CRITICAL,HIGH nginx:latest

# Scan and fail CI (non-zero exit) if any CRITICAL vulnerability is found
trivy image --exit-code 1 --severity CRITICAL my-app:latest
```
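The `--exit-code` gate above fails the build on every finding at the chosen severity. Teams usually want a finer policy: a threshold, an ignore list of accepted risks, and often "fixable only" so the build is not blocked by an upstream package with no patched version yet. The script below is an added example, not Trivy's own code or output; it assumes the JSON layout that `trivy image -f json` writes (a top-level `Results` list whose entries carry `Target` and, when anything was found, a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`). The sample report is constructed, and the year-0000 CVE ids in it are placeholders.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code).

Assumes the layout of `trivy image -f json`. SAMPLE_REPORT is constructed;
the CVE ids with year 0000 are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the Trivy JSON layout (not real scan output).
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "my-app:latest (debian 12.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "leftpad",
                 "InstalledVersion": "0.1.0", "FixedVersion": "0.2.0",
                 "Severity": "MEDIUM"},
            ],
        },
        # A target with no findings carries no "Vulnerabilities" key at all.
        {"Target": "app/Dockerfile"},
    ]
}


def rank(severity):
    """Position of a severity in SEVERITY_ORDER; unknown strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_findings(report):
    """Flatten Results[].Vulnerabilities[] into (target, vuln) pairs."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def count_by_severity(report):
    """Findings per severity level, every level present even when zero."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for _, vuln in iter_findings(report):
        counts[SEVERITY_ORDER[rank(vuln.get("Severity", "UNKNOWN"))]] += 1
    return counts


def parse_ignore_file(text):
    """Parse .trivyignore-style text: one id per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report, threshold="HIGH", ignore_ids=frozenset(), fixable_only=False):
    """Findings that should fail the build: severity at or above threshold,
    not on the ignore list and, if fixable_only, carrying a FixedVersion."""
    blocking = []
    for target, vuln in iter_findings(report):
        severity = vuln.get("Severity", "UNKNOWN")
        if rank(severity) < rank(threshold):
            continue
        if vuln.get("VulnerabilityID") in ignore_ids:
            continue
        if fixable_only and not vuln.get("FixedVersion"):
            continue
        blocking.append({
            "target": target,
            "id": vuln.get("VulnerabilityID", "?"),
            "pkg": vuln.get("PkgName", "?"),
            "installed": vuln.get("InstalledVersion", "?"),
            "fixed": vuln.get("FixedVersion") or "no fix available",
            "severity": severity,
        })
    return blocking


def main(argv):
    """Usage: gate.py [report.json] [.trivyignore]; with no args the sample is used."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    ignore = parse_ignore_file(open(argv[2]).read()) if len(argv) > 2 else set()
    print("counts:", count_by_severity(report))
    blocking = blocking_findings(report, "HIGH", ignore, fixable_only=True)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']:16} {f['pkg']} {f['installed']} -> {f['fixed']}  ({f['target']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `trivy image -f json my-app:latest > report.json && python gate.py report.json .trivyignore`. The policy is deliberately in one function (`blocking_findings`) so the threshold, ignore list and fixable-only rule can be reviewed together; `--exit-code` alone gives you the threshold only.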
3. Scan Code & Dependencies

```bash
# Scan current directory
trivy fs .

# Scan for secrets only
trivy fs --scanners secret .

# Scan a specific lock file for vulnerable dependencies
trivy fs --scanners vuln package-lock.json
```
4. Scan Kubernetes Cluster

```bash
# Scan entire cluster
trivy k8s --report summary cluster

# Scan specific namespace
trivy k8s -n production --report all

# Generate SBOM for cluster
trivy k8s --format cyclonedx cluster > cluster-sbom.json
```
5. Server Mode (HTTP API)

```bash
# Start Trivy server (it keeps the vulnerability DB; clients send it artifacts).
# --listen 0.0.0.0 binds every interface; on a shared network add --token <secret>
# on both server and client so only callers holding the token can use it.
trivy server --listen 0.0.0.0:8080

# Scan via client (the older `trivy client` subcommand is deprecated)
trivy image --server http://localhost:8080 nginx:latest

# The raw Twirp RPC the client speaks. The server scans an artifact the client
# has already analysed and uploaded through its cache service, so a bare call
# carrying only "target" is not a substitute for the client command above.
curl -s -X POST http://localhost:8080/twirp/trivy.scanner.v1.Scanner/Scan \
  -H "Content-Type: application/json" \
  -d '{"target": "nginx:latest", "options": {"vuln_type": ["os", "library"]}}'
```
6. Scan IaC (Terraform, CloudFormation)

```bash
# Scan Terraform files
trivy config ./terraform/

# Only report high/critical misconfigurations
trivy config --severity HIGH,CRITICAL ./terraform/

# Scan Dockerfile
trivy config Dockerfile
```
7. Generate SBOM

```bash
# CycloneDX format
trivy image --format cyclonedx nginx:latest > sbom.json

# SPDX format
trivy image --format spdx-json nginx:latest > sbom-spdx.json
```
CI/CD Integration

```yaml
# GitHub Actions (pin the action to a release tag or commit SHA rather than
# @master before relying on it in production)
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-app:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: CRITICAL,HIGH
- name: Upload results
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: trivy-results.sarif
```
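A pipeline that fails on every CRITICAL/HIGH finding blocks pull requests for a backlog the change did not create. A common alternative policy is to scan the base branch and the PR image with the same `trivy image -f json` command and fail only on findings the change introduced. The script below is an added example, not Trivy's own tooling; it assumes two reports in the `trivy image -f json` layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion` and `Severity`) and identifies a finding by the triple (id, package, installed version), so a package upgrade that leaves a CVE open shows up as one "fixed" plus one "introduced" entry. Both reports are constructed and the year-0000 CVE ids are placeholders.

```python
"""New-vs-baseline diff of two Trivy JSON reports (added example, not Trivy code).

Assumes the `trivy image -f json` layout. Both reports are constructed and the
year-0000 CVE ids are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed: what a scan of the base branch image might report.
BASELINE_REPORT = {"Results": [{"Target": "my-app:main", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0-1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
     "InstalledVersion": "2.3", "Severity": "HIGH"},
]}]}

# Constructed: the PR image fixed libexample but pulled in a new package.
CURRENT_REPORT = {"Results": [{"Target": "my-app:pr-42", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
     "InstalledVersion": "2.3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libnew",
     "InstalledVersion": "0.9", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libnew",
     "InstalledVersion": "0.9", "Severity": "LOW"},
]}]}


def finding_index(report):
    """Map (VulnerabilityID, PkgName, InstalledVersion) -> Severity."""
    index = {}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln.get("PkgName", ""),
                   vuln.get("InstalledVersion", ""))
            index[key] = vuln.get("Severity", "UNKNOWN")
    return index


def diff_reports(baseline, current):
    """Return (introduced, fixed): findings only in current / only in baseline."""
    base, cur = finding_index(baseline), finding_index(current)
    introduced = {k: s for k, s in cur.items() if k not in base}
    fixed = {k: s for k, s in base.items() if k not in cur}
    return introduced, fixed


def new_findings_at_or_above(baseline, current, threshold="HIGH"):
    """Introduced findings whose severity meets the threshold, sorted by key."""
    min_rank = SEVERITY_ORDER.index(threshold)
    introduced, _ = diff_reports(baseline, current)
    return sorted(k for k, s in introduced.items()
                  if s in SEVERITY_ORDER and SEVERITY_ORDER.index(s) >= min_rank)


def main(argv):
    """Usage: newvulns.py baseline.json current.json; no args uses the samples."""
    if len(argv) > 2:
        with open(argv[1]) as f:
            baseline = json.load(f)
        with open(argv[2]) as f:
            current = json.load(f)
    else:
        baseline, current = BASELINE_REPORT, CURRENT_REPORT
    introduced, fixed = diff_reports(baseline, current)
    for key, sev in sorted(fixed.items()):
        print("fixed     ", sev, *key)
    for key, sev in sorted(introduced.items()):
        print("introduced", sev, *key)
    # Exit non-zero only when the change itself added a HIGH or CRITICAL finding.
    return 1 if new_findings_at_or_above(baseline, current, "HIGH") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs after two scans, e.g. `trivy image -f json my-app:main > base.json`, `trivy image -f json my-app:${{ github.sha }} > pr.json`, then `python newvulns.py base.json pr.json`. The baseline backlog still needs an owner and a deadline; this only keeps it from blocking unrelated changes.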
Key Features
| Scanner | What It Finds |
|---|---|
| vuln | CVEs in OS packages and libraries |
| secret | API keys, passwords, tokens in code |
| config | Misconfigurations in IaC and Dockerfiles |
| license | Problematic software licenses |
| sbom | Software Bill of Materials |