
Trivy

aquasecurity/trivy

Trivy is a scanner for vulnerabilities, secrets, and misconfigurations across containers, Kubernetes, and code.

Forks 499
Author aquasecurity
Language Go
License Apache-2.0
Synced 2026-06-27

What it is

Trivy is a security scanner for container images and infrastructure code. It became widely used as container security turned into an everyday development task rather than a rare, separate audit.

Images and configurations can hide vulnerable packages, leaked secrets, weak settings, and mistakes that are hard to spot by hand. The project is best understood not as an abstract repository but as a concrete answer to that working problem.

In short: Trivy checks container images, filesystems and git repositories, configuration files, Kubernetes resources, SBOMs, and secrets to find risks before release. If the task matches that shape, the project gives a fast start without building scanning infrastructure from scratch.

What is inside

The repository contains the Go scanner code, OS and language package analyzers, Kubernetes and infrastructure-as-code misconfiguration checks, secret scanning, SBOM generation and ingestion, tests, and documentation.

Trivy combines several kinds of checks in one command so teams can embed security into the normal build cycle. Seeing those parts side by side matters when evaluating the project: it shows what is ready to use, where the core logic lives, and how easy extension may be.

The codebase is written in Go and ships as a single static binary. For a team, that means adoption needs no toolchain beyond the binary itself, while studying or extending the scanner requires Go skills and a Go build environment.

How it is used

It is used in CI pipelines, local pre-commit checks, container registry scanning, Kubernetes clusters, and release preparation.

A good start is scanning one image and one repository, then adding a severity threshold that fails the build and a written exception list with an owner, a reason, and an expiry date for each entry.

A good first step is one small real scenario end to end: installation, minimal setup, one scan result, a quality check of that result, and notes on limits. That quickly shows where Trivy helps immediately and where extra work is needed.

After the first run, the working configuration, the input (image reference or repository commit), the tool and database version, and the expected result should be written down. That turns the first look at Trivy into a reproducible check rather than a one-off demo impression.
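The steps above (scan one image, fail on a severity threshold, keep exceptions with expiry dates, record what produced the result) as one CI gate script. This is an added example, not code from the Trivy project. It assumes a `.trivyignore` file, the image reference passed as the first argument, the record file name, and an `# expires: YYYY-MM-DD reason` comment convention for exceptions; that convention is this script's own, Trivy only reads the IDs and skips comment lines.

```bash
#!/usr/bin/env bash
# Added example (not part of Trivy): a CI gate around `trivy image`.
# Assumptions: the image reference, the record file name, and the
# "# expires: YYYY-MM-DD reason" comment convention are choices made here.
set -euo pipefail

IGNORE_FILE="${IGNORE_FILE:-.trivyignore}"

# Trivy reads only the IDs from .trivyignore and skips '#' comment lines.
# We keep an expiry date in the comment line *above* each ID so that an
# exception cannot silently outlive its reason. Example file contents:
#   # expires: 2026-09-30 waiting for upstream fix in libfoo
#   CVE-2024-0001
# Returns 0 when every entry is still valid, 1 otherwise. $2 is "today"
# as YYYY-MM-DD; ISO dates compare correctly as plain strings.
check_ignore_expiry() {
  local file="$1" today="$2" expires="" status=0 line id
  [[ -f "$file" ]] || return 0                 # no exceptions, nothing to check
  while IFS= read -r line || [[ -n "$line" ]]; do
    case "$line" in
      '#'*expires:*)
        read -r expires _ <<< "${line#*expires:}"   # first token after the marker
        ;;
      ''|'#'*) ;;                                  # blank line or plain comment
      *)
        id="${line%%[[:space:]]*}"                 # the vulnerability ID
        if [[ -z "$expires" ]]; then
          echo "no expiry recorded for $id" >&2; status=1
        elif [[ ! "$expires" > "$today" ]]; then
          echo "exception for $id expired on $expires" >&2; status=1
        fi
        expires=""                                 # one date covers one ID
        ;;
    esac
  done < "$file"
  return "$status"
}

# The gate itself: fixable HIGH/CRITICAL findings and secrets fail the build
# through --exit-code 1; the ignore file carries the reviewed exceptions.
scan_image() {
  trivy image \
    --scanners vuln,secret \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --ignorefile "$IGNORE_FILE" \
    --exit-code 1 \
    "$1"
}

main() {
  local image="$1" record="${2:-trivy-scan.log}"
  command -v trivy >/dev/null || { echo "trivy is not installed" >&2; exit 2; }
  check_ignore_expiry "$IGNORE_FILE" "$(date +%F)" \
    || { echo "refresh or remove expired exceptions in $IGNORE_FILE" >&2; exit 3; }
  # Write down what produced the result: tool and DB version, input, settings.
  { trivy --version; echo "image: $image"; echo "ignorefile: $IGNORE_FILE"; } > "$record"
  # pipefail makes trivy's exit code the script's exit code, so CI fails on findings.
  scan_image "$image" | tee -a "$record"
}

# Run the gate only when invoked with an image, e.g. ./trivy-gate.sh my-app:latest
if [[ $# -gt 0 ]]; then main "$@"; fi
```

The expiry check runs before the scan so that a stale exception blocks the pipeline instead of quietly suppressing a finding; the record file keeps the `trivy --version` output (which includes the vulnerability database version) next to the scan output, which is what makes a later re-run comparable.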

Why it stands out

The strength is broad check coverage (vulnerabilities, misconfigurations, secrets, SBOMs) behind one simple command model.

It stands out because containers and Kubernetes need fast, repeatable security checks that fit into an ordinary build step.

Popularity matters here not as a separate achievement, but as a signal that the problem is familiar to many people. Projects like this last when they provide a clear path from first check to regular use.

Limits

The limitation is that a scanner shows risk but does not replace patching, threat modeling, or ownership of fixes.

Teams need to keep the vulnerability database current (Trivy downloads and refreshes it automatically on each run unless told not to, so air-gapped runners need a mirrored copy), record exception rules with a reason and an expiry date, and track who closes each finding.

Even a strong open source project is still a dependency. It needs updates, understanding, documented local settings, a pinned version in CI, and a rollback path if a new release changes behavior or output.

That makes the project page a starting point for technical evaluation: understand the purpose, repeat a small example, and only then decide whether Trivy belongs in regular work.

Example

Container image scan

This example shows a basic Trivy run: check a built image before publishing or deployment, and check the current working tree in the same way.

Language: Bash
# scan a built image for vulnerable OS and language packages, and for secrets
trivy image my-app:latest
# scan the current directory (lock files, source, config) the same way
trivy fs .