Docs
Trivy detects two types of security issues:
Trivy can scan four different artifacts:
Trivy can be run in two different modes:
Trivy can be run as a Kubernetes Operator:
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See Integrations for details.
Features
- Comprehensive vulnerability detection
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
- Detect IaC misconfigurations
- A wide variety of built-in policies are provided out of the box:
- Kubernetes
- Docker
- Terraform
- more coming soon
- Support custom policies
- A wide variety of built-in policies are provided out of the box:
- Simple
- Specify only an image name, a directory containing IaC configs, or an artifact name
- See Quick Start
- Fast
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
- Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
- Easy installation
apt-get install
,yum install
andbrew install
is possible (See Installation)- No pre-requisites such as installation of DB, libraries, etc.
- High accuracy
- Especially Alpine Linux and RHEL/CentOS
- Other OSes are also high
- DevSecOps
- Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- See CI Example
- Support multiple formats
- container image
- A local image in Docker Engine which is running as a daemon
- A local image in Podman (>=2.0) which is exposing a socket
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the
docker save
/podman save
formatted file - An image directory compliant with OCI Image Format
- local filesystem and rootfs
- remote git repository
- container image
- SBOM (Software Bill of Materials) support
- CycloneDX
- SPDX
Please see LICENSE for Trivy licensing information.