Skip to content

Docs

Trivy detects two types of security issues:

Trivy can scan four different artifacts:

Trivy can be run in two different modes:

Trivy can be run as a Kubernetes Operator:

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See Integrations for details.

Features

  • Comprehensive vulnerability detection
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
  • Detect IaC misconfigurations
    • A wide variety of built-in policies are provided out of the box:
      • Kubernetes
      • Docker
      • Terraform
      • more coming soon
    • Support custom policies
  • Simple
    • Specify only an image name, a directory containing IaC configs, or an artifact name
    • See Quick Start
  • Fast
    • The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds.
    • Unlike other scanners that take long to fetch vulnerability information (~10 minutes) on the first run, and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
  • Easy installation
    • apt-get install, yum install and brew install is possible (See Installation)
    • No pre-requisites such as installation of DB, libraries, etc.
  • High accuracy
    • Especially Alpine Linux and RHEL/CentOS
    • Other OSes are also high
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    • See CI Example
  • Support multiple formats
    • container image
      • A local image in Docker Engine which is running as a daemon
      • A local image in Podman (>=2.0) which is exposing a socket
      • A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
      • A tar archive stored in the docker save / podman save formatted file
      • An image directory compliant with OCI Image Format
    • local filesystem and rootfs
    • remote git repository
  • SBOM (Software Bill of Materials) support
    • CycloneDX
    • SPDX
    • GitHub Dependency Snapshots

Please see LICENSE for Trivy licensing information.