Overview
Trivy detects three types of security issues:
- Vulnerabilities
- OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
- Misconfigurations
- Kubernetes
- Docker
- Terraform
- CloudFormation
- more coming soon
- Secrets
- AWS access key
- GCP service account
- GitHub personal access token
- etc.
Trivy can scan three different artifacts:
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See Integrations for details.