Take control of your application security with Trivy

Trivy is the world’s most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

What's new with Trivy?
Get unlimited container image scanning in Docker Desktop with Trivy!
Hear it from the community!
Trivy is trusted by professionals as their scanner of choice. With 30 million downloads and counting, it is the first and only open source vulnerability scanner to reach 10 thousand stars on GitHub.
Artifact Hub
Thanks to the latest Trivy release Artifact Hub is now able to scan Go binaries and Java archives (JAR, WAR, EAR) for security vulnerabilities.
"Trivy was a clear leader in the market as far as features, functionality, and capabilities"
Sam White, Sr. Product Manager
Ariadne Conill, Alpine Security
...in terms of practical remediation, trivy is the best scanner.  it only shows you actionable information.  it doesn't speculate.  it doesn't make you set up a bunch of infrastructure.
“Trivy takes container image scanning to higher levels of usability and performance. With frequent feature and vulnerability database updates and its comprehensive vulnerability scanning, it is the perfect complement to Harbor. In fact, we made it the default scanner option for Harbor registry users.”
Michael Michael, Harbor maintainer, Dir. of Product Management
“After evaluating several leading options for open source vulnerability scanning, Trivy really stood out”
Milind Gadre, VP of Engineering
Jerry Gambli
The way the @AquaSecTeam team has turned Trivy into the best open-source vulnerability scanner in such a short time is really amazing.
"Trivy is considered by many to be the most reliable scanner for Alpine systems ... I have to recommend either trivy or grype ... I would recommend trivy over grype"
Ariadne Conill, Alpine Security Chair
Ariadne Conill
Artifact Hub
Artifact Hub now displays a security report for the images used by a package. The report is accessible from the package detail view, when available. Powered by Trivy, from @AquaSecTeam :)
Ariadne Conill, Alpine Security
...the tl;dr is basically Aqua's Trivy is the best one, all of the other ones are a waste of time
"It was a comparison between docker scan, trivy and the IBM scanner. Trivy and docker scan caught quite a bit more than the IBM scanner and Trivy was significantly faster with output that was quite a bit more readable. I also had some rate limiting issues with Docker which won't occur with Trivy given that it runs locally."
Brian Avery
Jonathan Yu
I'm really loving how @AquaSecTeam's open source Trivy tool scans the dependency manifests embedded *inside* Go binaries to detect vulnerable transitive dependencies. Really well-designed and underrated tool, IMO!
Damian Naprawa
So happy to see collaboration between @Azure and @AquaSecTeam on scanning container images in Azure Container Registry CI/CD workflows using such a great tool – Trivy.
"According to the radar team findings, some of the very promising tools available include Cilium, Linkerd, and Trivy. Such tools are good at solving at least one problem, but there is room for consolidation."
Mostafa Radwan
DevOps Editor
Richard Hooper
I love Trivy.
Johannes Tegnér
Aqua does very nice stuff, been messing with their Trivy ecosystem for a while, great tool for scanning! :)

Comprehensive Coverage 

Trivy detects vulnerabilities from a wide array of operating systems and programming languages, across different versions, and vulnerability sources.

Infrastructure as Code scanning

Detect common misconfigurations with Trivy, using the same familiar tool and workflow that you already have in place for vulnerabilities. Trivy scans Terraform, CloudFormation, Docker, Kubernetes, and many other IaC configuration files for security issues right alongside vulnerabilities. Trivy IaC is brought to you by the team behind the popular tfsec project.

Easily run everywhere

Trivy is a single binary with no dependencies! There’s no database to maintain, no external tools it relies on, no runtime requirements whatsoever. Every OS and CPU is supported: just download and run the binary, or find Trivy in your favorite package management tool. Cold run scans take seconds, and recurring runs are instantaneous.

Versatile to fit your needs

Trivy scans local and remote container images, supports multiple container engines, and handles archived and extracted images. It works on raw filesystems and remote Git repositories. With Trivy, you can scan whenever and wherever you need to.

Truly Open Source

Licensed under the permissive Apache 2.0 software license, Trivy is totally free to use. Use it, fork it, spread it – we’re good with it. Industry-leading vendors are using Trivy to power their services. How will you use Trivy?

More from Aqua open source

Open source developer-oriented security tools, driving security innovation in the Cloud Native community

Runtime Security using eBPF

Tracee uses Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

Kubernetes security assessment

Starboard Kubernetes operator continuously scans your Kubernetes cluster and workloads for security issues and presents a unified report for the state of your security posture.