The all-in-one open source security scanner

Trivy is the most popular open source security scanner, reliable, fast, and easy to use. Use Trivy to find vulnerabilities & IaC misconfigurations, SBOM discovery, Cloud scanning, Kubernetes security risks,and more.

Get Trivy
Apache-2.0 License
What's new with trivy?
A new version of Trivy is released every month! Check out the highlights from latest release
Hear it from the community!
Trivy is praised by professionals from organizations worldwide. Are you a Trivy fan as well? We’d love to hear from you!
Artifact Hub
Thanks to the latest Trivy release Artifact Hub is now able to scan Go binaries and Java archives (JAR, WAR, EAR) for security vulnerabilities.
"Trivy was a clear leader in the market as far as features, functionality, and capabilities"
Sam White, Sr. Product Manager
Ariadne Conill, Alpine Security
@ariadneconill terms of practical remediation, trivy is the best scanner.  it only shows you actionable information.  it doesn't speculate.  it doesn't make you set up a bunch of infrastructure.
“Trivy takes container image scanning to higher levels of usability and performance. With frequent feature and vulnerability database updates and its comprehensive vulnerability scanning, it is the perfect complement to Harbor. In fact, we made it the default scanner option for Harbor registry users.”
Michael Michael, Harbor maintainer, Dir. of Product Management
“After evaluating several leading options for open source vulnerability scanning, Trivy really stood out”
Milind Gadre, VP of Engineering
Jerry Gambli
The way the @AquaSecTeam team has turned Trivy into the best open-source vulnerability scanner in such a short time is really amazing.
"Trivy is considered by many to be the most reliable scanner for Alpine systems ... I have to recommend either trivy or grype ... I would recommend trivy over grype"
Ariadne Conill, Alpine Security Chair
Ariadne Conill
Artifact Hub
Artifact Hub now displays a security report for the images used by a package. The report is accessible from the package detail view, when available. Powered by Trivy, from @AquaSecTeam :)
Ariadne Conill, Alpine Security
...the tl;dr is basically Aqua's Trivy is the best one, all of the other ones are a waste of time
"It was a comparison between docker scan, trivy and the IBM scanner. Trivy and docker scan caught quite a bit more than the IBM scanner and Trivy was significantly faster with output that was quite a bit more readable. I also had some rate limiting issues with Docker which won't occur with Trivy given that it runs locally."
Brian Avery
Jonathan Yu
I'm really loving how @AquaSecTeam's open source Trivy tool scans the dependency manifests embedded *inside* Go binaries to detect vulnerable transitive dependencies. Really well-designed and underrated tool, IMO!
Damian Naprawa
So happy to see collaboration between @Azure and @AquaSecTeam on scanning container images in Azure Container Registry CI/CD workflows using such a great tool – Trivy.
"According to the radar team findings, some of the very promising tools available include Cilium, Linkerd, and Trivy. Such tools are good at solving at least one problem, but there is room for consolidation."
Mostafa Radwan
DevOps Editor
Richard Hooper
I love Trivy.
Johannes Tegnér
Aqua does very nice stuff, been messing with their Trivy echo-system for a while, great tool for scanning! :)

Comprehensive Coverage 

Trivy detects vulnerabilities from a wide array of operating systems and programming languages, across different versions, and vulnerability sources.

Learn More

Infrastructure as Code scanning

Detect common misconfigurations with Trivy, using the same familiar tool and workflow that you already have in place for vulnerabilities. Trivy scans Terraform, CloudFormation, Docker, Kubernetes, and many other IaC configuration files for security issues right alongside vulnerabilities. Trivy IaC is brought to you by the team behind the popular tfsec project.

IaC security with Trivy

Easily run everywhere

Trivy is a single binary with no dependencies! There’s no database to maintain, no external tools it relies on, no runtime requirements whatsoever. Every OS and CPU are supported, just download and run the binary, or find Trivy in your favorite package management tool. Cold run scans take seconds, and recurring runs are instantaneous.

Versatile to fit your needs

Trivy scans local and remote container images, supports multiple container engines, as well as archived and extracted images. It works on raw filesystem and remote git repositories. With Trivy, you can scan whenever and wherever you need to.

Truly Open Source

Licensed under the permissive Apache 2.0 software license, Trivy is totally free to use. Use it, fork it, spread it – we’re good with it. Industry leading vendors are using Trivy to power their services. How will you use Trivy?

More from Aqua open source
Open source developer-oriented security tools, driving security innovation in the Cloud Native community
Runtime Security using eBPF
Tracee uses Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.