Trivy
A comprehensive open-source security scanner for containers, filesystems, Git repositories, and Infrastructure as Code, detecting vulnerabilities, misconfigurations, and exposed secrets.
Developer
Aqua Security
Technical Dossier
Trivy is a comprehensive, all-in-one security scanner built by Aqua Security and released under the Apache 2.0 license. Written in Go and distributed as a single static binary, Trivy requires no database daemons, external services, or complex configuration — a single trivy image command scans a container image and produces a vulnerability report in seconds. This zero-friction design has made it the most widely adopted open-source container scanner, with over 24,000 GitHub stars and native integration into Docker Desktop, Harbor registry, and major Kubernetes platforms.
Trivy’s scanning scope extends well beyond containers. It analyses operating system packages (Alpine, Debian, RHEL, Ubuntu, and others), language-specific dependency manifests (npm, pip, Go modules, Maven, Cargo, and more), Infrastructure as Code definitions (Terraform, CloudFormation, Ansible, Dockerfiles), and Kubernetes cluster configurations. Vulnerability data is sourced from multiple advisory databases — NVD, GitHub Security Advisories, and OS vendor trackers — and cached locally so scans can run offline. The secret scanner runs across all targets, detecting hardcoded credentials, private keys, and API tokens using pattern matching and entropy analysis.
For enterprise and DevSecOps workflows, Trivy generates output in SARIF, JSON, table, and CycloneDX/SPDX SBOM formats, integrating cleanly with GitHub Advanced Security, GitLab dependency scanning, and SIEM platforms. Kubernetes operators can deploy Trivy Operator (formerly Starboard) for continuous in-cluster scanning that automatically produces VulnerabilityReport and ConfigAuditReport custom resources. The combination of breadth, speed, and simplicity has positioned Trivy as the default scanner in many container-native CI/CD pipelines.
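The JSON output mentioned above is what most pipeline gates and SIEM forwarders consume. The following script is an added example, not code from Trivy or Aqua Security: it reads a report, tallies findings by severity across vulnerabilities, secrets and misconfigurations, and fails the build when anything at or above a chosen severity remains. The sample report embedded in it is constructed for illustration, and the field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `FixedVersion`, `Secrets`, `RuleID`, `Misconfigurations`, `ID`, `Status`) are assumed to match Trivy's JSON schema; the `ignore_unfixed` option mirrors the scanner's own `--ignore-unfixed` behaviour of dropping vulnerabilities that have no fixed version yet.

```python
"""Severity gate over a Trivy-style JSON report (added example, not Trivy's own code).

Assumption: the report layout follows Trivy's `--format json` output as
understood here: a top-level "Results" list whose entries carry a "Target"
and optional "Vulnerabilities", "Secrets" and "Misconfigurations" lists.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report; not real scanner
# output, and the CVE identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.18.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "HIGH", "Title": "constructed sample finding"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
                 "InstalledVersion": "2.3.0-r0", "FixedVersion": "",
                 "Severity": "LOW", "Title": "constructed sample finding"},
            ],
        },
        {
            "Target": "app/config.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "generic-api-key", "Category": "general",
                 "Severity": "CRITICAL", "Title": "Generic API key",
                 "StartLine": 12, "EndLine": 12, "Match": "API_KEY=****"},
            ],
        },
    ],
})


def iter_findings(report):
    """Yield (target, kind, severity, identifier, fix_available) for each finding.

    Secrets and failed misconfigurations are always treated as fixable: the
    remediation is removing the credential or changing the config, so the
    'unfixed' exemption only ever applies to package vulnerabilities.
    """
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            yield (target, "vulnerability", v.get("Severity", "UNKNOWN"),
                   v.get("VulnerabilityID", "?"), bool(v.get("FixedVersion")))
        for s in result.get("Secrets") or []:
            yield (target, "secret", s.get("Severity", "UNKNOWN"),
                   s.get("RuleID", "?"), True)
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # PASS entries are informational, not findings
            yield (target, "misconfiguration", m.get("Severity", "UNKNOWN"),
                   m.get("ID", "?"), True)


def evaluate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return severity counts, the findings that block the build, and a pass flag."""
    report = json.loads(report_json)
    counts = Counter()
    blocking = []
    for target, kind, severity, ident, fixable in iter_findings(report):
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[threshold]:
            continue
        if ignore_unfixed and kind == "vulnerability" and not fixable:
            continue  # no upstream fix yet; report it but do not block on it
        blocking.append((target, kind, severity, ident))
    return {"counts": dict(counts), "blocking": blocking, "passed": not blocking}


if __name__ == "__main__":
    # Usage: python gate.py report.json [THRESHOLD]; without arguments it
    # evaluates the constructed sample above.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(raw, threshold=sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print("findings by severity:", verdict["counts"])
    for target, kind, severity, ident in verdict["blocking"]:
        print(f"BLOCK {severity:<8} {kind:<16} {ident} in {target}")
    sys.exit(0 if verdict["passed"] else 1)
```

The exit code is what a CI step keys on; the per-severity counts are the part worth shipping to a SIEM so that trend lines survive even when the gate passes. Keeping secrets outside the unfixed exemption is deliberate: a leaked credential is always actionable, whatever the package advisories say.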
Multi-Target Scanning
Scans container images, filesystems, Git repositories, Kubernetes clusters, and VM images from a single binary with no external dependencies.
Secret Detection
Built-in regex and entropy-based secret scanner identifies API keys, tokens, passwords, and certificates embedded in code or container layers.
IaC & Config Auditing
Evaluates Terraform, CloudFormation, Dockerfiles, Kubernetes manifests, and Helm charts against hundreds of misconfiguration checks.
CI/CD Native
First-class integrations with GitHub Actions, GitLab CI, Jenkins, and IDE plugins. Supports SARIF, JSON, and CycloneDX SBOM output formats.
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Targets
CONTAINER, FS, REPO, IAC
Language
GO
CVE Sources
NVD, GITHUB, OS DISTROS
License
APACHE 2.0