Open-Source Wikis

/

Trivy

/

Trivy

aquasecurity/trivy

Trivy

Trivy is an open-source security scanner that finds vulnerabilities, misconfigurations, secrets, and license issues across container images, filesystems, Git repositories, virtual machine images, Kubernetes clusters, and cloud accounts. It is written in Go, distributed as a single static binary, and used both as a developer-facing CLI and as a long-running server in CI/CD and platform deployments.

What Trivy does

Trivy organizes its work along two axes:

  • Targets — what you scan: container images, filesystems, Git repositories, virtual machine images, Kubernetes clusters, AWS resources, and SBOM files.
  • Scanners — what gets detected: known vulnerabilities (CVEs) in OS packages and language dependencies, infrastructure-as-code misconfigurations, hard-coded secrets, and software licenses.

The CLI dispatches a target to a series of analyzers (filesystem inspection), then runs the requested scanners against the discovered packages and configuration files, then assembles a types.Report that can be rendered as a table, JSON, SARIF, CycloneDX, SPDX, GitHub dependency snapshot, or a custom Go template.

Who uses Trivy

  • Developers running trivy fs . or trivy image my/app:latest locally before pushing.
  • CI pipelines invoking Trivy as a step (GitHub Actions, GitLab, Jenkins) and consuming SARIF, JSON, or table output.
  • Platform teams deploying the Trivy Operator or the Trivy server to scan Kubernetes clusters and registries continuously.
  • SBOM workflows generating or scanning CycloneDX/SPDX files via trivy sbom.

Repository at a glance

Area Path What lives here
CLI entry point cmd/trivy/main.go func main() — exit handling and plugin dispatch
Command tree pkg/commands/ Cobra commands: image, fs, repo, k8s, sbom, vm, server, client, convert, clean, module, plugin, vex, auth, registry, config, version
File analysis pkg/fanal/ The fanal subsystem — analyzers, artifact handlers, walkers, image readers
Scan service pkg/scan/ The scan service that orchestrates local or remote backends
IaC scanners pkg/iac/ Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Ansible parsers and rule engine
Misconfiguration pkg/misconf/ Bridge between fanal and the IaC scanners
Secrets pkg/fanal/secret/ Built-in secret rules and matcher
Reports pkg/report/ Table, JSON, SARIF, CycloneDX, SPDX, template, GitHub renderers
Cache & DB pkg/cache/, pkg/db/, pkg/javadb/ Filesystem/Redis cache, Trivy DB and Java DB clients
Plugin runtime pkg/plugin/ Plugin manager and index
WASM modules pkg/module/ WebAssembly module support for custom analyzers
RPC pkg/rpc/, rpc/ Twirp-generated client/server for trivy server
Kubernetes pkg/k8s/ The trivy k8s command, scanner, and report writer
Flags pkg/flag/ The flag system used by every command
VEX pkg/vex/ Vulnerability Exploitability eXchange filtering
Integration tests integration/ End-to-end tests with golden files
Documentation site docs/ The MkDocs source for trivy.dev/docs

For deeper explanations of each area, follow the links above or browse the wiki sidebar.

License

Trivy is Apache 2.0 licensed (LICENSE) and maintained by Aqua Security.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Trivy – Trivy wiki | Factory