aquasecurity/trivy
By the numbers
Data collected on 2026-04-30 from the local checkout at commit 99eabdf3a.
Size
Trivy is overwhelmingly a Go codebase. The repository tracks roughly 264,000 lines of Go across 1,710 .go files (626 of which are test files), plus a sizable MkDocs documentation site and a small set of Helm charts and Mage scripts.
xychart-beta horizontal
title "Source code by language (lines)"
x-axis ["Go (src)", "Go (test)", "Markdown (docs)", "YAML/HCL (testdata)", "Proto/RPC", "Helm chart"]
y-axis "Lines" 0 --> 200000
bar [180000, 84000, 70000, 25000, 8000, 3500]Numbers are approximate counts derived from
find+wc -lrounded to the nearest thousand. Test data fixtures are excluded from the per-language totals.
| Metric | Value |
|---|---|
Total .go files |
1,710 |
Test files (*_test.go) |
626 |
| Total Go lines | ~264,800 |
Top-level packages under pkg/ |
47 |
Subdirectories under pkg/iac/ |
14 |
| Languages with package analyzers | 16 |
| OS distributions with detectors | 17 |
| Cloud / IaC providers covered | 13 |
.github/workflows/ workflows |
23 |
Largest source files
| File | Lines |
|---|---|
rpc/common/service.pb.go |
3,466 |
pkg/iac/scanners/terraform/parser/parser_test.go |
2,926 |
pkg/fanal/artifact/local/fs_test.go |
2,665 |
pkg/dependency/parser/java/pom/parse_test.go |
2,630 |
pkg/sbom/cyclonedx/marshal_test.go |
2,441 |
pkg/fanal/artifact/image/image_test.go |
2,205 |
rpc/cache/service.twirp.go |
1,986 |
pkg/fanal/secret/scanner_test.go |
1,976 |
pkg/sbom/io/encode_test.go |
1,774 |
The biggest non-generated source files are concentrated in pkg/iac/scanners/terraform/, pkg/fanal/secret/, and pkg/sbom/. Generated RPC stubs (*.pb.go, *.twirp.go) dominate the absolute top of the list and are committed rather than regenerated on every build.
Activity
Trivy has had about 4,028 commits on main and ~733 commits in the last 12 months (rolling). 626 commits landed in 2025 alone. Recent monthly activity:
| Month | Commits |
|---|---|
| 2024-09 | 53 |
| 2024-10 | 59 |
| 2024-11 | 62 |
| 2024-12 | 47 |
| 2025-01 | 42 |
| 2025-02 | 38 |
| 2025-03 | 61 |
| 2025-04 | 50 |
| 2025-05 | 60 |
| 2025-06 | 41 |
| 2025-07 | 73 |
| 2025-08 | 35 |
| 2025-09 | 46 |
| 2025-10 | 60 |
| 2025-11 | 46 |
| 2025-12 | 40 |
| 2026-01 | 48 |
| 2026-02 | 33 |
| 2026-03 | 30 |
| 2026-04 | 30 |
Activity has been remarkably steady at 30–60 commits per month for several years, with periodic bumps when major refactors land. The spike in mid-2025 corresponds to dependency churn around the Go modules upgrade and the IaC engine merge from the former tfsec/defsec projects.
Bot-attributed commits
Co-author trailers indicate bot involvement on roughly 295 commits (about 7.3% of all commits). Most of those are dependabot[bot] (545 author-attributed commits include dependabot as the primary author). This is a lower bound on AI- and automation-assisted work because inline assistants leave no git trace; bots that author rather than co-author commits add another layer.
Contributors
The repo currently has 559 unique author identities in git log (including bots). The codebase has a clearly identifiable core team:
| Identity | Notes |
|---|---|
Teppei Fukuda (knqyf263) |
Original author and the most prolific committer; current maintainer |
DmitriyLewen |
Long-tail vulnerability and language-analyzer contributor |
dependabot[bot] |
Automated dependency updates |
Nikita Pivkin (nikpivkin) |
IaC scanner maintainer |
afdesk |
OS detector and DB plumbing |
simar7 |
CI, release, and SBOM areas |
chenk |
Kubernetes scanner |
Owen Rumney |
IaC engine (formerly tfsec lead) |
Per the wiki conventions this page does not break down per-contributor metrics further. Subsystem ownership is summarized on
maintainers.md; per-page contributor bylines list the active humans for a given area.
Tests
| Metric | Value |
|---|---|
*_test.go files |
626 |
| Test-to-source ratio | ~36% (test files / source files) |
| Integration tests | integration/ — 14 *_test.go files (~17,000 lines) |
| Build tags | integration, module_test, vm_integration |
| CI matrix | .github/workflows/test.yaml runs unit, integration, module, and lint jobs |
Complexity
| Metric | Value |
|---|---|
| Largest package by file count | pkg/fanal/analyzer/language/ — language-specific analyzers (16 subdirs) |
| Deepest nesting | pkg/iac/providers/aws/<service>/<...> (3-4 levels for AWS resources) |
| Longest single source file (non-generated) | pkg/iac/scanners/terraform/parser/parser_test.go — 2,926 lines |
| TODO/FIXME/HACK markers | ~139 across all .go files |
Generated code (rpc/common/service.pb.go, rpc/cache/service.twirp.go, etc.) sits at the top of any line-count ranking but is regenerated mechanically and not maintained by hand.
Where to dig in next
- See lore for how the codebase grew from a small Alpine vulnerability scanner to a multi-target platform.
- See maintainers for the subsystem ownership table.
- See systems/fanal for the largest single subsystem in the repo.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.