Open-Source Wikis

/

Trivy

/

Features

aquasecurity/trivy

Features

The "features" lens groups Trivy's user-visible capabilities. Each capability typically spans several systems — the vulnerability scanning feature, for example, touches fanal, the scan service, the database, and the report writers. The pages here explain capabilities end-to-end so you can follow a request from CLI flag to rendered output.

Pages

  • Vulnerability scanning — the flagship feature: CVE detection in OS packages and language dependencies.
  • Misconfiguration scanning — IaC engine, Rego rules, AVD identifiers.
  • IaC scanning — Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Ansible, ARM, plan files.
  • Secret scanning — built-in regex rules and custom configurations.
  • License scanning — license classifier and policies.
  • SBOM — produce and consume CycloneDX/SPDX SBOMs.
  • VEX — filter findings against Vulnerability Exploitability eXchange statements.
  • Kubernetes scanningtrivy k8s and the operator integration.
  • Cloud scanning — IaC providers for AWS, Azure, GCP, and others.

Most features select scanners through the --scanners flag (vuln,misconfig,secret,license) and pick formats through --format. Cross-cutting concerns like VEX live alongside features rather than in the systems section because they shape the user-visible report.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Features – Trivy wiki | Factory