aquasecurity/trivy
Features
The "features" lens groups Trivy's user-visible capabilities. Each capability typically spans several systems — the vulnerability scanning feature, for example, touches fanal, the scan service, the database, and the report writers. The pages here explain capabilities end-to-end so you can follow a request from CLI flag to rendered output.
Pages
- Vulnerability scanning — the flagship feature: CVE detection in OS packages and language dependencies.
- Misconfiguration scanning — IaC engine, Rego rules, AVD identifiers.
- IaC scanning — Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Ansible, ARM, plan files.
- Secret scanning — built-in regex rules and custom configurations.
- License scanning — license classifier and policies.
- SBOM — produce and consume CycloneDX/SPDX SBOMs.
- VEX — filter findings against Vulnerability Exploitability eXchange statements.
- Kubernetes scanning —
trivy k8sand the operator integration. - Cloud scanning — IaC providers for AWS, Azure, GCP, and others.
Most features select scanners through the --scanners flag (vuln,misconfig,secret,license) and pick formats through --format. Cross-cutting concerns like VEX live alongside features rather than in the systems section because they shape the user-visible report.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.