aquasecurity/trivy
Vulnerability scanning
Active contributors: knqyf263, DmitriyLewen, afdesk
Purpose
Vulnerability scanning is Trivy's flagship feature. It detects known CVEs in:
- OS packages (Alpine, Debian, Ubuntu, RHEL, Rocky, Alma, Oracle, Amazon Linux, SUSE, Photon, Bottlerocket, CBL-Mariner, Wolfi, Chainguard).
- Language dependencies (Maven/Gradle, npm/yarn/pnpm/bun, pip/pipenv/poetry/uv, Go modules and binaries, Bundler, Cargo, NuGet, Composer, Conan, CocoaPods/Swift, Dart, Mix, Julia).
- Standalone binaries when they embed dependency metadata (Go binaries, Rust binaries, JARs).
Vulnerability data comes from the Trivy DB, which aggregates NVD, GitHub Security Advisories, distro-specific feeds (Red Hat, Debian, Ubuntu USN, Alpine secdb, etc.), and language-ecosystem feeds (npm, RubyGems, PyPI). The DB itself is built by the separate trivy-db project.
How it works
graph TD
Walker[fanal walker] --> Analyzers[OS + language analyzers]
Analyzers --> Blob[BlobInfo<br/>OS family + packages + applications]
Blob --> Cache[(cache)]
Cache --> Applier[applier.ApplyLayers]
Applier --> Detail[ArtifactDetail]
Detail --> OSScan[ospkg.Scanner]
Detail --> LangScan[langpkg.Scanner]
OSScan --> OSDetect[ospkg detectors<br/>pkg/detector/ospkg]
LangScan --> LibDetect[library detectors<br/>pkg/detector/library]
OSDetect --> DB[(Trivy DB)]
LibDetect --> DB
OSDetect --> Vulns[DetectedVulnerability]
LibDetect --> Vulns
Vulns --> VulnClient[vulnerability.Client<br/>fill metadata]
VulnClient --> Result[types.Result Vulnerabilities]The pipeline is split into discovery and detection:
- Discovery (fanal). The walker runs OS and language analyzers, producing a list of installed packages per layer/snapshot.
- Application (applier). Per-layer blobs are merged into a single
ArtifactDetailthat resolves overlays. - Detection (scan service).
ospkg.Scannerandlangpkg.Scannerconsult the Trivy DB for each package, emittingDetectedVulnerabilityrecords. - Enrichment.
vulnerability.Clientfills in CVSS scores, references, and other metadata from the DB. - Filtering. Severity, fixed/unfixed status, and ignore lists filter the results.
Configuration
| Flag | Purpose |
|---|---|
--scanners vuln |
Select vulnerability scanning (default; can be combined with others). |
--severity |
Filter by severity (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL). |
--ignore-unfixed |
Drop vulnerabilities with no upstream fix. |
--ignorefile |
Path to .trivyignore. |
--vuln-type |
Restrict to os or library. |
--detection-priority |
precise (default) or comprehensive. |
--pkg-types |
Restrict to os/library. |
--pkg-relationships |
Filter by relationship (direct, indirect). |
The .trivyignore file is a plain list of CVE IDs to suppress. For more nuanced suppression, use VEX.
OS detection
pkg/fanal/analyzer/os/ registers analyzers for each distro that produce a types.OS record (Family, Name, Eosl). The applier picks the highest-priority OS detected on the artifact. If none is found, the scanner logs a debug line and skips OS package scanning. EOSL (End of Service Life) is signaled when the distribution no longer ships security updates; Trivy logs a Warn when that happens (see pkg/scan/service.go).
Language detection
Each language has its own analyzer and detector pair:
| Language | Analyzer | Detector |
|---|---|---|
| Go | gomod, gobinary |
pkg/detector/library/golang/ |
| Java | jar, pom, gradle-lockfile, sbt-lockfile |
pkg/detector/library/maven/ |
| Node.js | npm, yarn, pnpm, bun, node-pkg |
pkg/detector/library/npm/ |
| Python | pip, pipenv, poetry, uv, pylock, python-pkg |
pkg/detector/library/python/ |
| Ruby | bundler, gemspec |
pkg/detector/library/bundler/ |
| Rust | cargo, rustbinary |
pkg/detector/library/cargo/ |
| .NET | nuget, dotnet-core, packages-props |
pkg/detector/library/nuget/ |
| PHP | composer, composer-vendor |
pkg/detector/library/composer/ |
| Swift | swift, cocoapods |
pkg/detector/library/swift/, cocoapods/ |
| Dart | pubspec-lock |
pkg/detector/library/pub/ |
| Elixir | mix-lock |
pkg/detector/library/hex/ |
| Conda | conda-pkg, conda-environment |
pkg/detector/library/conan/ |
| Conan (C/C++) | conan-lock |
pkg/detector/library/conan/ |
| Julia | julia |
pkg/detector/library/julia/ |
JAR archives that don't carry a manifest are matched against the Java DB by SHA-1 hash.
Output
Findings end up in types.Result.Vulnerabilities with fields like VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Layer, and References. Renderers in pkg/report/ (table, JSON, SARIF, CycloneDX, SPDX, HTML, GitHub) all know how to format vulnerabilities.
Integration points
- fanal — OS and language analyzers.
- Scan service — runs the detectors.
- Database — vulnerability data source.
- VEX — post-scan filter.
- SBOM — vulnerabilities can be carried along with an SBOM.
Entry points for modification
- Add a language — implement an analyzer in
pkg/fanal/analyzer/language/<lang>/plus a parser inpkg/dependency/parser/<lang>/. Add a detector inpkg/detector/library/<lang>/. - Add a distro — implement an OS analyzer in
pkg/fanal/analyzer/os/<distro>/and a detector inpkg/detector/ospkg/<distro>/. - Change ignore behavior —
pkg/result/result.goandpkg/result/policy.go(Rego-based filters). - Add a metadata field — extend
types.DetectedVulnerabilityinpkg/types/vulnerability.goand the renderers + RPC convert.
Key source files
| File | Purpose |
|---|---|
pkg/scan/local/service.go |
Scan orchestration. |
pkg/scan/ospkg/scanner.go |
OS-package scanner. |
pkg/scan/langpkg/scanner.go |
Language-package scanner. |
pkg/detector/ospkg/ |
Per-distro OS detectors. |
pkg/detector/library/ |
Per-language library detectors. |
pkg/vulnerability/vulnerability.go |
DB query client. |
pkg/types/vulnerability.go |
DetectedVulnerability type. |
pkg/types/report.go |
Report.Results.Vulnerabilities. |
See also
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.