Open-Source Wikis

/

Trivy

/

Lore

aquasecurity/trivy

Lore

Trivy started life in March 2019 as a small Alpine-and-Debian vulnerability scanner and has, over six years, grown into a multi-target security platform that covers vulnerabilities, misconfigurations, secrets, licenses, SBOMs, VEX, Kubernetes, and cloud accounts. This page tells the story of the codebase rather than the tool itself: the eras, the rewrites, the deprecations, and the long-running pieces of code that survived.

Eras

The Alpine era (Mar–Sep 2019)

The first commit is 7b3bf986 ("Initial commit") on 27 Mar 2019 by Teppei Fukuda (knqyf263). The first analyzers landed within the next week:

  • 03 Apr 2019 — apk analyzer
  • 04 Apr 2019 — dpkg analyzer

In the first six months Trivy gained scanners for Red Hat (rpm), Debian, Ubuntu, Amazon Linux, and the first language ecosystems (Bundler, Composer, npm, pip). The earliest releases (v0.0.1v0.0.10) iterated quickly. The CLI in this era was a single file with a flat command structure.

The fanal era (late 2019 – 2020)

The file-analysis subsystem pkg/fanal/ was carved out as a dedicated library that could analyze container images and filesystems without the rest of Trivy. The package added the analyzer/post-analyzer registry, the walker, and the cache abstraction. fanal was originally a separate repository (aquasecurity/fanal) that was later merged into the main Trivy repo to simplify development.

Notable additions in this era:

  • The applier pattern for layered artifacts (pkg/fanal/applier/).
  • Filesystem and Git repository scanning as first-class targets.
  • A Twirp RPC layer (rpc/) introducing the client/server split.

The IaC merge (2021–2022)

In 2021–2022 Aqua Security folded the tfsec and defsec projects into Trivy. The result was a substantial new subsystem under pkg/iac/ with parsers for Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and a Rego-based rule engine. The misconf scanner (pkg/misconf/) glues the IaC engine into the same BlobInfo-based pipeline as the OS and language scanners.

This was the largest expansion in Trivy's history; the resulting pkg/iac/ is now ~91,000 lines and covers thirteen cloud/IaC providers.

The Kubernetes and cloud era (2022–2023)

Trivy added two new top-level commands: trivy k8s for live cluster scanning and trivy aws (later folded into trivy config and the misconfiguration scanner) for cloud account assessment. The pkg/k8s/ package grew its own scanner, report writer, and command tree. The Trivy Operator (aquasecurity/trivy-operator) became the reference deployment for cluster scanning.

The SBOM and VEX era (2023–2024)

Two big quality-of-life features landed in this period:

  • SBOM in/out (pkg/sbom/) — Trivy can now produce CycloneDX and SPDX SBOMs for any scan target, and consume an SBOM as a target with trivy sbom.
  • VEX filtering (pkg/vex/) — Trivy understands CSAF, OpenVEX, and CycloneDX VEX statements and uses them to suppress not_affected vulnerabilities. Repository-style VEX (pkg/vex/repo/) lets organizations curate VEX statements alongside their code.

A WebAssembly module system (pkg/module/) using wazero opened the door to user-supplied analyzers without the security risks of dlopen-style plugins.

The plugin and ecosystem era (2024–2026)

The plugin manager (pkg/plugin/) gained an OCI-distributed plugin index and a public registry at aquasecurity/trivy-plugin-index. The recent direction has been outward: better integration with GitHub (SARIF, dependency snapshots), a richer Helm chart (helm/trivy/), and tighter coupling with the Aqua AVD database for misconfiguration metadata.

Recent dependency-only refactors (e.g., 99eabdf3a "replace archived go-homedir with os.UserHomeDir") show the era's character: stabilization, supply-chain hygiene, and trimming archived dependencies.

Longest-standing features

These pieces of code have survived nearly every major refactor:

Component Introduced Notes
apk analyzer Apr 2019 Among the very first analyzers; still drives Alpine vulnerability scanning.
dpkg analyzer Apr 2019 Same vintage as apk; covers Debian/Ubuntu.
pkg/types/report.go Report struct 2019 The shape of Report has grown but the central type has been stable since the first releases.
Cobra-based CLI 2019 Trivy has used Cobra + Viper for the entire life of the codebase.
Twirp RPC ~2020 The client/server boundary still uses the same .proto files in rpc/.
The cache abstraction ~2020 pkg/cache/ (filesystem, in-memory, Redis, remote) — the interface has been remarkably stable.

Major rewrites

  • fanal merge (2020) — fanal moved from its own repository into pkg/fanal/. The analyzer/post-analyzer pattern dates to this period.
  • IaC merge (2022) — tfsec and defsec folded in as pkg/iac/. Largest single addition to the codebase.
  • Scan service refactor (2023) — pkg/scan/ was introduced to formalize the Backend interface and unify standalone and client/server scanning behind one entrypoint (scan.Service).
  • Database packaging migration (2022–2023) — Trivy DB and Trivy Checks moved from GitHub release artifacts to OCI bundles distributed through ghcr.io. The download path lives in pkg/db/db.go and pkg/policy/policy.go.

Deprecated or removed features

  • tfsec and defsec standalone projects — replaced by pkg/iac/. The repos now redirect to Trivy.
  • GitHub-release-based DB distribution — replaced by OCI distribution from ghcr.io/aquasecurity/trivy-db.
  • The legacy client command — still present (NewClientCommand in pkg/commands/app.go) but --server flags on the regular subcommands are the recommended path.
  • Docker-shell and direct Docker daemon dependency — fanal now reads images via go-containerregistry/containerd and only falls back to a Docker daemon if available.
  • go-homedir dependency — removed in 99eabdf3a (Apr 2026) because the upstream project was archived; replaced with os.UserHomeDir.

Growth trajectory

  • 2019 → first OS analyzers, single-binary scanner.
  • 2020 → fanal, RPC, more language ecosystems.
  • 2021–2022 → IaC merge, misconfiguration scanning.
  • 2023 → SBOM, VEX, WebAssembly modules, Kubernetes operator integration.
  • 2024–2026 → plugin index, supply-chain hardening, expanded cloud and language coverage.

The contributor base grew from a handful of Aqua engineers to ~559 unique authors. Bots (primarily dependabot[bot]) account for several hundred commits since 2021, when automated dependency updates were enabled.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Lore – Trivy wiki | Factory