aquasecurity/trivy
Lore
Trivy started life in March 2019 as a small Alpine-and-Debian vulnerability scanner and has, over six years, grown into a multi-target security platform that covers vulnerabilities, misconfigurations, secrets, licenses, SBOMs, VEX, Kubernetes, and cloud accounts. This page tells the story of the codebase rather than the tool itself: the eras, the rewrites, the deprecations, and the long-running pieces of code that survived.
Eras
The Alpine era (Mar–Sep 2019)
The first commit is 7b3bf986 ("Initial commit") on 27 Mar 2019 by Teppei Fukuda (knqyf263). The first analyzers landed within the next week:
- 03 Apr 2019 —
apkanalyzer - 04 Apr 2019 —
dpkganalyzer
In the first six months Trivy gained scanners for Red Hat (rpm), Debian, Ubuntu, Amazon Linux, and the first language ecosystems (Bundler, Composer, npm, pip). The earliest releases (v0.0.1 … v0.0.10) iterated quickly. The CLI in this era was a single file with a flat command structure.
The fanal era (late 2019 – 2020)
The file-analysis subsystem pkg/fanal/ was carved out as a dedicated library that could analyze container images and filesystems without the rest of Trivy. The package added the analyzer/post-analyzer registry, the walker, and the cache abstraction. fanal was originally a separate repository (aquasecurity/fanal) that was later merged into the main Trivy repo to simplify development.
Notable additions in this era:
- The applier pattern for layered artifacts (
pkg/fanal/applier/). - Filesystem and Git repository scanning as first-class targets.
- A Twirp RPC layer (
rpc/) introducing the client/server split.
The IaC merge (2021–2022)
In 2021–2022 Aqua Security folded the tfsec and defsec projects into Trivy. The result was a substantial new subsystem under pkg/iac/ with parsers for Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and a Rego-based rule engine. The misconf scanner (pkg/misconf/) glues the IaC engine into the same BlobInfo-based pipeline as the OS and language scanners.
This was the largest expansion in Trivy's history; the resulting pkg/iac/ is now ~91,000 lines and covers thirteen cloud/IaC providers.
The Kubernetes and cloud era (2022–2023)
Trivy added two new top-level commands: trivy k8s for live cluster scanning and trivy aws (later folded into trivy config and the misconfiguration scanner) for cloud account assessment. The pkg/k8s/ package grew its own scanner, report writer, and command tree. The Trivy Operator (aquasecurity/trivy-operator) became the reference deployment for cluster scanning.
The SBOM and VEX era (2023–2024)
Two big quality-of-life features landed in this period:
- SBOM in/out (
pkg/sbom/) — Trivy can now produce CycloneDX and SPDX SBOMs for any scan target, and consume an SBOM as a target withtrivy sbom. - VEX filtering (
pkg/vex/) — Trivy understands CSAF, OpenVEX, and CycloneDX VEX statements and uses them to suppress not_affected vulnerabilities. Repository-style VEX (pkg/vex/repo/) lets organizations curate VEX statements alongside their code.
A WebAssembly module system (pkg/module/) using wazero opened the door to user-supplied analyzers without the security risks of dlopen-style plugins.
The plugin and ecosystem era (2024–2026)
The plugin manager (pkg/plugin/) gained an OCI-distributed plugin index and a public registry at aquasecurity/trivy-plugin-index. The recent direction has been outward: better integration with GitHub (SARIF, dependency snapshots), a richer Helm chart (helm/trivy/), and tighter coupling with the Aqua AVD database for misconfiguration metadata.
Recent dependency-only refactors (e.g., 99eabdf3a "replace archived go-homedir with os.UserHomeDir") show the era's character: stabilization, supply-chain hygiene, and trimming archived dependencies.
Longest-standing features
These pieces of code have survived nearly every major refactor:
| Component | Introduced | Notes |
|---|---|---|
apk analyzer |
Apr 2019 | Among the very first analyzers; still drives Alpine vulnerability scanning. |
dpkg analyzer |
Apr 2019 | Same vintage as apk; covers Debian/Ubuntu. |
pkg/types/report.go Report struct |
2019 | The shape of Report has grown but the central type has been stable since the first releases. |
| Cobra-based CLI | 2019 | Trivy has used Cobra + Viper for the entire life of the codebase. |
| Twirp RPC | ~2020 | The client/server boundary still uses the same .proto files in rpc/. |
| The cache abstraction | ~2020 | pkg/cache/ (filesystem, in-memory, Redis, remote) — the interface has been remarkably stable. |
Major rewrites
- fanal merge (2020) — fanal moved from its own repository into
pkg/fanal/. The analyzer/post-analyzer pattern dates to this period. - IaC merge (2022) —
tfsecanddefsecfolded in aspkg/iac/. Largest single addition to the codebase. - Scan service refactor (2023) —
pkg/scan/was introduced to formalize theBackendinterface and unify standalone and client/server scanning behind one entrypoint (scan.Service). - Database packaging migration (2022–2023) — Trivy DB and Trivy Checks moved from GitHub release artifacts to OCI bundles distributed through
ghcr.io. The download path lives inpkg/db/db.goandpkg/policy/policy.go.
Deprecated or removed features
tfsecanddefsecstandalone projects — replaced bypkg/iac/. The repos now redirect to Trivy.- GitHub-release-based DB distribution — replaced by OCI distribution from
ghcr.io/aquasecurity/trivy-db. - The legacy
clientcommand — still present (NewClientCommandinpkg/commands/app.go) but--serverflags on the regular subcommands are the recommended path. - Docker-shell and direct Docker daemon dependency — fanal now reads images via
go-containerregistry/containerd and only falls back to a Docker daemon if available. go-homedirdependency — removed in99eabdf3a(Apr 2026) because the upstream project was archived; replaced withos.UserHomeDir.
Growth trajectory
- 2019 → first OS analyzers, single-binary scanner.
- 2020 → fanal, RPC, more language ecosystems.
- 2021–2022 → IaC merge, misconfiguration scanning.
- 2023 → SBOM, VEX, WebAssembly modules, Kubernetes operator integration.
- 2024–2026 → plugin index, supply-chain hardening, expanded cloud and language coverage.
The contributor base grew from a handful of Aqua engineers to ~559 unique authors. Bots (primarily dependabot[bot]) account for several hundred commits since 2021, when automated dependency updates were enabled.
See also
- By the numbers — current snapshot.
- Architecture — what the codebase looks like today.
- Maintainers — who owns each subsystem now.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.