aquasecurity/trivy
Glossary
Trivy uses a vocabulary that mixes general security-scanner terminology with a handful of project-specific terms. This page defines the words you will see most often in code, in commit messages, and in the wiki.
Core terms
Artifact — the thing being scanned. Concrete artifacts are container images, filesystems, Git repositories, virtual machine images, and SBOM files. An artifact is represented by artifact.Artifact in pkg/fanal/artifact/artifact.go. Each artifact handler implements Inspect(ctx) (Reference, error) and Clean(Reference) error.
Blob — a content-addressed analysis result for one image layer or one filesystem snapshot. Blobs are produced by analyzers, keyed by content digest, and stored in the cache. See pkg/fanal/types/artifact.go (BlobInfo).
Layer — a container image layer. Trivy walks each layer separately so that re-scanning shares cached results across images.
Analyzer — a small unit that recognizes a specific kind of file. Examples: apk analyzer parses Alpine package metadata, gomod parses go.mod files, dockerfile analyzer hands off to the IaC engine. Analyzers register themselves via RegisterAnalyzer (pkg/fanal/analyzer/analyzer.go). Constants for every analyzer type live in pkg/fanal/analyzer/const.go.
Post-analyzer — runs after the per-file analyzers and sees the full set of files at once. Used when matching a lockfile to its package metadata requires both files (e.g., npm). Registered via RegisterPostAnalyzer.
Walker — the component that traverses a filesystem or image layer and feeds files to analyzers. Implementations live under pkg/fanal/walker/.
Applier — combines per-layer blob results into a single ArtifactDetail snapshot. The applier resolves overlays (later layers can replace files from earlier layers) and is in pkg/fanal/applier/.
Scanner — a higher-level component that consumes the analyzed artifact and produces findings. The main scanners are vulnerability, misconfiguration, secret, and license. They live under pkg/scan/local/, pkg/misconf/, pkg/fanal/secret/, and pkg/licensing/.
Detector — vulnerability-specific term. OS detectors (pkg/detector/ospkg/) and language detectors (pkg/detector/library/) take a list of packages and emit a list of DetectedVulnerability records.
Backend — an abstraction in pkg/scan/service.go that lets the same scan.Service run either standalone (pkg/scan/local/) or as a Twirp client (pkg/rpc/client/).
Reports and outputs
Report — types.Report in pkg/types/report.go. Top-level structure containing Trivy metadata, ArtifactName, ArtifactType, Metadata, Results, and an optional BOM.
Result — one types.Result per scan target (e.g., one for OS packages, one for package-lock.json). Holds Vulnerabilities, Misconfigurations, Secrets, Licenses, and CustomResources.
Finding — generic interface in pkg/types/finding.go. Vulnerabilities, misconfigurations, secrets, and licenses are all findings.
SBOM — Software Bill of Materials. Trivy can both consume SBOMs (as input artifacts) and produce them (CycloneDX or SPDX) as output. See pkg/sbom/.
VEX — Vulnerability Exploitability eXchange. A statement that a given vulnerability is or is not exploitable in a given product. Trivy filters findings against VEX documents in CSAF, OpenVEX, or CycloneDX format. See pkg/vex/.
Severity — one of UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL. The --severity flag filters reports.
Database and policies
Trivy DB — the OCI-distributed bbolt database of vulnerability data. Built by the trivy-db project, downloaded from ghcr.io/aquasecurity/trivy-db. Client is in pkg/db/db.go.
Trivy Java DB — companion database that maps Java archive hashes to Maven coordinates. Client in pkg/javadb/.
Trivy Checks — Rego policy bundle for IaC scanning. Distributed as an OCI bundle by the trivy-checks project; downloaded by pkg/policy/policy.go.
Rego — the policy language used by Open Policy Agent. Trivy's IaC scanner runs Rego policies against parsed configuration files; see pkg/iac/rego/.
Targets and scanners
Target — what is being scanned (image, filesystem, repository, VM image, Kubernetes cluster, AWS account, SBOM file).
Scanner (CLI sense) — what kind of issue to look for. Selected with --scanners. Allowed values are vuln, misconfig, secret, license. The list is enforced in pkg/types/scanner.go.
Misconfiguration — an IaC finding (e.g., "S3 bucket lacks server-side encryption"). Identified by an AVD-ID (Aqua Vulnerability Database identifier).
Secret — a hard-coded credential found in source files. Built-in rules live in pkg/fanal/secret/builtin-rules.go; allow-rules live in pkg/fanal/secret/builtin-allow-rules.go.
Subsystems
fanal — short for "file analyzer". The subsystem under pkg/fanal/ that handles inspection of artifacts.
Twirp — the RPC framework used between trivy client and trivy server. Code-generated from .proto files under rpc/.
Plugin — an external binary that Trivy launches as a subcommand. Managed by pkg/plugin/.
Module — a WebAssembly module that runs as a sandboxed analyzer or post-scanner. Loaded via pkg/module/ using wazero.
AVD — Aqua Vulnerability Database. The taxonomy used for misconfiguration IDs (AVD-AWS-0001, AVD-DS-0001, etc.).
EOSL — End Of Service Life. A flag set on operating system metadata when the distribution version is no longer supported by upstream security updates; surfaced in pkg/scan/service.go.
Canary — pre-release builds produced from each push to main. See Dockerfile.canary and .github/workflows/canary.yaml.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.