aquasecurity/trivy
Trivy
Trivy is an open-source security scanner that finds vulnerabilities, misconfigurations, secrets, and license issues across container images, filesystems, Git repositories, virtual machine images, Kubernetes clusters, and cloud accounts. It is written in Go, distributed as a single static binary, and used both as a developer-facing CLI and as a long-running server in CI/CD and platform deployments.
What Trivy does
Trivy organizes its work along two axes:
- Targets — what you scan: container images, filesystems, Git repositories, virtual machine images, Kubernetes clusters, AWS resources, and SBOM files.
- Scanners — what gets detected: known vulnerabilities (CVEs) in OS packages and language dependencies, infrastructure-as-code misconfigurations, hard-coded secrets, and software licenses.
The CLI dispatches a target to a series of analyzers (filesystem inspection), then runs the requested scanners against the discovered packages and configuration files, then assembles a types.Report that can be rendered as a table, JSON, SARIF, CycloneDX, SPDX, GitHub dependency snapshot, or a custom Go template.
Who uses Trivy
- Developers running
trivy fs .ortrivy image my/app:latestlocally before pushing. - CI pipelines invoking Trivy as a step (GitHub Actions, GitLab, Jenkins) and consuming SARIF, JSON, or table output.
- Platform teams deploying the Trivy Operator or the Trivy server to scan Kubernetes clusters and registries continuously.
- SBOM workflows generating or scanning CycloneDX/SPDX files via
trivy sbom.
Quick links
- Architecture — top-level view of how a scan flows through Trivy.
- Getting started — install, build, and run.
- Glossary — Trivy-specific terms (artifact, blob, analyzer, applier).
- CLI app — the
trivybinary and its command tree. - Server —
trivy serverand the Twirp RPC protocol. - Vulnerability scanning — the flagship use case.
- IaC / misconfiguration scanning — Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Ansible.
- How to contribute — workflow, testing, conventions.
- By the numbers — codebase size and activity snapshot.
- Lore — timeline and notable rewrites.
Repository at a glance
| Area | Path | What lives here |
|---|---|---|
| CLI entry point | cmd/trivy/main.go |
func main() — exit handling and plugin dispatch |
| Command tree | pkg/commands/ |
Cobra commands: image, fs, repo, k8s, sbom, vm, server, client, convert, clean, module, plugin, vex, auth, registry, config, version |
| File analysis | pkg/fanal/ |
The fanal subsystem — analyzers, artifact handlers, walkers, image readers |
| Scan service | pkg/scan/ |
The scan service that orchestrates local or remote backends |
| IaC scanners | pkg/iac/ |
Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, Ansible parsers and rule engine |
| Misconfiguration | pkg/misconf/ |
Bridge between fanal and the IaC scanners |
| Secrets | pkg/fanal/secret/ |
Built-in secret rules and matcher |
| Reports | pkg/report/ |
Table, JSON, SARIF, CycloneDX, SPDX, template, GitHub renderers |
| Cache & DB | pkg/cache/, pkg/db/, pkg/javadb/ |
Filesystem/Redis cache, Trivy DB and Java DB clients |
| Plugin runtime | pkg/plugin/ |
Plugin manager and index |
| WASM modules | pkg/module/ |
WebAssembly module support for custom analyzers |
| RPC | pkg/rpc/, rpc/ |
Twirp-generated client/server for trivy server |
| Kubernetes | pkg/k8s/ |
The trivy k8s command, scanner, and report writer |
| Flags | pkg/flag/ |
The flag system used by every command |
| VEX | pkg/vex/ |
Vulnerability Exploitability eXchange filtering |
| Integration tests | integration/ |
End-to-end tests with golden files |
| Documentation site | docs/ |
The MkDocs source for trivy.dev/docs |
For deeper explanations of each area, follow the links above or browse the wiki sidebar.
License
Trivy is Apache 2.0 licensed (LICENSE) and maintained by Aqua Security.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.