Trivy

Trivy is an open-source security scanner from Aqua Security that finds vulnerabilities, misconfigurations and exposed secrets in container images, filesystems, Git repositories and more. It is fast, runs as a single binary or container, and produces reports in human-readable and machine-readable formats (table, JSON, SARIF, SBOM) that fit directly into a CI pipeline.

What is Trivy?

Trivy scans for:

  • OS packages - Vulnerabilities in distribution packages (apt, apk, rpm, ...) found in the image or filesystem
  • Application dependencies - Vulnerabilities in language packages found through lockfiles, manifests and compiled binaries (npm, Go, Python, Java, ...)
  • Misconfigurations - Insecure settings in IaC and config files (Dockerfile, Kubernetes manifests, Terraform, Helm charts)
  • Secrets - Hard-coded credentials, tokens and private keys in source trees and image layers

Installing Trivy

Using Package Manager

# macOS
brew install trivy

# Ubuntu/Debian
# apt-key is deprecated; store the signing key in /usr/share/keyrings and bind the repo to it with signed-by
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Using Docker

The image's entrypoint is trivy, so everything after the image name is passed to it as arguments. Mount a host directory over /root/.cache/trivy so the vulnerability database is not re-downloaded on every run, and mount the Docker socket if you need to scan images that only exist in the local daemon.

docker run --rm -v "$HOME/.cache/trivy:/root/.cache/trivy" -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:latest image nginx:latest

Scanning Container Images

Basic Scan

Pulls the image if it is not available locally, downloads or updates the vulnerability database on the first run (cached under ~/.cache/trivy), and prints one table of findings per target: the OS packages plus each language ecosystem it detects inside the image.

trivy image nginx:latest

Scan with JSON Output

The JSON report carries everything the table shows and more (target, package, installed and fixed version, severity, references) and is the format to feed into downstream tooling. Add --output report.json to write it to a file instead of stdout. Other --format values include table (the default), sarif and template.

trivy image --format json nginx:latest

Scan with Exit Code

By default Trivy exits 0 even when it finds vulnerabilities. --exit-code 1 makes it return 1 when at least one finding matches the --severity filter, which is what lets a CI job fail on the scan result. Add --ignore-unfixed to leave out findings for which no fixed package version exists yet, so the gate only fails on what you can actually remediate.

trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

Scan Specific Severities

--severity takes a comma-separated subset of UNKNOWN, LOW, MEDIUM, HIGH and CRITICAL; without it every severity is reported.

trivy image --severity CRITICAL nginx:latest

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required to upload SARIF to GitHub code scanning
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Run Trivy vulnerability scanner
      # Pin the action to a release tag (or better, a full commit SHA), never to a branch:
      # a mutable ref lets anyone who can push to it run arbitrary code in your pipeline.
      uses: aquasecurity/trivy-action@0.28.0
      with:
        image-ref: 'nginx:latest'
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'HIGH,CRITICAL'
    - name: Upload results to GitHub code scanning
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'

The SARIF file is only useful once it is uploaded, which is what the second step does. To make the job fail on findings as well, add exit-code: '1' to the scanner's inputs and put if: always() on the upload step so the results still reach code scanning when the scan step fails.

GitLab CI

trivy-scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy; reset it so GitLab can run the script shell
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

Without the entrypoint override the job fails before the script runs, because GitLab tries to start its own shell through the trivy binary. To avoid downloading the vulnerability database on every job, set TRIVY_CACHE_DIR to a path inside the project (for example .trivycache/) and list that path under cache: paths.
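The JSON output, --exit-code and --severity options above, and the "block critical vulnerabilities" practice, are usually combined into one CI gate. The script below is an added example written for this page, not code from the Trivy project: it reads the report written by trivy image --format json --output report.json and re-implements, in one auditable place, the decisions that --severity, --ignore-unfixed and a .trivyignore file make inside Trivy, so the policy can be changed (or extended with organisation-specific rules) without re-running the scan. It assumes Trivy's schema-version-2 report layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) and the .trivyignore line format "ID [exp:YYYY-MM-DD]". The report and ignore list embedded in it are constructed sample data with placeholder IDs, not real findings.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SAMPLE_TODAY = date(2025, 1, 1)  # fixed "today" so the ignore-expiry logic is reproducible

# Constructed sample report: placeholder CVE ids and package names, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example.internal/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.internal/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libexample", "InstalledVersion": "1.2.3",
              "FixedVersion": "1.2.4", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libexample", "InstalledVersion": "1.2.3",
              "FixedVersion": "", "Severity": "HIGH"},  # no fixed package yet
             {"VulnerabilityID": "CVE-2099-0003", "PkgName": "pkg-b", "InstalledVersion": "2.0.0",
              "FixedVersion": "2.0.1", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-2099-0004", "PkgName": "pkg-b", "InstalledVersion": "2.0.0",
              "FixedVersion": "2.0.2", "Severity": "CRITICAL"},
         ]},
        {"Target": "usr/local/bin/app", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0005", "PkgName": "example.com/lib", "InstalledVersion": "3.0.0",
              "FixedVersion": "3.1.0", "Severity": "HIGH"},
         ]},
        # A clean target has no "Vulnerabilities" key at all; the gate must tolerate that.
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg"},
    ],
})

# Constructed .trivyignore: accepted risks, each with an expiry date.
SAMPLE_IGNORE = """
# accepted by risk review; re-evaluate before the expiry date
CVE-2099-0004 exp:2099-12-31
CVE-2099-0005 exp:2024-01-01
"""


def parse_trivyignore(text, today):
    """Return the set of IDs still ignored on `today`; entries whose exp: date has passed drop out."""
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        vuln_id, expires = parts[0], None
        for token in parts[1:]:
            if token.startswith("exp:"):
                expires = date.fromisoformat(token[4:])
        if expires is None or today <= expires:
            active.add(vuln_id)
    return active


def findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list of dicts, tolerating targets with no findings."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "id": v["VulnerabilityID"],
                "target": result["Target"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def evaluate(report_json, min_severity="HIGH", ignore_unfixed=True, ignore_text="", today=None):
    """Sort every finding into a bucket and return the gate decision (exit_code 1 blocks the build)."""
    today = today or date.today()
    ignored_ids = parse_trivyignore(ignore_text, today)
    threshold = SEVERITY_RANK[min_severity.upper()]
    buckets = {"blocking": [], "ignored": [], "unfixed": [], "below_threshold": []}
    for f in findings(report_json):
        if f["id"] in ignored_ids:                               # accepted risk, not yet expired
            buckets["ignored"].append(f)
        elif SEVERITY_RANK.get(f["severity"], 0) < threshold:   # same effect as --severity
            buckets["below_threshold"].append(f)
        elif ignore_unfixed and not f["fixed"]:                  # same effect as --ignore-unfixed
            buckets["unfixed"].append(f)
        else:
            buckets["blocking"].append(f)
    buckets["exit_code"] = 1 if buckets["blocking"] else 0
    return buckets


if __name__ == "__main__":
    import sys
    result = evaluate(SAMPLE_REPORT, ignore_text=SAMPLE_IGNORE, today=SAMPLE_TODAY)
    for f in result["blocking"]:
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} [{f['severity']}] in {f['target']}")
    print(f"ignored={len(result['ignored'])} unfixed={len(result['unfixed'])} "
          f"below_threshold={len(result['below_threshold'])}")
    sys.exit(result["exit_code"])
```

On the sample data the gate blocks on CVE-2099-0001 and on CVE-2099-0005, whose ignore entry expired, while CVE-2099-0004 stays accepted and CVE-2099-0002 is skipped because no fix exists. Expiry dates matter: an ignore file without them silently turns temporary risk acceptances into permanent ones, which is why the parser drops expired entries instead of honouring them.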

Generating SBOMs

CycloneDX Format

Writes a CycloneDX JSON document listing every OS and language package Trivy found in the image, each with a package URL (purl). Add --output sbom.cdx.json to write it to a file; the saved SBOM can later be rescanned with trivy sbom sbom.cdx.json against a fresh vulnerability database without pulling the image again.

trivy image --format cyclonedx nginx:latest

SPDX Format

--format spdx writes tag-value SPDX; use --format spdx-json for the JSON serialisation.

trivy image --format spdx nginx:latest
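An SBOM is most useful when it is kept per build and compared, so the question "what changed in this image since the last scan?" can be answered before a new scan runs. The script below is an added example written for this page, not code from the Trivy project: it diffs two CycloneDX JSON documents of the kind trivy image --format cyclonedx produces, keying each component on its purl with the version (and qualifiers) stripped off, and reports packages added, removed or changed in version. It assumes the components[] entries carry a purl, as Trivy's output does for packages; entries without one (such as the operating-system component) are skipped. Both SBOMs embedded in it are constructed sample data with placeholder package names.

```python
"""Diff two CycloneDX SBOMs by package URL (added example, not Trivy's own code)."""
import json

# Constructed sample SBOMs in the shape Trivy emits; placeholder package names.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "12.5"},  # no purl: skipped
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:deb/debian/libexample@1.2.3?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "pkg-b", "version": "2.0.0",
         "purl": "pkg:deb/debian/pkg-b@2.0.0?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "example.com/lib", "version": "3.0.0",
         "purl": "pkg:golang/example.com/lib@3.0.0"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "12.6"},
        {"type": "library", "name": "libexample", "version": "1.2.4",
         "purl": "pkg:deb/debian/libexample@1.2.4?arch=amd64&distro=debian-12.6"},
        {"type": "library", "name": "pkg-c", "version": "0.9.0",
         "purl": "pkg:deb/debian/pkg-c@0.9.0?arch=amd64&distro=debian-12.6"},
        {"type": "library", "name": "example.com/lib", "version": "3.0.0",
         "purl": "pkg:golang/example.com/lib@3.0.0"},
    ],
})


def purl_key(purl):
    """Identity of a package without its version: pkg:type/ns/name@ver?qual#sub -> pkg:type/ns/name.

    Subpath and qualifiers are cut first, then the version is split off at the last '@',
    as the purl spec prescribes ('@' inside names is percent-encoded, so rpartition is safe).
    """
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name, sep, _version = base.rpartition("@")
    return name if sep else base


def components(sbom_json):
    """Map purl_key -> version for every component that carries a purl."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl")
        if purl:
            out[purl_key(purl)] = c.get("version", "")
    return out


def sbom_diff(old_json, new_json):
    """Packages added, removed, or present in both with a different version."""
    old, new = components(old_json), components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


if __name__ == "__main__":
    diff = sbom_diff(OLD_SBOM, NEW_SBOM)
    for key in diff["added"]:
        print(f"+ {key}")
    for key in diff["removed"]:
        print(f"- {key}")
    for key, before, after in diff["changed"]:
        print(f"~ {key}: {before} -> {after}")
```

Stripping the distro and arch qualifiers is deliberate: a base-image bump changes them on every Debian package, which would otherwise make every component look removed and re-added. The newly added packages are the ones to look at first, since they are the only components the previous scan never saw.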

Scanning Filesystems

trivy fs scans a checked-out project or any directory: it reports vulnerabilities in the packages it finds through lockfiles, manifests and binaries (package-lock.json, go.sum, requirements.txt, pom.xml, ...) and, by default, also looks for secrets. It does not check configuration files unless asked; add --scanners misconfig (or run trivy config on the directory) to check Dockerfiles, Kubernetes manifests and Terraform for misconfigurations.

trivy fs /path/to/directory

Scanning Git Repositories

trivy repo clones the repository into a temporary directory and runs the same scanners as trivy fs. By default it scans the default branch; --branch, --tag and --commit select a different revision, and a local path works as well as a URL.

trivy repo https://github.com/user/repo

Best Practices

  1. Scan in CI/CD - Scan every image before it is pushed to a registry, and scan the source tree (trivy fs) on pull requests so dependency problems surface before the image is even built
  2. Block critical vulnerabilities - Use --exit-code 1 with a --severity threshold to fail builds; combine it with --ignore-unfixed and a .trivyignore file (with exp: dates on accepted risks) so the gate fails only on what can be acted on and accepted risks do not become permanent
  3. Generate SBOMs - Emit a CycloneDX or SPDX SBOM per build and keep it with the artifact; trivy sbom can rescan it later without the image
  4. Regular scans - The vulnerability database changes daily, so an image that was clean at build time does not stay clean; rescan deployed images (or their stored SBOMs) on a schedule
  5. Use caching - Persist the cache directory (TRIVY_CACHE_DIR) between CI jobs, or pre-fetch the database once with trivy image --download-db-only, instead of downloading it on every scan

See Also