Convert Figma logo to code with AI

aquasecurity logotrivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

22,801
2,248
22,801
206

Top Related Projects

8,441

A vulnerability scanner for container images and filesystems

10,255

Vulnerability Static Analysis for Containers

4,924

Snyk CLI scans and monitors your projects for security vulnerabilities.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

2,768

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

Quick Overview

Trivy is a comprehensive and versatile security scanner for containers and other artifacts. It detects vulnerabilities in package dependencies, misconfigurations, and secret leaks in various components such as container images, filesystems, and git repositories. Trivy is designed to be easy to use, fast, and accurate, making it an essential tool for DevSecOps practices.

Pros

  • Easy to use with a simple CLI interface and integration options
  • Supports multiple scanning targets (containers, filesystems, git repositories)
  • Regularly updated vulnerability database
  • Fast scanning speed and low resource consumption

Cons

  • May produce false positives in some cases
  • Limited customization options for certain types of scans
  • Requires frequent updates to maintain an up-to-date vulnerability database

Getting Started

To get started with Trivy, follow these steps:

  1. Install Trivy:
# For macOS
brew install aquasecurity/trivy/trivy

# For Linux
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
  1. Scan a container image:
trivy image python:3.9-alpine
  1. Scan a local filesystem:
trivy fs /path/to/project
  1. Scan a git repository:
trivy repo https://github.com/example/repo

For more advanced usage and configuration options, refer to the official Trivy documentation.

Competitor Comparisons

8,441

A vulnerability scanner for container images and filesystems

Pros of Grype

  • Faster scanning speed for large images and filesystems
  • More detailed vulnerability reports with additional metadata
  • Better integration with other Anchore products for comprehensive security analysis

Cons of Grype

  • Smaller community and ecosystem compared to Trivy
  • Less frequent updates and releases
  • More limited support for non-container scanning scenarios

Code Comparison

Grype command:

grype <image_name>

Trivy command:

trivy image <image_name>

Both tools provide similar basic functionality for scanning container images, but their output formats and additional features differ. Grype tends to provide more detailed vulnerability information, while Trivy offers a broader range of scanning capabilities beyond just container images.

Grype's output includes more metadata about vulnerabilities, such as fix versions and CVSS scores, while Trivy's output is more concise by default. However, Trivy can be configured to provide additional details as well.

Overall, both tools are valuable for container security scanning, with Grype excelling in speed and detail for large images, and Trivy offering a more versatile scanning solution across various environments.

10,255

Vulnerability Static Analysis for Containers

Pros of Clair

  • More mature project with longer history and established ecosystem
  • Designed for integration with container registries, especially Quay
  • Supports multiple database backends for vulnerability data storage

Cons of Clair

  • More complex setup and configuration compared to Trivy
  • Slower scanning speed, especially for large images
  • Less frequent updates to vulnerability database

Code Comparison

Trivy scan command:

trivy image alpine:3.10

Clair scan using clairctl:

clairctl analyze --layers <image_layers> <image_name>

Both tools provide JSON output for easy integration with CI/CD pipelines:

Trivy JSON output:

{
  "Results": [
    {
      "Target": "alpine:3.10 (alpine 3.10.9)",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-36159",
          "PkgName": "apk-tools",
          "InstalledVersion": "2.10.6-r0",
          "FixedVersion": "2.10.7-r0",
          "Severity": "HIGH"
        }
      ]
    }
  ]
}

Clair JSON output:

{
  "Layer": {
    "Name": "sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10",
    "Features": [
      {
        "Name": "apk-tools",
        "VersionFormat": "apk",
        "Version": "2.10.6-r0",
        "Vulnerabilities": [
          {
            "Name": "CVE-2021-36159",
            "NamespaceName": "alpine:3.10",
            "Description": "...",
            "Severity": "High",
            "FixedBy": "2.10.7-r0"
          }
        ]
      }
    ]
  }
}
4,924

Snyk CLI scans and monitors your projects for security vulnerabilities.

Pros of Snyk CLI

  • Offers broader security coverage, including code analysis and license compliance
  • Provides more detailed remediation advice and fix suggestions
  • Integrates seamlessly with Snyk's web-based platform for comprehensive reporting

Cons of Snyk CLI

  • Requires a Snyk account and API token for full functionality
  • May have slower scan times for large projects compared to Trivy
  • Some advanced features are limited to paid plans

Code Comparison

Trivy scan command:

trivy image alpine:3.10

Snyk CLI scan command:

snyk container test alpine:3.10

Both tools offer similar basic functionality for container scanning, but Snyk CLI provides more options for customization and integration with its platform. Trivy's command is simpler and doesn't require authentication, making it easier for quick scans.

Trivy focuses primarily on container and filesystem scanning, while Snyk CLI offers a wider range of security checks across various aspects of the software development lifecycle. Trivy is generally faster for container scans, but Snyk provides more comprehensive analysis and remediation guidance.

Choose Trivy for quick, straightforward container and filesystem scans. Opt for Snyk CLI if you need broader security coverage, detailed fix suggestions, and integration with a comprehensive security platform.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Pros of Terrascan

  • Specialized focus on Infrastructure as Code (IaC) security scanning
  • Supports multiple IaC tools (Terraform, Kubernetes, Helm, Kustomize, etc.)
  • Integrates well with CI/CD pipelines and provides detailed policy violation reports

Cons of Terrascan

  • Limited to IaC scanning, lacking container and application security features
  • Smaller community and fewer regular updates compared to Trivy
  • Less comprehensive vulnerability database

Code Comparison

Terrascan:

terrascan scan -i terraform -d /path/to/terraform/files

Trivy:

trivy config /path/to/terraform/files

Both tools can scan Terraform files, but Trivy offers a broader range of scanning capabilities beyond IaC.

Summary

Terrascan is a specialized tool for IaC security scanning, supporting multiple IaC formats and providing detailed policy violation reports. It integrates well with CI/CD pipelines but lacks the broader security scanning features of Trivy. Trivy, on the other hand, offers a more comprehensive security scanning solution, covering containers, applications, and IaC, with a larger community and more frequent updates. The choice between the two depends on specific project requirements and the desired scope of security scanning.

2,768

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

Pros of Dockle

  • Focused specifically on Docker best practices and security
  • Provides actionable recommendations for Dockerfile improvements
  • Lightweight and fast execution

Cons of Dockle

  • Limited scope compared to Trivy's broader vulnerability scanning
  • Less frequent updates and smaller community support
  • Fewer integrations with CI/CD tools and platforms

Code Comparison

Dockle:

dockle --exit-code 1 --exit-level warn myimage:latest

Trivy:

trivy image --severity HIGH,CRITICAL myimage:latest

Dockle focuses on Dockerfile and image best practices, while Trivy scans for vulnerabilities in container images and file systems. Dockle's output provides specific recommendations for Dockerfile improvements, whereas Trivy reports detailed vulnerability information.

Trivy offers a more comprehensive security scanning solution, covering vulnerabilities in OS packages, language-specific dependencies, and misconfigurations. Dockle, on the other hand, excels at providing targeted advice for Docker image optimization and adherence to best practices.

Both tools are valuable in a container security pipeline, with Dockle being more specialized for Docker-specific checks and Trivy offering broader vulnerability assessment capabilities.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC issues and misconfigurations
  • Sensitive information and secrets
  • Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page.

To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Quick Start

Get Trivy

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:

Canary builds

There are canary builds (Docker Hub, GitHub, ECR images and binaries) as generated every push to main branch.

Please be aware: canary builds might have critical bugs, it's not recommended for use in production.

General usage

trivy <target> [--scanners <scanner1,scanner2>] <subject>

Examples:

trivy image python:3.4-alpine
Result

https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov

trivy fs --scanners vuln,secret,misconfig myproject/
Result

https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov

trivy k8s --report summary cluster
Result

k8s summary

FAQ

How to pronounce the name "Trivy"?

tri is pronounced like trigger, vy is pronounced like envy.

Want more? Check out Aqua

If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users here.
In addition check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo

Community

Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here Join our Slack community to stay up to date with community efforts.

Please ensure to abide by our Code of Conduct during all interactions.