
Trivy, Unpacked: One Scanner For Containers, Code, And Clusters

Inside Aqua Security's open-source engine for CVEs, SBOMs, misconfigurations, and secrets
aquasecurity


Security tooling often splinters by surface area: one product for containers, another for code, another for Kubernetes. Trivy takes the opposite approach. It is a single, open-source scanner that understands images, filesystems, Git repositories, VMs, and even live Kubernetes resources, and it knows how to find vulnerabilities, misconfigurations, leaked secrets, licenses, and build accurate SBOMs along the way.

Trivy distills this into two ideas: targets (what to scan) and scanners (what to find). Trivy supports popular languages and OSes and integrates with GitHub Actions, a Kubernetes operator, and a VS Code extension. It is distributed as a binary and container image, with canary builds published on every push to main.

Key Features

  • Unified targets and scanners. Scan container images, filesystems, Git repos, VM images, and Kubernetes resources; find CVEs, misconfigurations, secrets, licenses, and emit SBOMs. See README.md and pkg/ for module layout.

  • Deep coverage. Language ecosystems and OS packages are handled through dedicated analyzers and databases, wired through pkg/vulnerability and pkg/dependency.

  • IaC and policy. Misconfig checks for Terraform, Kubernetes YAML, Helm, and more via pkg/misconf, with policies expressed in Rego (OPA, 2025).

  • Runtime awareness. Kubernetes scanning with summaries and detailed findings through pkg/k8s, plus a maintained Trivy Operator for continuous cluster posture.

  • Supply chain and attestations. SBOM generation in SPDX/CycloneDX via pkg/sbom, and build/verification hooks including Sigstore and Rekor under pkg/attestation and pkg/rekor (Sigstore, 2025).

The Problem And The Solution

Modern software spreads across container images, IaC templates, package managers, and cluster workloads. Teams juggle multiple scanners, formats, and policies to keep pace with advisories and configuration drift. The result is duplicated effort and inconsistent coverage.

Trivy solves this by unifying scanners behind one CLI and one engine. Whether you point it at a local project, a remote image, or a live Kubernetes cluster, it will detect OS and language vulnerabilities (CVEs), generate SBOMs, check IaC and cluster resources for misconfigurations, and flag secrets and license issues. The consistent workflow makes it feasible to adopt security scanning earlier in development and keep it on in CI/CD and production.

Why I Like It

Trivy feels practical. The defaults work, install is trivial, and the results are readable. It embraces open standards and adjacent ecosystems instead of reinventing them: policy checks are built around Rego, signatures ride on Sigstore, and SBOMs export to common formats.

From an SRE or platform engineer's perspective, that means less friction integrating into pipelines and more confidence the outputs will interoperate with existing tooling.

# Quick taste: scan a container image for CVEs
trivy image python:3.12-slim

# Scan a local project for vulnerabilities, misconfigurations, and secrets
trivy fs --scanners vuln,misconfig,secret ./myproject

# Summarize Kubernetes risks in a live cluster
trivy k8s --report summary cluster

Under The Hood

The codebase is modern Go, split into focused packages under pkg/. Notable components include pkg/scan for orchestrating scans, pkg/report for formatting outputs, pkg/db for vulnerability DB handling, and pkg/policy for policy integration. The CLI wiring under pkg/commands exposes consistent verbs across targets.

Documentation is built with MkDocs (mkdocs.yml) and lives in docs/. Shipping artifacts are automated via goreleaser.yml and a small Dockerfile, with canary pipelines producing images and binaries on every push.

Design-wise, Trivy emphasizes speed and repeatability. Caches in pkg/cache reduce re-downloading advisories. The SBOM pipeline can be run standalone or as part of a vulnerability scan, enabling attestation and provenance checks downstream. For live clusters, the operator keeps posture up to date without manual triggers.

Community

Trivy is an Aqua Security open-source project with active development. Discussions take place in GitHub Discussions, and releases are regular (CHANGELOG.md traces the cadence). Contribution guidelines live in CONTRIBUTING.md, with CI signals and code style enforced via .golangci.yaml and tests under integration/ and e2e/.

Usage And License Terms

Installation is flexible: Homebrew, container images, direct binaries, and more are covered in the docs. The README links to the Installation guide and an Ecosystem page listing official integrations (GitHub Actions, VS Code, and a Kubernetes operator among them). Output formats include human-readable tables and machine-friendly JSON for pipeline consumption.

Trivy is released under the permissive Apache 2.0 license, allowing commercial use, distribution, modification, and private use with proper notice and without warranty.

Impact And What Comes Next

By consolidating multiple scanners into one tool and speaking standard formats, Trivy lowers the barrier to continuous security. It fits early in development (local scans), in CI (fail on critical findings), and in production (continuous cluster posture). 
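As an added example (not code from Trivy or Aqua), here is a small CI gate in Python that reads the report Trivy writes with --format json and fails the pipeline when findings at or above a chosen severity remain. It assumes the SchemaVersion 2 JSON layout (a top-level Results list whose entries carry Vulnerabilities, Misconfigurations and Secrets, each with a Severity field); the embedded report, its IDs and the file names in it are constructed placeholders. Trivy's own --exit-code, --severity and .trivyignore options cover the simple case; this script adds an aggregate count across all three scanners and an explicit allow-list that the pipeline owns.

```python
"""CI gate over a Trivy JSON report.

Added example, not Trivy's own code. Assumes the report layout Trivy writes
with --format json (SchemaVersion 2): a top-level "Results" list whose entries
carry a "Target" plus optional "Vulnerabilities", "Misconfigurations" and
"Secrets" lists, each finding with a "Severity" field. The embedded report
below is constructed for this example; its IDs are placeholders.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: roughly what `trivy fs --format json ./myproject` emits.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "./myproject",
    "Results": [
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
              "InstalledVersion": "2.3.0", "FixedVersion": "",
              "Severity": "HIGH"}]},
        {"Target": "deploy/app.yaml", "Class": "config", "Type": "kubernetes",
         "Misconfigurations": [
             {"ID": "PLACEHOLDER-CHECK-1", "Title": "placeholder check",
              "Severity": "MEDIUM", "Status": "FAIL"}]},
        {"Target": "config/settings.py", "Class": "secret",
         "Secrets": [
             {"RuleID": "placeholder-rule", "Title": "placeholder secret",
              "Severity": "HIGH"}]},
    ],
})


def load_sample():
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def rank(severity):
    """Numeric rank for a severity; unrecognised values rank as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_findings(report):
    """Yield (kind, target, id, severity) for every finding in the report."""
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            yield "vuln", target, v["VulnerabilityID"], v.get("Severity", "UNKNOWN")
        for m in result.get("Misconfigurations") or []:
            yield "misconfig", target, m["ID"], m.get("Severity", "UNKNOWN")
        for s in result.get("Secrets") or []:
            yield "secret", target, s["RuleID"], s.get("Severity", "UNKNOWN")


def severity_counts(report):
    """Aggregate findings across all scanners by severity."""
    return Counter(sev for _, _, _, sev in iter_findings(report))


def gate(report, fail_on="CRITICAL", ignore_ids=()):
    """Return (passed, blocking): blocking lists findings at or above fail_on
    whose ID is not on the allow-list (same idea as .trivyignore, but
    reimplemented here so the pipeline owns the decision)."""
    blocking = [f for f in iter_findings(report)
                if rank(f[3]) >= rank(fail_on) and f[2] not in ignore_ids]
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage: python gate.py [report.json]   (no argument: run on the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = json.loads(raw)
    print("severity counts:", dict(severity_counts(report)))
    passed, blocking = gate(report, fail_on="HIGH")
    for kind, target, fid, sev in blocking:
        print(f"{sev:<8} {kind:<10} {target}: {fid}")
    sys.exit(0 if passed else 1)
```

In a pipeline you would run `trivy fs --format json --output report.json ./myproject` (or the image or k8s equivalent) and then `python gate.py report.json`; the non-zero exit code is what makes the CI job fail. Keeping the allow-list in version control alongside the gate gives reviewers a visible record of which findings were accepted and why.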

As SBOMs and attestations become baseline for supply-chain security, Trivy's built-in support for SPDX/CycloneDX and Sigstore-backed verification positions it as an easy default. If you need managed posture and fleet-wide dashboards, Aqua's commercial platform builds on Trivy's engine and data.

About Aqua Security

Aqua Security is a cloud-native security company focused on securing applications from code to cloud. Its open-source portfolio includes Trivy, the Trivy Operator, and related projects that extend into supply-chain security. Explore the broader portfolio at Open Source Projects and the company site at aquasec.com.

Conclusion

If you want one scanner that travels with your code from laptop to cluster, Trivy is worth adopting. Start with the documentation, try a quick image scan, and wire the JSON output into your CI. As your needs grow, bring in the operator for cluster posture and explore SBOM and attestation workflows.

References: (Trivy Docs, 2025); (SPDX, 2025); (CycloneDX, 2025); (OPA, 2025); (Sigstore, 2025); (Trivy README, 2025).


Joshua Berkowitz August 24, 2025