Trivy

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain.

The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting.

Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.

Features

Container Security Scanners - Identifies vulnerabilities and misconfigurations in container images for secure deployment.

Vulnerability Scanners - Identifies known software vulnerabilities and misconfigurations within container images, file systems, and infrastructure files.

Infrastructure as Code Scanners - Detects security risks and policy violations in configuration files like Terraform or Kubernetes manifests.

Infrastructure Security Scanners - Evaluates cloud configurations and infrastructure templates against security best practices.

Pipeline Security Tools - Automates security checks within development pipelines to prevent vulnerable code from reaching production.

Software Composition Analysis Tools - Detects open source dependencies and licenses to manage supply chain risks.

Supply Chain Security Tools - Analyzes application dependencies and build artifacts to detect vulnerabilities.

Cloud Auditing Tools - Assesses cloud platform configurations against security best practices to identify exposure.

Policy Enforcement Engines - Evaluates infrastructure configurations against predefined compliance standards using declarative rules.

Container Management - Vulnerability scanner for container images and filesystems.

Container Security - Comprehensive vulnerability scanner for container images.

DevOps Security - Vulnerability scanner for containers and software artifacts.

DevSecOps And Hardening - Scans containers and artifacts for vulnerabilities in CI pipelines.

IaC Security - Scanner for infrastructure-as-code vulnerabilities.

Infrastructure as Code Analysis - Comprehensive vulnerability scanner for container environments.

Security and Vulnerability Scanning - Comprehensive vulnerability scanner for containers and artifacts.

Image Scanning and SBOM - Comprehensive vulnerability scanner for containers.

Security and Compliance - Security scanner for containers and artifacts.

Security And Privacy - Vulnerability and secret scanner for containers.

Security and Vulnerability Scanning - Vulnerability scanner for containers and software artifacts.

Vulnerability Scanning - Scans containers for vulnerabilities.

Static Analysis Signatures - Identifies vulnerabilities by comparing artifacts against a versioned database of security signatures.

Vulnerability Intelligence Feeds - Fetches security intelligence from remote databases to maintain current detection logic.

Security Scanner Plugins - Uses a modular architecture to inspect diverse targets like containers and filesystems.

aquasecuritytrivy

Features

Star history