trivy

Provides the Trivy security scanner for detecting vulnerabilities, misconfigurations, secrets, and license issues in container images, filesystems, and IaC.

grype, snyk, clair, sonar-scanner-cli

The trivy image packages Trivy, a comprehensive open-source security scanner maintained by Aqua Security. Trivy can scan container images, local filesystems, Git repositories, Kubernetes clusters, and infrastructure-as-code files for known CVEs, exposed secrets, misconfigurations, and software license compliance issues.

It supports a wide range of package ecosystems (OS packages, npm, pip, Maven, Go modules, etc.) and integrates with CI/CD pipelines, container registries, and Kubernetes admission controllers. Trivy is widely used as a lightweight, fast scanner that requires no separate server or database infrastructure to run.

How to use this image

Scan a container image for vulnerabilities:

docker run --rm \
  aquasec/trivy image nginx:latest

Scan only for HIGH and CRITICAL CVEs:

docker run --rm \
  aquasec/trivy image \
  --severity HIGH,CRITICAL \
  nginx:latest

Scan a local filesystem:

docker run --rm \
  -v "$(pwd)":/src \
  aquasec/trivy fs /src

Scan a Dockerfile or Terraform files for misconfigurations:

docker run --rm \
  -v "$(pwd)":/src \
  aquasec/trivy config /src

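Output results as JSON for pipeline integration. Write the report to a mounted host directory, because a file written inside a --rm container is discarded on exit. A locally built image such as my-app:latest is only visible to Trivy when the Docker socket is mounted:

docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$(pwd)":/out \
  aquasec/trivy image \
  --format json \
  --output /out/results.json \
  my-app:latest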

Fail a CI build (exit code 1) if CRITICAL vulnerabilities are found in a locally built image:

docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image \
  --exit-code 1 \
  --severity CRITICAL \
  my-app:latest
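The JSON report and the CI gate above can be combined into a policy check that runs on the saved report. The script below is an added example, not part of the Trivy project: it assumes the layout of Trivy's `--format json` report (a top-level Results list whose entries may carry a Vulnerabilities list), and the names `gate` and `SAMPLE_REPORT` and the CVE identifiers in the sample are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report (not real scan output).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-app:latest",
    "Results": [
        {"Target": "my-app:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.0", "Severity": "HIGH"},
        ]},
        # A target without findings: the Vulnerabilities key may be absent or null.
        {"Target": "app/package-lock.json"},
    ],
})

def gate(report_text, fail_on=("CRITICAL",), fixable_only=True):
    """Return (exit_code, blocking_findings, severity_counts) for a report."""
    report = json.loads(report_text)
    counts, blocking = Counter(), []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev not in fail_on:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue  # no fixed version yet: counted, but does not block
            blocking.append((result.get("Target"), vuln.get("VulnerabilityID"),
                             vuln.get("PkgName"), vuln.get("FixedVersion")))
    return (1 if blocking else 0), blocking, dict(counts)

if __name__ == "__main__":
    # Pass the path to results.json, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    code, blocking, counts = gate(text)
    print("severity counts:", counts)
    for target, vuln_id, pkg, fixed in blocking:
        print(f"BLOCK {vuln_id} in {pkg} ({target}); fixed in {fixed}")
    sys.exit(code)
```

Blocking only on findings that have a fixed version mirrors what Trivy's `--ignore-unfixed` flag does at scan time, while the severity counts still record unfixed findings.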

Image variants

aquasec/trivy:latest

The latest stable Trivy release. Based on a minimal Alpine image. Suitable for most CI and ad-hoc scanning use cases.

aquasec/trivy:<version>

Pinned version tags such as aquasec/trivy:0.50.0. Recommended for reproducible pipeline scans where scanner behavior should not change between runs.
