2022-06-01 12:35:24 +03:00
<div align="center">
<img src="docs/imgs/logo.png" width="200">
2019-08-19 00:01:50 -10:00
2021-03-17 07:19:34 +02:00
[![GitHub Release][release-img]][release]
2021-07-12 03:14:17 +03:00
[![Test][test-img]][test]
[![Go Report Card][go-report-img]][go-report]
[![License: Apache-2.0][license-img]][license]
2022-11-26 10:44:01 +02:00
[![GitHub Downloads][github-downloads-img]][release]
2021-03-17 07:19:34 +02:00
![Docker Pulls][docker-pulls]
2019-05-17 07:12:15 +09:00
2022-06-02 06:59:35 -03:00
[📖 Documentation][docs]
2022-06-01 12:35:24 +03:00
</div>
2019-05-15 13:20:12 +09:00
2022-11-27 18:45:00 +09:00
Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
Trivy has * scanners * that look for security issues, and * targets * where it can find those issues.
2020-06-08 16:20:44 +03:00
2022-11-26 10:44:01 +02:00
Targets (what Trivy can scan):
2019-05-15 17:57:44 +09:00
2022-06-01 12:35:24 +03:00
- Container Image
- Filesystem
2022-11-27 18:45:00 +09:00
- Git Repository (remote)
- Virtual Machine Image
2022-11-26 10:44:01 +02:00
- Kubernetes
Scanners (what Trivy can find there):
2019-05-07 15:41:03 +09:00
2022-06-01 12:35:24 +03:00
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
2022-11-26 10:44:01 +02:00
- IaC issues and misconfigurations
2022-06-01 12:35:24 +03:00
- Sensitive information and secrets
2022-11-26 10:44:01 +02:00
- Software licenses
2019-05-07 15:41:03 +09:00
2023-06-11 08:49:29 +03:00
Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
2023-01-08 15:16:03 +02:00
To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
2022-06-01 12:35:24 +03:00
## Quick Start
2019-05-15 17:57:44 +09:00
2022-06-01 12:35:24 +03:00
### Get Trivy
2019-05-15 17:57:44 +09:00
2023-01-08 15:16:03 +02:00
Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
2019-05-13 17:24:56 +09:00
2023-01-05 14:25:57 +00:00
- `brew install trivy`
2022-06-01 12:35:24 +03:00
- `docker run aquasec/trivy`
2022-11-26 10:44:01 +02:00
- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
2023-01-08 15:16:03 +02:00
- See [Installation] for more
2022-11-26 10:44:01 +02:00
2023-01-08 15:16:03 +02:00
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
2022-11-26 10:44:01 +02:00
- [GitHub Actions ](https://github.com/aquasecurity/trivy-action )
- [Kubernetes operator ](https://github.com/aquasecurity/trivy-operator )
- [VS Code plugin ](https://github.com/aquasecurity/trivy-vscode-extension )
2023-01-08 15:16:03 +02:00
- See [Ecosystem] for more
2019-05-16 13:07:43 +09:00
2023-03-09 17:36:04 +06:00
### Canary builds
2025-11-11 00:39:44 -05:00
There are canary builds ([Docker Hub ](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary ), [GitHub ](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary ), [ECR ](https://gallery.ecr.aws/aquasecurity/trivy#canary ) images and [binaries ](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml )) generated with every push to the main branch.
2023-03-09 17:36:04 +06:00
2025-11-11 00:39:44 -05:00
Please be aware: canary builds might have critical bugs, so they are not recommended for use in production.
2023-03-09 17:36:04 +06:00
2022-06-01 12:35:24 +03:00
### General usage
2021-07-12 03:14:17 +03:00
```bash
2023-01-23 16:53:06 +02:00
trivy <target> [--scanners <scanner1,scanner2>] <subject>
2021-07-12 03:14:17 +03:00
```
2022-06-01 12:35:24 +03:00
Examples:
2021-07-12 03:14:17 +03:00
```bash
2022-11-26 10:44:01 +02:00
trivy image python:3.4-alpine
2021-07-12 03:14:17 +03:00
```
<details>
<summary>Result</summary>
2022-06-01 12:35:24 +03:00
https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov
2021-07-12 03:14:17 +03:00
</details>
2022-06-01 12:35:24 +03:00
```bash
2023-11-15 09:53:22 +09:00
trivy fs --scanners vuln,secret,misconfig myproject/
2022-06-01 12:35:24 +03:00
```
2021-07-12 03:14:17 +03:00
2022-06-01 12:35:24 +03:00
<details>
<summary>Result</summary>
2021-07-12 03:14:17 +03:00
2022-06-01 12:35:24 +03:00
https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov
2021-07-12 03:14:17 +03:00
2022-06-01 12:35:24 +03:00
</details>
2021-07-12 03:14:17 +03:00
2022-06-01 12:35:24 +03:00
```bash
2022-11-26 10:44:01 +02:00
trivy k8s --report summary cluster
2021-07-12 03:14:17 +03:00
```
<details>
<summary>Result</summary>
2022-06-01 12:35:24 +03:00
2019-05-19 09:54:18 +09:00
</details>
2022-11-26 10:44:01 +02:00
## FAQ
### How to pronounce the name "Trivy"?
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy ** .
2021-07-12 03:14:17 +03:00
2023-06-25 13:40:45 +03:00
## Want more? Check out Aqua
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
2025-11-13 06:43:20 +01:00
You can find a high level comparison table specific to Trivy users [here ](https://trivy.dev/docs/latest/commercial/compare/ ).
2023-06-25 13:40:45 +03:00
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
2023-05-30 10:23:05 +01:00
## Community
2021-10-07 10:18:38 +03:00
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
2023-05-30 10:23:05 +01:00
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
2021-10-07 10:18:38 +03:00
2021-07-12 03:14:17 +03:00
[test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
[test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
[go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
[go-report-img]: https://goreportcard.com/badge/github.com/aquasecurity/trivy
[release]: https://github.com/aquasecurity/trivy/releases
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy.svg?logo=github
2022-11-26 10:44:01 +02:00
[github-downloads-img]: https://img.shields.io/github/downloads/aquasecurity/trivy/total?logo=github
2021-07-12 03:14:17 +03:00
[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/trivy?logo=docker&label=docker%20pulls%20%2F%20trivy
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
2023-01-08 15:16:03 +02:00
[homepage]: https://trivy.dev
2025-11-13 06:43:20 +01:00
[docs]: https://trivy.dev/docs/latest/
2022-11-26 10:44:01 +02:00
[pronunciation]: #how -to-pronounce-the-name-trivy
2023-05-30 10:23:05 +01:00
[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
2019-05-15 17:57:44 +09:00
2025-11-13 06:43:20 +01:00
[Installation]:https://trivy.dev/docs/latest/getting-started/installation/
[Ecosystem]: https://trivy.dev/docs/latest/ecosystem/
[Scanning Coverage]: https://trivy.dev/docs/latest/coverage/
2021-10-07 10:18:38 +03:00
2022-06-01 12:35:24 +03:00
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego
2022-11-26 10:44:01 +02:00
[sigstore]: https://www.sigstore.dev/
2021-10-07 10:18:38 +03:00
[aquasec]: https://aquasec.com
[oss]: https://www.aquasec.com/products/open-source-projects/
[discussions]: https://github.com/aquasecurity/trivy/discussions
