Scripts · Apr 10, 2026 · 1 min read

Trivy — All-in-One Security Scanner for Containers & Code

Trivy is an open-source, comprehensive security scanner that finds vulnerabilities, misconfigurations, secrets, and SBOM issues in containers, Kubernetes, code repos, and clouds.

Script Depot · Community
Quick Use

Use it first, then decide how deep to go

This block tells both the user and the agent what to copy, install, and apply first.

# Install
brew install trivy                    # macOS
apt install trivy                     # Debian/Ubuntu (after adding the Aqua apt repo, see Installation)

# Scan a Docker image
trivy image nginx:latest

# Scan a Git repository
trivy repo https://github.com/your/repo

# Scan Kubernetes cluster
trivy k8s --report=summary cluster

# Scan filesystem
trivy fs /path/to/project
Intro

Trivy is a comprehensive, easy-to-use, open-source security scanner by Aqua Security. It finds vulnerabilities (OS packages, language dependencies), misconfigurations (Terraform, Dockerfile, Kubernetes), secrets (API keys, passwords), and SBOM issues — all from a single binary with zero configuration.

With 34.5K+ GitHub stars and an Apache-2.0 license, Trivy has become the de facto standard for container security scanning, integrated into CI/CD pipelines at thousands of organizations worldwide.

What Trivy Scans

Vulnerabilities

  • OS Packages: Alpine, Debian, Ubuntu, RHEL, CentOS, Oracle Linux, Amazon Linux, etc.
  • Language Dependencies: npm, pip, gem, cargo, composer, nuget, go.mod, maven, gradle
  • Container Images: Docker, Podman, containerd
  • Kubernetes: Running clusters, YAML manifests

Misconfigurations (IaC)

  • Infrastructure: Terraform, CloudFormation, ARM templates
  • Containers: Dockerfile, Containerfile
  • Kubernetes: YAML manifests, Helm charts, Kustomize
  • Cloud: AWS, Azure, GCP configurations

Secrets

  • API Keys: AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, etc.
  • Private Keys: RSA, SSH, JWT secrets
  • Credentials: Passwords, tokens, connection strings

Other

  • License Compliance: OSS license detection
  • SBOM: Generate/validate SBOMs (CycloneDX, SPDX)
  • Malware: Via ClamAV integration

Installation

Binary

# macOS
brew install trivy

# Debian/Ubuntu
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

# Or download binary directly
curl -L https://github.com/aquasecurity/trivy/releases/latest/download/trivy_Linux-64bit.tar.gz | tar xz

Docker

docker run aquasec/trivy image nginx:latest

Kubernetes (Trivy Operator)

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --create-namespace

Usage Examples

Scan Container Image

# Basic scan
trivy image nginx:latest

# Only HIGH and CRITICAL vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest

# Fail CI if vulnerabilities found
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

# Output in JSON
trivy image --format json --output results.json nginx:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed nginx:latest

# Skip OS packages, scan only language dependencies
trivy image --vuln-type library nginx:latest
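The --severity, --ignore-unfixed and --exit-code flags above make the gating decision inside trivy. The following added example (not part of the original page or of Trivy itself) applies the same policy to a saved `--format json` report, so one scan can feed several policies, for instance block on CRITICAL but only warn on HIGH. The embedded report is a constructed sample in Trivy's JSON layout, and the CVE ids in it are placeholders.

```python
"""Policy gate over a Trivy JSON report (trivy image --format json --output results.json ...)."""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in Trivy's JSON layout; the CVE ids and versions are made up.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian 12.1)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc-bin", "Severity": "HIGH",
              "InstalledVersion": "2.36-9", "FixedVersion": "2.36-9+deb12u1"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.9-1", "FixedVersion": ""},   # no fix published yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "LOW",
              "InstalledVersion": "1:1.2.13", "FixedVersion": "1:1.2.13.dfsg-1"},
         ]},
        # Trivy omits the Vulnerabilities key entirely for a clean target.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs"},
    ],
})


def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (exit_code, findings).

    exit_code is 1 when any vulnerability is at or above min_severity (like
    --exit-code 1 --severity ...); when ignore_unfixed is set, entries without a
    FixedVersion are skipped first (like --ignore-unfixed).
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) >= threshold:
                findings.append((result["Target"], vuln["PkgName"],
                                 vuln["VulnerabilityID"], vuln["Severity"]))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    # Usage: python gate.py [results.json]; falls back to the constructed sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, hits = gate(report, "HIGH", ignore_unfixed=True)
    for hit in hits:
        print("%s  %s  %s  %s" % hit)
    raise SystemExit(code)
```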

Scan Git Repository

# Scan all aspects of a repository
trivy repo https://github.com/your/repo

# Scan only secrets
trivy repo --scanners secret https://github.com/your/repo

# Scan only IaC misconfigurations
trivy repo --scanners misconfig https://github.com/your/repo

Scan Filesystem

# Scan local directory
trivy fs /path/to/project

# Scan with all scanners enabled
trivy fs --scanners vuln,misconfig,secret /path/to/project

# Skip directories that should not be scanned (e.g. vendored dependencies)
trivy fs --skip-dirs node_modules /path/to/project

Scan Kubernetes

# Scan entire cluster
trivy k8s cluster

# Scan specific namespace
trivy k8s --namespace production

# Scan all pods and show report
trivy k8s --report=summary cluster

# Scan a single manifest file
trivy config kubernetes/deployment.yaml

Scan Terraform

trivy config terraform/

# Only show HIGH and CRITICAL issues
trivy config --severity HIGH,CRITICAL terraform/

CI/CD Integration

GitHub Actions

name: Trivy scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        # For production pipelines pin to a release tag or commit SHA rather than a moving branch
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload results to GitHub
        # exit-code 1 fails the previous step on findings; without this the upload is skipped
        # exactly when there is something to report
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

GitLab CI

trivy-scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is `trivy`; clear it so the script lines run as shell commands
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER       # lets trivy pull the freshly built image from the GitLab registry
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

Docker Scanning in Build Pipeline

# Build image
docker build -t myapp:latest .

# Scan before pushing
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

# Push if scan passed
docker push myapp:latest

Report Output

nginx:latest (debian 12.1)
============================
Total: 45 (HIGH: 30, CRITICAL: 15)

┌─────────────┬─────────────────┬──────────┬────────┬───────────────────┬───────────────┐
│   Library   │ Vulnerability   │ Severity │ Status │ Installed Version │ Fixed Version │
├─────────────┼─────────────────┼──────────┼────────┼───────────────────┼───────────────┤
│ libc-bin    │ CVE-2023-XXXX   │ HIGH     │ fixed  │ 2.36-9            │ 2.36-9+deb12u1│
│ libssl3     │ CVE-2023-YYYY   │ CRITICAL │ fixed  │ 3.0.9-1           │ 3.0.11-1~deb12│
└─────────────┴─────────────────┴──────────┴────────┴───────────────────┴───────────────┘

SBOM Generation

# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate SPDX SBOM
trivy image --format spdx-json --output sbom.spdx.json nginx:latest

# Scan an existing SBOM for vulnerabilities
trivy sbom sbom.json

Trivy vs Alternatives

Feature            | Trivy            | Snyk           | Grype            | Clair
-------------------|------------------|----------------|------------------|-----------------
Open Source        | Yes (Apache-2.0) | No (free tier) | Yes (Apache-2.0) | Yes (Apache-2.0)
Container scanning | Yes              | Yes            | Yes              | Yes
IaC scanning       | Yes              | Yes            | No               | No
Secret scanning    | Yes              | Yes            | No               | No
K8s scanning       | Yes              | Yes            | No               | Limited
License scanning   | Yes              | Yes            | No               | No
SBOM generation    | Yes              | Yes            | Yes              | No
CI/CD integration  | Easy             | Easy           | Easy             | Complex
Offline mode       | Yes              | Limited        | Yes              | Yes

FAQ

Q: How fast is scanning? A: Very fast. A typical Docker image scan completes in 10-30 seconds. The first run downloads the vulnerability database (~300MB); subsequent scans use the cache.

Q: How often is the database updated? A: Trivy's vulnerability database is updated every 6 hours from official sources such as NVD, Alpine secdb and the Debian Security Tracker. Run trivy image --download-db-only to update it manually.

Q: Can it be used offline? A: Yes. Use --offline mode: download the database to a chosen location in advance, then use it in the isolated environment. Suitable for security scanning in restricted environments.

Sources and Acknowledgements
