Scripts · Apr 10, 2026 · 3 min read

Trivy — All-in-One Security Scanner for Containers & Code

Trivy is an open-source, comprehensive security scanner that finds vulnerabilities, misconfigurations, secrets, and SBOM issues in containers, Kubernetes, code repos, and clouds.

Introducción

Trivy is a comprehensive, easy-to-use, open-source security scanner by Aqua Security. It finds vulnerabilities (OS packages, language dependencies), misconfigurations (Terraform, Dockerfile, Kubernetes), secrets (API keys, passwords), and SBOM issues — all from a single binary with zero configuration.

With 34.5K+ GitHub stars and Apache-2.0 license, Trivy has become the de facto standard for container security scanning, integrated into CI/CD pipelines at thousands of organizations worldwide.

What Trivy Scans

Vulnerabilities

  • OS Packages: Alpine, Debian, Ubuntu, RHEL, CentOS, Oracle Linux, Amazon Linux, etc.
  • Language Dependencies: npm, pip, gem, cargo, composer, nuget, go.mod, maven, gradle
  • Container Images: Docker, Podman, containerd
  • Kubernetes: Running clusters, YAML manifests

Misconfigurations (IaC)

  • Infrastructure: Terraform, CloudFormation, ARM templates
  • Containers: Dockerfile, Containerfile
  • Kubernetes: YAML manifests, Helm charts, Kustomize
  • Cloud: AWS, Azure, GCP configurations

Secrets

  • API Keys: AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, etc.
  • Private Keys: RSA, SSH, JWT secrets
  • Credentials: Passwords, tokens, connection strings

Other

  • License Compliance: OSS license detection (--scanners license)
  • SBOM: Generate SBOMs (CycloneDX, SPDX) and scan existing SBOMs for vulnerabilities

Installation

Binary

# macOS
brew install trivy

# Debian/Ubuntu (apt-key is deprecated; store the key in a keyring and bind it with signed-by)
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

# Or use the upstream install script (append a release tag as the last argument to pin a version)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Docker

# Mount a cache directory so the vulnerability database is not re-downloaded on every run
docker run --rm -v "$HOME/.cache/trivy:/root/.cache/trivy" aquasec/trivy:latest image nginx:latest

Kubernetes (Trivy Operator)

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --create-namespace

Usage Examples

Scan Container Image

# Basic scan
trivy image nginx:latest

# Only HIGH and CRITICAL vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest

# Fail CI if vulnerabilities found
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

# Output in JSON
trivy image --format json --output results.json nginx:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed nginx:latest

# Skip OS packages, scan only language dependencies
# (--pkg-types replaced the older --vuln-type flag in recent releases)
trivy image --pkg-types library nginx:latest

Scan Git Repository

# Scan all aspects of a repository
trivy repo https://github.com/your/repo

# Scan only secrets
trivy repo --scanners secret https://github.com/your/repo

# Scan only IaC misconfigurations
trivy repo --scanners misconfig https://github.com/your/repo

Scan Filesystem

# Scan local directory (default scanners for fs: vuln and secret)
trivy fs /path/to/project

# Enable every scanner, including IaC misconfiguration and license checks
trivy fs --scanners vuln,misconfig,secret,license /path/to/project

# Skip directories you do not want scanned
trivy fs --skip-dirs node_modules /path/to/project

Scan Kubernetes

Cluster scans use the current kubeconfig context and need read access to the cluster. Older releases took a positional target (trivy k8s cluster, trivy k8s --namespace ...); current releases use the flags below.

# Scan the whole cluster and print a summary
trivy k8s --report summary

# Limit the scan to one namespace
trivy k8s --include-namespaces production --report summary

# Full per-resource findings instead of the summary
trivy k8s --report all

# Scan a single manifest file (no cluster access needed)
trivy config kubernetes/deployment.yaml

Scan Terraform

trivy config terraform/

# Only show HIGH and CRITICAL issues
trivy config --severity HIGH,CRITICAL terraform/

CI/CD Integration

GitHub Actions

name: Trivy scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        # Pin to a release tag or commit SHA, not a moving branch such as @master
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload results to GitHub
        # exit-code 1 fails the previous step when findings exist; upload anyway so they reach Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

GitLab CI

trivy-scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy itself; clear it so script lines run as commands
  variables:
    # Registry credentials for scanning the image built earlier in the pipeline
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

Docker Scanning in Build Pipeline

# Build image
docker build -t myapp:latest .

# Scan before pushing; a non-zero exit code stops the pipeline here
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest || exit 1

# Push only if the scan passed
docker push myapp:latest

Report Output

nginx:latest (debian 12.1)
============================
Total: 45 (HIGH: 30, CRITICAL: 15)

┌─────────────┬─────────────────┬──────────┬────────┬───────────────────┬───────────────┐
│   Library   │ Vulnerability   │ Severity │ Status │ Installed Version │ Fixed Version │
├─────────────┼─────────────────┼──────────┼────────┼───────────────────┼───────────────┤
│ libc-bin    │ CVE-2023-XXXX   │ HIGH     │ fixed  │ 2.36-9            │ 2.36-9+deb12u1│
│ libssl3     │ CVE-2023-YYYY   │ CRITICAL │ fixed  │ 3.0.9-1           │ 3.0.11-1~deb12│
└─────────────┴─────────────────┴──────────┴────────┴───────────────────┴───────────────┘
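The build-gate pattern above (scan, then push only on a clean result) and the report layout are easiest to automate from Trivy's JSON output rather than the table. The following is an added example, not Trivy's own code: it reads the JSON written by trivy image --format json --output results.json, applies a policy (secrets always block; HIGH/CRITICAL block only when a fix exists, mirroring --ignore-unfixed; unfixed ones are surfaced as warnings) and honours an ignore list with expiry dates, the same idea as expired_at in .trivyignore.yaml. The embedded report, its package names and the CVE-TEST-* identifiers are constructed to match Trivy's schema and are not real findings.

```python
"""Policy gate over Trivy JSON output (added example, not Trivy's own code)."""
import json
import sys
from datetime import date

# Severities that block the build when a fix exists (mirrors --severity HIGH,CRITICAL).
FAIL_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample in Trivy's JSON layout (SchemaVersion 2): one OS-package
# result, one language-package result and one secret result. Placeholder IDs.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-TEST-0001", "PkgName": "libc-bin",
              "InstalledVersion": "2.36-9", "FixedVersion": "2.36-9+deb12u1",
              "Status": "fixed", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-TEST-0002", "PkgName": "libssl3",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1~deb12u1",
              "Status": "fixed", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-TEST-0003", "PkgName": "perl-base",
              "InstalledVersion": "5.36.0-7", "FixedVersion": "",
              "Status": "affected", "Severity": "HIGH"},
         ]},
        {"Target": "usr/share/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-TEST-0004", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
              "Status": "fixed", "Severity": "MEDIUM"},
         ]},
        {"Target": "etc/app.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3},
         ]},
    ],
})


def iter_findings(report):
    """Yield (kind, target, finding) for every vulnerability and secret entry.
    Trivy omits Vulnerabilities/Secrets (or emits null) for clean results, hence `or []`."""
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            yield "vuln", target, vuln
        for secret in result.get("Secrets") or []:
            yield "secret", target, secret


def evaluate(report_json, ignores=None, today=None):
    """Return blocking/warning/ignored findings and the exit code a CI job should use.

    `ignores` maps a vulnerability ID to an ISO expiry date; once expired the
    ignore no longer applies, so a risk acceptance cannot silently live forever.
    """
    ignores = ignores or {}
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    blocking, warnings, ignored = [], [], []
    for kind, target, f in iter_findings(json.loads(report_json)):
        if kind == "secret":
            # A leaked credential is a hard stop whatever its severity label says.
            blocking.append(f"{target}: secret {f.get('RuleID')}")
            continue
        vid = f["VulnerabilityID"]
        sev = f.get("Severity", "UNKNOWN")
        label = f"{vid} {f['PkgName']} {f['InstalledVersion']} ({sev})"
        expiry = ignores.get(vid)
        if expiry and date.fromisoformat(expiry) >= today:
            ignored.append(label)
            continue
        if sev not in FAIL_SEVERITIES:
            continue
        if f.get("FixedVersion"):
            blocking.append(f"{label} -> fix {f['FixedVersion']}")
        else:
            # Same effect as --ignore-unfixed, but the finding is still surfaced.
            warnings.append(f"{label} no fix available")
    return {"blocking": blocking, "warnings": warnings, "ignored": ignored,
            "exit_code": 1 if blocking else 0}


if __name__ == "__main__":
    # Usage: python gate.py results.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(data, ignores={"CVE-TEST-0002": "2026-12-31"})
    for key in ("blocking", "warnings", "ignored"):
        for line in verdict[key]:
            print(f"{key.upper():8} {line}")
    sys.exit(verdict["exit_code"])
```

Run it as python gate.py results.json after the trivy image --format json step and let its exit code replace the bare --exit-code 1: the build fails on the fixable HIGH in libc-bin and on the AWS key, the unfixed HIGH in perl-base is only reported, the accepted libssl3 issue is skipped until its expiry date, and the MEDIUM npm finding is below the threshold.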

SBOM Generation

# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate SPDX SBOM
trivy image --format spdx-json --output sbom.spdx.json nginx:latest

# Scan an existing SBOM for vulnerabilities
trivy sbom sbom.json

Trivy vs Alternatives

Feature              Trivy              Snyk             Grype              Clair
Open source          Yes (Apache-2.0)   No (free tier)   Yes (Apache-2.0)   Yes (Apache-2.0)
Container scanning   Yes                Yes              Yes                Yes
IaC scanning         Yes                Yes              No                 No
Secret scanning      Yes                Yes              No                 No
K8s scanning         Yes                Yes              No                 Limited
License scanning     Yes                Yes              No                 No
SBOM generation      Yes                Yes              Via Syft           No
CI/CD integration    Easy               Easy             Easy               Complex
Offline mode         Yes                Limited          Yes                Yes

FAQ

Q: How fast is scanning? A: Fast. Once the vulnerability database is cached, a typical container image scan completes in seconds to tens of seconds; the first run is slower because it downloads the database, and subsequent scans reuse the cache.

Q: How often is the database updated? A: The trivy-db is rebuilt every six hours from upstream sources (NVD, distribution security trackers such as Alpine secdb and the Debian Security Tracker, and language ecosystem advisories). Trivy checks for a newer database automatically at scan time; run trivy image --download-db-only to refresh it manually and --skip-db-update to avoid the check during a scan.

Q: Can it be used offline? A: Yes, but there is no single --offline flag. Download the databases on a connected machine (trivy image --download-db-only --cache-dir ./trivy-cache, plus --download-java-db-only if you scan Java artifacts), copy the cache directory into the isolated environment, and scan with --cache-dir ./trivy-cache --skip-db-update --offline-scan so Trivy neither fetches the database nor contacts external services to resolve dependencies.
