# Trivy — All-in-One Security Scanner for Containers & Code

> Trivy is an open-source, comprehensive security scanner that finds vulnerabilities, misconfigurations, secrets, and SBOM issues in containers, Kubernetes, code repos, and clouds.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

```bash
# Install
brew install trivy        # macOS
apt install trivy         # Debian/Ubuntu (after adding the Trivy apt repo, see Installation)

# Scan a Docker image
trivy image nginx:latest

# Scan a Git repository
trivy repo https://github.com/your/repo

# Scan Kubernetes cluster
trivy k8s --report=summary cluster

# Scan filesystem
trivy fs /path/to/project
```

## Intro

**Trivy** is a comprehensive, easy-to-use, open-source security scanner by Aqua Security. It finds vulnerabilities (OS packages, language dependencies), misconfigurations (Terraform, Dockerfile, Kubernetes), secrets (API keys, passwords), and SBOM issues — all from a single binary with zero configuration.

With 34.5K+ GitHub stars and an Apache-2.0 license, Trivy has become the de facto standard for container security scanning, integrated into CI/CD pipelines at thousands of organizations worldwide.

## What Trivy Scans

### Vulnerabilities

- **OS Packages**: Alpine, Debian, Ubuntu, RHEL, CentOS, Oracle Linux, Amazon Linux, etc.
- **Language Dependencies**: npm, pip, gem, cargo, composer, nuget, go.mod, maven, gradle
- **Container Images**: Docker, Podman, containerd
- **Kubernetes**: Running clusters, YAML manifests

### Misconfigurations (IaC)

- **Infrastructure**: Terraform, CloudFormation, ARM templates
- **Containers**: Dockerfile, Containerfile
- **Kubernetes**: YAML manifests, Helm charts, Kustomize
- **Cloud**: AWS, Azure, GCP configurations

### Secrets

- **API Keys**: AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, etc.
- **Private Keys**: RSA, SSH, JWT secrets
- **Credentials**: Passwords, tokens, connection strings

### Other

- **License Compliance**: OSS license detection
- **SBOM**: Generate/validate SBOMs (CycloneDX, SPDX)
- **Malware**: Via ClamAV integration

## Installation

### Binary

```bash
# macOS
brew install trivy

# Debian/Ubuntu
sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

# Or download the binary directly
curl -L https://github.com/aquasecurity/trivy/releases/latest/download/trivy_Linux-64bit.tar.gz | tar xz
```

### Docker

```bash
docker run aquasec/trivy image nginx:latest
```

### Kubernetes (Trivy Operator)

```bash
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator --namespace trivy-system --create-namespace
```

## Usage Examples

### Scan Container Image

```bash
# Basic scan
trivy image nginx:latest

# Only HIGH and CRITICAL vulnerabilities
trivy image --severity HIGH,CRITICAL nginx:latest

# Fail CI if vulnerabilities are found
trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:latest

# Output in JSON
trivy image --format json --output results.json nginx:latest

# Ignore vulnerabilities that have no fixed version yet
trivy image --ignore-unfixed nginx:latest

# Skip OS packages, scan only language dependencies
trivy image --vuln-type library nginx:latest
```

### Scan Git Repository

```bash
# Scan all aspects of a repository
trivy repo https://github.com/your/repo

# Scan only for secrets
trivy repo --scanners secret https://github.com/your/repo

# Scan only for IaC misconfigurations
trivy repo --scanners misconfig https://github.com/your/repo
```

### Scan Filesystem

```bash
# Scan a local directory
trivy fs /path/to/project

# Scan with all scanners enabled
trivy fs --scanners vuln,misconfig,secret /path/to/project

# Skip a directory (e.g. node_modules)
trivy fs --skip-dirs node_modules /path/to/project
```

### Scan Kubernetes

```bash
# Scan the entire cluster
trivy k8s cluster

# Scan a specific namespace
trivy k8s --namespace production

# Scan all pods and show a summary report
trivy k8s --report=summary cluster

# Scan a single manifest file
trivy config kubernetes/deployment.yaml
```

### Scan Terraform

```bash
trivy config terraform/

# Only show HIGH and CRITICAL issues
trivy config --severity HIGH,CRITICAL terraform/
```

## CI/CD Integration

### GitHub Actions

The upload step runs with `if: always()` so the SARIF report still reaches the Security tab when the scan step fails the job, and the job needs `security-events: write` to upload it.

```yaml
name: Trivy scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

### GitLab CI

```yaml
trivy-scan:
  image: aquasec/trivy:latest
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
```

### Docker Scanning in Build Pipeline

```bash
# Build image
docker build -t myapp:latest .

# Scan before pushing
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

# Push only if the scan passed
docker push myapp:latest
```

## Report Output

```
nginx:latest (debian 12.1)
============================
Total: 45 (HIGH: 30, CRITICAL: 15)

┌─────────────┬─────────────────┬──────────┬────────┬───────────────────┬───────────────┐
│   Library   │  Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │
├─────────────┼─────────────────┼──────────┼────────┼───────────────────┼───────────────┤
│ libc-bin    │ CVE-2023-XXXX   │ HIGH     │ fixed  │ 2.36-9            │ 2.36-9+deb12u1│
│ libssl3     │ CVE-2023-YYYY   │ CRITICAL │ fixed  │ 3.0.9-1           │ 3.0.11-1~deb12│
└─────────────┴─────────────────┴──────────┴────────┴───────────────────┴───────────────┘
```

## SBOM Generation

```bash
# Generate a CycloneDX SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate an SPDX SBOM
trivy image --format spdx-json --output sbom.spdx.json nginx:latest

# Scan an existing SBOM for vulnerabilities
trivy sbom sbom.json
```

## Trivy vs Alternatives

| Feature | Trivy | Snyk | Grype | Clair |
|---------|-------|------|-------|-------|
| Open Source | Yes (Apache-2.0) | No (free tier) | Yes (Apache-2.0) | Yes (Apache-2.0) |
| Container scanning | Yes | Yes | Yes | Yes |
| IaC scanning | Yes | Yes | No | No |
| Secret scanning | Yes | Yes | No | No |
| K8s scanning | Yes | Yes | No | Limited |
| License scanning | Yes | Yes | No | No |
| SBOM generation | Yes | Yes | Yes | No |
| CI/CD integration | Easy | Easy | Easy | Complex |
| Offline mode | Yes | Limited | Yes | Yes |

## FAQ

**Q: How fast is scanning?**

A: Very fast. A typical Docker image scan completes in 10-30 seconds. The first run downloads the vulnerability database (~300MB); subsequent scans use the cache.

**Q: How often is the database updated?**

A: Trivy's vulnerability database is updated every 6 hours from official sources including NVD, Alpine secdb, and Debian Security Tracker. Run `trivy image --download-db-only` to update it manually.

**Q: Can it be used offline?**

A: Yes. Use `--offline` mode, pre-download the database to a specified location, and then use it in an isolated environment. This works well for security scanning in restricted environments.

## Sources & Credits

- GitHub: [aquasecurity/trivy](https://github.com/aquasecurity/trivy) — 34.5K+ ⭐ | Apache-2.0
- Official site: [trivy.dev](https://trivy.dev)

---

Source: https://tokrepo.com/en/workflows/trivy-all-one-security-scanner-containers-code-302fe2bb
Author: Script Depot
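The `--format json` output, `--severity` and `--ignore-unfixed` filters and `--exit-code 1` gating shown in the Usage and CI/CD sections above combine into a policy gate that a pipeline can apply to a saved report. The script below is an added example, not Trivy's own code; the report it parses is a constructed sample shaped like Trivy's JSON report (the libc-bin/libssl3 rows and CVE placeholders come from the sample report above, the perl-base and zlib1g rows are made up here), and the `Results` entry without a `Vulnerabilities` key reproduces how Trivy omits that key for a clean target.

```python
"""CI gate over a Trivy JSON report (trivy image --format json --output results.json ...)."""
import json
import sys
from collections import Counter

# Constructed sample shaped like Trivy's JSON report (not real scan output).
# Trivy omits the "Vulnerabilities" key on a result with no findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian 12.1)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-XXXX", "PkgName": "libc-bin", "Severity": "HIGH",
              "InstalledVersion": "2.36-9", "FixedVersion": "2.36-9+deb12u1"},
             {"VulnerabilityID": "CVE-2023-YYYY", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.9-1", "FixedVersion": "3.0.11-1~deb12"},
             {"VulnerabilityID": "CVE-2023-ZZZZ", "PkgName": "perl-base", "Severity": "HIGH",
              "InstalledVersion": "5.36.0-7", "FixedVersion": ""},  # constructed: no fix yet
             {"VulnerabilityID": "CVE-2023-WWWW", "PkgName": "zlib1g", "Severity": "LOW",
              "InstalledVersion": "1.2.13", "FixedVersion": "1.2.13-1"}]},  # constructed
        {"Target": "usr/share/nginx/html/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
})


def gate(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return (per-severity counts, blocking findings) for a Trivy JSON report.

    severities plays the role of --severity; ignore_unfixed plays the role of
    --ignore-unfixed (findings with an empty or absent FixedVersion never block).
    """
    report = json.loads(report_json)
    counts, blocking = Counter(), []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev not in severities or (ignore_unfixed and not vuln.get("FixedVersion")):
                continue
            blocking.append((result["Target"], vuln["PkgName"], vuln["VulnerabilityID"], sev))
    return dict(counts), blocking


def exit_code(report_json, **options):
    """1 when any blocking finding remains (mirrors --exit-code 1), else 0."""
    return 1 if gate(report_json, **options)[1] else 0


if __name__ == "__main__":  # usage: python trivy_gate.py results.json [--ignore-unfixed]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, blocking = gate(data, ignore_unfixed="--ignore-unfixed" in sys.argv)
    print("Total:", sum(counts.values()), dict(counts))
    for target, pkg, cve, sev in blocking:
        print(f"{sev:8} {cve:14} {pkg:12} in {target}")
    sys.exit(exit_code(data, ignore_unfixed="--ignore-unfixed" in sys.argv))
```

Run it without arguments to see the gate applied to the embedded sample; with a real `results.json` it exits non-zero exactly when a HIGH or CRITICAL finding survives the filters.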