Trivy — all-in-one security scanner for images, repos, k8s and VMs | aquasecurity/trivy

#11dailyJun 5, 2026OpenAI

Open on GitHub README URL

Summary

Trivy — all-in-one security scanner for images, repos, k8s and VMs

The generated summary body for the selected provider.

OpenAImodel: gpt-5-mini

Highlights

1Multi-target scanning: images, fs, git repos, VMs, k8s
2Detects CVEs, IaC misconfigs, secrets and generates SBOMs
3Integrates with GitHub Actions, k8s operator and VS Code

go security scanner container sbom ci kubernetes

Overview

Trivy is a comprehensive security scanner (written in Go) that inspects multiple targets — Container Image, Filesystem, Git repository (remote), Virtual Machine Image and Kubernetes — using multiple scanners for OS packages/SBOM, known vulnerabilities (CVEs), IaC misconfigurations, sensitive information (secrets) and software licenses. The project is Apache-2.0 licensed and provides binary, Homebrew and Docker distribution channels, plus canary builds generated on every push to main (not recommended for production).

Translation

Translated body generated separately from the summary.

No translation available yet.

README

aquasecurity/trivy

Captured original README content.

📖 Documentation

</div>

Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

Container Image
Filesystem
Git Repository (remote)
Virtual Machine Image
Kubernetes

Scanners (what Trivy can find there):

OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the page.

<details> <summary>Result</summary> </details> <details> <summary>Result</summary> </details> <details> <summary>Result</summary> </details>

Key features (concrete from README)

Targets: Container Image, Filesystem, Git Repository (remote), Virtual Machine Image, Kubernetes
Scanners: OS packages & dependencies (SBOM), CVEs, IaC misconfigurations, secrets, licenses
Integrations: GitHub Actions, Kubernetes operator, VS Code extension and a broader ecosystem
Distribution: brew install trivy, docker run aquasec/trivy, or download release binaries
Examples from README: trivy image python:3.4-alpine, trivy fs --scanners vuln,secret,misconfig myproject/, trivy k8s --report summary cluster

Who it’s useful for

DevSecOps and platform teams securing container images, clusters and CI pipelines
Developers and SREs who need quick local scans (filesystem or repo) and SBOM generation
Security engineers integrating scans into CI/CD (GitHub Actions) or IDEs (VS Code)

Why it matters / Why it’s trending now

Trivy is trending (255 stars today; 35,677 total; rank #11 for today) because it combines multi-target scanning, SBOM and secrets detection in a single tool while offering broad integrations and straightforward install paths. The active release cadence (canary builds for every push), extensive ecosystem links, and large community usage (high GitHub stars and Docker pulls) drive adoption and visibility.

Install via Homebrew, Docker or download the latest release. Use the CLI pattern trivy <target> [--scanners <scanner1,scanner2>] <subject> to run scans. See the project docs for full scanning coverage and ecosystem integrations.

Why contribute / adopt

Open-source from Aqua Security with a documented ecosystem and CI integrations makes Trivy practical to adopt in pipelines or extend for additional scanning needs.

To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:

brew install trivy
docker run aquasec/trivy
Download binary from https://github.com/aquasecurity/trivy/releases/latest/
See Installation for more

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:

There are canary builds (Docker Hub, GitHub, ECR images and binaries) generated with every push to the main branch.

Please be aware: canary builds might have critical bugs, so they are not recommended for use in production.

trivy <target> [--scanners <scanner1,scanner2>] <subject>

trivy image python:3.4-alpine

trivy fs --scanners vuln,secret,misconfig myproject/

trivy k8s --report summary cluster

How to pronounce the name "Trivy"?

tri is pronounced like trigger, vy is pronounced like envy.

Want more? Check out Aqua

If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users here. In addition check out the https://aquasec.com website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo

Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here

Please ensure to abide by our Code of Conduct during all interactions.

Key features (concrete from README)

Who it’s useful for

Why it matters / Why it’s trending now

Getting started

Why contribute / adopt

Quick Start

Get Trivy

Canary builds

General usage

FAQ

How to pronounce the name "Trivy"?

Want more? Check out Aqua

Community