10 Essential Trivy Vulnerability Scanner Commands for Linux Security

What Is the Trivy Vulnerability Scanner?

The Trivy vulnerability scanner is an open source security tool from Aqua Security. It finds CVEs in container images, filesystems, code repositories, and Kubernetes clusters. I started using it after getting tired of slow commercial scanners that needed API keys and complicated setup.

Trivy is a single binary with zero dependencies. You point it at a target and it tells you what is broken. It scans for known vulnerabilities, misconfigurations, hardcoded secrets, and software licenses. Companies like GitLab, Docker, and Wise use it in production.

If you already use other security tools covered on this site, such as Nmap for network discovery or Wazuh for host monitoring, Trivy fills the gap for container and application security.

Installing Trivy on Linux

Installation is simple. On Debian or Ubuntu, add the official repository:

sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
  | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] \
  https://aquasecurity.github.io/trivy-repo/deb generic main" \
  | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

On RHEL or CentOS, set up the yum repository and install:

sudo tee -a /etc/yum.repos.d/trivy.repo << EOF
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
EOF
sudo yum install trivy

You can also grab a prebuilt binary from the Trivy GitHub releases page or install via Homebrew. Check your install with trivy --version.

10 Essential Trivy Vulnerability Scanner Commands

1. Scan a Container Image

This is what the Trivy vulnerability scanner does best. Point it at any Docker or OCI image and it pulls the manifest, then checks every package layer against the CVE database.

trivy image nginx:latest

It returns a color-coded table showing the package name, installed version, fixed version, severity, and CVE ID. I run this every time I pull a base image for a project. You would be surprised what ships in popular containers.

2. Scan the Local Filesystem

The Trivy vulnerability scanner can also scan a directory on your machine directly. This catches vulnerabilities in application dependencies that have not been packaged into a container yet.

trivy fs /path/to/your/project

It picks up package manifests for npm, pip, gem, go, and maven. Point it at your project root and it walks the dependency tree automatically. No configuration file needed.

3. Scan a Git Repository Remotely

You do not need to clone a repo first. The Trivy vulnerability scanner can scan a remote git repository directly from its URL.

trivy repo https://github.com/your-org/your-project

This is useful in CI/CD pipelines. You can scan a pull request branch before merging without ever writing the code to disk.

4. Scan for Hardcoded Secrets

Trivy finds API keys, passwords, and tokens embedded in your codebase. This used to require a separate dedicated tool. Now it is one flag.

trivy fs --scanners secret /path/to/project

It flags potential secrets and shows the file and line number. I caught an AWS access key in a dotenv file this way that had been sitting there for two months.

5. Scan Kubernetes Cluster Resources

If you run Kubernetes, the Trivy vulnerability scanner checks your cluster for vulnerabilities and misconfigurations. It uses your current kubeconfig context automatically.

trivy k8s --report summary cluster

This scans pods, deployments, services, and namespaces. It reports which container images have vulnerabilities and which resources have overly permissive security contexts.

6. Generate a Software Bill of Materials

A Software Bill of Materials or SBOM lists every package in your software. The Trivy vulnerability scanner generates SBOMs in CycloneDX and SPDX formats.

trivy image --format cyclonedx nginx:latest

SBOMs are becoming a compliance requirement for many organizations. If you need one for an audit, this command produces it in seconds.

7. Scan for Infrastructure Misconfigurations

Trivy checks Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles for insecure configurations. It applies the same rules used by commercial policy engines but with zero setup cost.

trivy config --severity CRITICAL,HIGH ./terraform/

It flags things like containers running as root, overly permissive IAM rules, and missing resource limits. I run this before every Terraform apply. It takes two seconds and catches mistakes I would miss.

8. Scan Multiple Images in One Command

You can scan several targets in a single pass. The Trivy vulnerability scanner processes each one and returns a unified report.

trivy image nginx:latest alpine:latest python:3.9-slim

This is useful for scanning your entire container stack in CI. One command, one output, one parse. No scripting required to loop over images.

9. Output Results in Different Formats

The Trivy vulnerability scanner supports JSON, SARIF, HTML, and table output formats. For automation, pipe JSON into jq or your own tooling.

trivy image --format json --output results.json nginx:latest

SARIF integrates with GitHub Advanced Security. HTML generates a standalone report you can email or share. The table format is the default and works fine for terminal output.

10. Update the Vulnerability Database

Trivy downloads its CVE database on first run and keeps it cached locally. To force a fresh download before a big production scan:

trivy image --download-db-only nginx:latest

I run this in a daily cron job. The database updates automatically in the background, but forcing a refresh before a critical scan guarantees you have the latest CVEs.

Integrating Trivy in a CI/CD Pipeline

The Trivy vulnerability scanner works out of the box with GitHub Actions. You add a step that runs trivy image on the build artifact. The action fails the pipeline if it finds vulnerabilities above a severity threshold you set. GitLab CI, Jenkins, and CircleCI all have similar integrations. The pattern is the same every time. Build the image. Scan it with Trivy. Block the deploy if critical issues show up.
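As an added example (not from the original post or from the Trivy project), here is the "pipe JSON into your own tooling" step from section 9 combined with the block-the-deploy gate described above: it reads a SchemaVersion 2 report as written by trivy image --format json --output results.json, counts vulnerabilities, misconfigurations and secrets by severity, and exits non-zero at or above a threshold. The embedded sample report, its CVE ids and the function names are my own constructed placeholders.

```python
"""Gate a CI job on a Trivy JSON report (trivy image --format json --output results.json IMAGE)."""
import json
import sys
from collections import Counter

# Severity order Trivy uses; anything at or above the threshold fails the gate.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Trivy omits the Vulnerabilities/Misconfigurations/Secrets keys when a target has none,
# so every lookup below defaults to an empty list instead of raising KeyError.
FINDING_KEYS = ("Vulnerabilities", "Misconfigurations", "Secrets")


def count_by_severity(report: dict) -> Counter:
    """Count every finding in a SchemaVersion 2 Trivy report, keyed by severity."""
    counts = Counter()
    for result in report.get("Results") or []:
        for key in FINDING_KEYS:
            for finding in result.get(key) or []:
                counts[finding.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def gate(report: dict, threshold: str = "HIGH") -> bool:
    """Return True when the report has no finding at or above `threshold`."""
    floor = SEVERITIES.index(threshold.upper())
    counts = count_by_severity(report)
    return not any(counts[s] for s in SEVERITIES[floor:])


# Constructed sample in Trivy's JSON layout; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "nginx:latest (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "MEDIUM"},
         ]},
        {"Target": "/app/.env", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "StartLine": 3}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},  # clean target, no findings key
    ],
}

if __name__ == "__main__":
    # Usage: python gate.py results.json [THRESHOLD]; with no file, the constructed sample is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    counts = count_by_severity(report)
    print(" ".join(f"{s}={counts[s]}" for s in reversed(SEVERITIES)))
    sys.exit(0 if gate(report, threshold) else 1)
```

Trivy's own --exit-code 1 --severity CRITICAL,HIGH flags give the same pass/fail inline; parse the JSON yourself when you also want the per-severity counts in the job log.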

You can also integrate with container registries directly. Trivy scans images in Docker Hub, Harbor, and Azure Container Registry without pulling them locally first. This keeps your CI pipeline fast and your build servers clean.

For deeper Linux tooling workflows, check out the fzf tutorial for navigating large output sets like Trivy scan results more efficiently.

Final Thoughts

Trivy replaced three separate tools in my security workflow. It handles vulnerability scanning, secret detection, and configuration auditing from a single binary. No database to maintain. No agent to install. No license fees.

If you run containers or manage Linux servers, install Trivy and scan your base images. You will find things you wish you had known months ago. The official Trivy installation guide has the full details for every platform.
