Trivy does security scanning differently — it unifies five distinct types of scans into a single CLI tool that works across container images, filesystems, Git repositories, virtual machine images, and Kubernetes clusters. This all-in-one approach is architecturally non-trivial given the wildly different data sources and parsing strategies each scanner requires. Yet Trivy manages to provide a composable interface that lets you run multiple scanners in one pass, streamlining cloud-native security workflows.
What Trivy is and how it works
Trivy is an open-source security scanner developed by Aqua Security, written entirely in Go. It consolidates vulnerability detection, infrastructure-as-code (IaC) misconfiguration scanning, secret discovery, software bill of materials (SBOM) generation, and license analysis under one roof.
The tool supports scanning a wide variety of targets: container images, filesystems, Git repositories, virtual machine images, and Kubernetes clusters. This broad target support is rare in the security scanning space, where tools often specialize in just one domain.
Under the hood, Trivy’s architecture revolves around a composable CLI design. The command line interface follows the pattern:
trivy <target> [--scanners <scanner1,scanner2>] <subject>
Here, <target> specifies the type of resource to scan (e.g., image, fs, git, k8s), and --scanners lets you select one or more scanners to run, such as vuln for vulnerabilities, misconfig for IaC misconfigurations, secret for secret detection, sbom for bill of materials generation, and license for license analysis.
This composability means you can run a single command to get vulnerability reports, detect secrets, and check misconfigurations simultaneously on a filesystem or container image. The CLI orchestrates the appropriate scanning modules and aggregates their output.
Trivy compiles to a single static binary or can be run as a Docker container. It supports installation via popular package managers like Homebrew, making it easy to integrate into developer environments and CI/CD pipelines.
What makes Trivy’s approach technically interesting
Trivy’s standout technical strength is its unified scanner architecture implemented in Go. Each type of scan—vulnerabilities, misconfiguration, secrets, SBOM, license—is conceptually distinct and requires specialized parsing and data sources.
For example, vulnerability scanning depends on CVE databases and package metadata, misconfiguration scanning analyzes IaC templates like Kubernetes manifests or Terraform files, secret scanning searches for sensitive strings or keys, while SBOM generation involves cataloging dependencies and licenses.
Managing all these scanners under one CLI requires careful modular design. Trivy’s codebase handles this by exposing a flexible scanning interface and clean command dispatching logic. This composability is impressive given the challenges in maintaining consistent output formats and error handling across scanner types.
The choice of Go is pragmatic: it produces minimal dependencies and static binaries, which are critical for security tools deployed in varied environments. Go’s concurrency model also helps efficiently scan large targets like container images or Kubernetes clusters.
Tradeoffs are clear: while Trivy offers broad coverage, it may not match the depth or customization of specialized scanners focused solely on vulnerabilities or IaC misconfigurations. However, for many teams, the convenience of a single tool outweighs this.
Additionally, Trivy integrates deeply with popular platforms, including GitHub Actions for shift-left security, a Kubernetes operator for cluster-native scanning, and a VS Code plugin for developer feedback. These integrations show a well-rounded ecosystem approach.
Quick start
Get Trivy
Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
- brew install trivy
- docker run aquasec/trivy
- Download binary from
- See [Installation] for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
- GitHub Actions
- Kubernetes operator
- VS Code plugin
- See [Ecosystem] for more
Canary builds
There are canary builds (Docker Hub, GitHub, ECR images and binaries) generated with every push to the main branch.
Please be aware: canary builds might have critical bugs, so they are not recommended for use in production.
General usage
trivy <target> [--scanners <scanner1,scanner2>] <subject>
Examples:
trivy image python:3.4-alpine
trivy fs --scanners vuln,secret,misconfig myproject/
trivy k8s --report summary cluster
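The aggregated output of a multi-scanner run is what a CI job actually consumes. As an added example (not Trivy's own code), the script below reads the JSON report from `trivy fs --scanners vuln,secret,misconfig --format json myproject/` (`--format json` is Trivy's JSON output flag) and decides whether the build may proceed; it assumes the field names of Trivy's JSON report (Results[].Vulnerabilities, Misconfigurations, Secrets), and the report itself is constructed inline with placeholder IDs.

```python
import json

# Added example, not Trivy's own code. Field names follow Trivy's JSON report;
# the report below is constructed here with placeholder IDs (CVE-0000-*, KSV-EXAMPLE*).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "myproject/",
    "Results": [
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
              "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "deploy/deployment.yaml", "Class": "config", "Type": "kubernetes",
         "Misconfigurations": [
             {"ID": "KSV-EXAMPLE", "Title": "Container runs as root",
              "Severity": "MEDIUM", "Status": "FAIL"},
             {"ID": "KSV-EXAMPLE-2", "Title": "Read-only root filesystem",
              "Severity": "HIGH", "Status": "PASS"}]},
        {"Target": "config/settings.py", "Class": "secret",
         "Secrets": [{"RuleID": "example-token", "Category": "Example", "Severity": "HIGH",
                      "Title": "Example API token", "StartLine": 12}]},
    ],
})

BLOCKING = {"CRITICAL", "HIGH"}  # severities that fail the build

def evaluate(report_json: str) -> dict:
    """Aggregate all three scanners' findings and list those that block the build."""
    summary = {"vuln": 0, "misconfig": 0, "secret": 0, "blocking": []}
    for result in json.loads(report_json).get("Results", []):
        target = result["Target"]
        for v in result.get("Vulnerabilities", []):
            summary["vuln"] += 1
            # Block only on severe issues that already have a fixed version to move to.
            if v["Severity"] in BLOCKING and v.get("FixedVersion"):
                summary["blocking"].append(f"{target}: {v['VulnerabilityID']} {v['PkgName']} -> {v['FixedVersion']}")
        for m in result.get("Misconfigurations", []):
            if m.get("Status") != "FAIL":  # PASS entries are informational only
                continue
            summary["misconfig"] += 1
            if m["Severity"] in BLOCKING:
                summary["blocking"].append(f"{target}: {m['ID']} {m['Title']}")
        for s in result.get("Secrets", []):
            summary["secret"] += 1  # any committed secret blocks, whatever its severity
            summary["blocking"].append(f"{target}:{s['StartLine']} {s['RuleID']}")
    return summary

def build_passes(report_json: str) -> bool:
    """True when no blocking finding was reported by any scanner."""
    return not evaluate(report_json)["blocking"]
```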
Navigating Trivy’s code and documentation
The repository is primarily written in Go and organized around the scanning modules for each supported scanner type. The CLI logic is cleanly separated from the scanning implementations, making it easier to follow how commands map to scanner invocations.
The README and docs provide detailed explanations of each scanner’s capabilities and configuration options. For those interested in contributing or extending Trivy, the modular design means you can add new scanners or targets with a well-defined interface.
Key areas to explore in the repo include the cmd directory for CLI entry points and the scanner packages for vulnerability, secret, and misconfiguration detection. The integration points for Kubernetes and GitHub Actions offer insight into how Trivy fits into cloud-native CI/CD pipelines.
Verdict
Trivy is a practical, well-engineered tool for teams wanting a single binary to cover multiple security scanning needs. Its design balances breadth and usability, making it a solid choice for shift-left security in cloud-native environments.
If you need a quick, composable scanner that covers vulnerabilities, secrets, and misconfigurations across containers, filesystems, and Kubernetes, Trivy deserves serious consideration.
The tradeoff is that it may not replace more specialized scanners if you require deep, customized scanning rules or advanced compliance reporting.
Overall, Trivy’s approach to unifying diverse security scanners under one CLI is a good example of pragmatic Go CLI design and a useful addition to any security-conscious developer’s toolkit.
→ GitHub Repo: aquasecurity/trivy ⭐ 34,858 · Go