Trivy Scan: Open Source Vulnerability Scanner for Containers and Code

Written By:
Founder & CTO
June 18, 2025

In the ever-evolving world of cloud-native development, containers and microservices have become the norm. However, they come with their own set of security challenges. Vulnerabilities in container images, misconfigurations in Kubernetes deployments, and secrets accidentally committed to code are all too common. This is where Trivy Scan, an open-source vulnerability scanner, emerges as a critical tool in every developer's DevSecOps arsenal.

Trivy is a lightweight, versatile, and developer-friendly security scanner built by Aqua Security. Designed to help developers and DevOps teams find vulnerabilities early in the development lifecycle, Trivy supports a wide array of scan targets including container images, file systems, Git repositories, Infrastructure as Code (IaC) configurations, Kubernetes manifests, Software Bill of Materials (SBOMs), and even cloud resources.

Let’s explore how Trivy Scan works, what makes it stand out from traditional scanning tools, and why developers, DevOps engineers, and security professionals are rapidly adopting it to secure modern software systems.

What Is Trivy?

Trivy is a comprehensive, open-source vulnerability scanner developed to simplify and accelerate container and code security checks. It supports scanning for:

  • Known vulnerabilities (CVEs) in operating system packages and language-specific dependencies

  • Infrastructure as Code (IaC) misconfigurations in files such as Kubernetes manifests, Dockerfiles, and Terraform templates

  • Exposed secrets such as API tokens, passwords, and SSH keys embedded in code or configurations

  • Software licenses that may pose legal or compliance risks

  • SBOM analysis to generate and verify Software Bill of Materials in formats like CycloneDX and SPDX

The primary focus of Trivy is to enable “shift-left” security, allowing vulnerabilities and misconfigurations to be detected early in the software development process. It is designed to be fast, simple to use, and easy to integrate into existing development workflows including CI/CD pipelines, IDEs, and cloud-native environments.

Why Developers Love Trivy

Trivy isn’t just another tool in the security toolbox. It is purpose-built with developer experience in mind. Here’s why developers consistently choose Trivy Scan over more traditional solutions:

1. Blazing Fast Scans
Trivy is built for speed. Initial scans fetch vulnerability databases from Trivy's upstream sources, but subsequent scans are incredibly fast because of local caching. This means developers can run Trivy scans locally or in CI/CD pipelines without delaying deployments. It’s not uncommon for scans to complete in just a few seconds, even for moderately complex images or repositories.

2. Zero Setup and Stateless Design
Unlike traditional vulnerability scanners that require setup of backend services, databases, or agents, Trivy is completely stateless. It downloads updated vulnerability databases automatically when you run it, ensuring that your scans are based on the most recent information. This makes it perfect for use in ephemeral CI/CD environments or containerized workflows where persistent state is not an option.

3. Multi-layered Security Scanning
Trivy doesn’t just scan container images. It scans:

  • OS-level vulnerabilities (e.g., Debian, Ubuntu, Alpine, RHEL)

  • Application dependencies (npm, pip, Go modules, Maven, etc.)

  • Dockerfiles and Kubernetes manifests for misconfigurations

  • File systems and Git repos for hardcoded secrets

  • Software licenses for compliance issues

This multi-dimensional coverage makes Trivy Scan a one-stop solution for developers who want comprehensive visibility into their application’s security posture.

4. Ideal for Shift-Left Security
Security needs to start at the beginning of the development lifecycle, not at the end. Trivy integrates easily into local development environments, pre-commit hooks, GitHub Actions, GitLab CI, CircleCI, and Jenkins. This makes it possible for developers to detect and resolve vulnerabilities before the code even hits production.

5. Developer-Friendly Output
Trivy’s output is clean, readable, and actionable. Developers can customize output formats such as table, JSON, or SARIF, enabling seamless integration with IDEs, dashboards, and reporting systems. Trivy also supports filtering by severity, ignoring unfixed vulnerabilities, and customizing exit codes, all essential features for automated pipelines.

6. Small Footprint, Big Impact
Despite its extensive capabilities, Trivy’s binary size is around 30MB. It’s extremely lightweight and can be run in virtually any environment: as a CLI tool, in Docker containers, in Kubernetes, or as part of automated CI pipelines. Its small footprint and stateless design make it suitable for even constrained environments.

Key Features That Matter

Let’s take a deep dive into the major capabilities that set Trivy apart:

OS and Application Dependency Scanning
Trivy can scan container images for vulnerabilities in both base OS packages and application-level dependencies. For instance, it can identify outdated glibc libraries in Ubuntu or vulnerabilities in npm packages like lodash.

This dual-layer scanning is critical because many vulnerabilities hide in the dependencies installed via pip, npm, or Maven, not just in the base image itself.

Misconfiguration Detection in IaC
Misconfigured Dockerfiles, Kubernetes manifests, and Terraform modules are common attack vectors. Trivy helps you catch:

  • Containers running as root

  • Insecure port bindings

  • Privilege escalation permissions

  • Open ingress rules in cloud IaC

By scanning configuration files, Trivy promotes secure-by-default practices, helping developers and DevOps engineers avoid critical security missteps.

Secret Scanning
Trivy’s secret detection engine identifies credentials, API keys, tokens, and other secrets accidentally committed to source code. Secrets are matched against a growing set of built-in rules, and users can define custom patterns using regular expressions. Running it in pre-commit hooks or CI helps keep sensitive information out of public repositories and production containers.

License Compliance Scanning
License risks can create legal and operational challenges for enterprises. Trivy scans dependencies for their license types and flags high-risk ones like AGPL, GPLv3, or proprietary licenses. This empowers organizations to maintain compliance and avoid legal issues later in the product lifecycle.

SBOM Generation and Validation
Trivy can both generate and analyze SBOMs (Software Bill of Materials). These SBOMs detail every dependency your application includes. It supports major formats like SPDX and CycloneDX, making it easy to export and share with compliance teams, regulators, or customers.

How to Use Trivy: A Developer’s Workflow

Step 1: Installation
Installing Trivy is easy and varies depending on the platform:

macOS:
brew install aquasecurity/trivy/trivy

Linux (Debian/Ubuntu, after adding Aqua's apt repository and signing key as described in the Trivy installation docs):
sudo apt install trivy

Docker (no installation required):
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image myapp:latest

Mounting the Docker socket lets the Trivy container see images built locally; it is not needed for images pulled from a registry. To scan a local directory instead, mount it (for example -v "$(pwd):/project") and run trivy fs /project.

Trivy is also distributed as a standalone binary through its GitHub releases.

Step 2: Scanning Container Images
Once installed, scanning is as simple as:

trivy image node:16-alpine

This command will scan both OS and application packages in the image, and return a categorized list of vulnerabilities, grouped by severity.

To restrict results to just HIGH and CRITICAL vulnerabilities:

trivy image --severity HIGH,CRITICAL --ignore-unfixed node:16-alpine

Step 3: Scanning File Systems or Git Repositories
Want to scan your local project or a remote GitHub repo?

trivy fs ./myproject

trivy repo https://github.com/user/project

Trivy will walk your project’s files and report known vulnerabilities in dependencies, exposed secrets, and misconfigurations in any IaC files it finds.

Step 4: Scanning Kubernetes Configurations or IaC Files

trivy config ./k8s/deployment.yaml

This helps identify insecure container privileges, missing resource limits, and risky environment variable usage.
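To make concrete what a config scan looks for, here is an added Python example, not Trivy's built-in policy set: it applies simplified versions of the checks named on this page (containers that may run as root, privileged mode, privilege escalation, host port bindings, missing resource limits, and secrets passed as plain environment values) to a constructed Deployment manifest. The manifest is written as JSON, which the Kubernetes API accepts alongside YAML, so no YAML library is needed; the container names, image tags and the env value are placeholders. For real scans, use trivy config as shown above.

```python
"""Simplified Kubernetes manifest checks (added example, not Trivy's own policy set)."""
import json

# Constructed Deployment in JSON form (kubectl accepts JSON as well as YAML). Values are made up.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "containers": [
            {"name": "api", "image": "myapp:latest",
             "ports": [{"containerPort": 8080, "hostPort": 8080}],
             "env": [{"name": "DB_PASSWORD", "value": "plaintext-placeholder"}],
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "proxy:1.0",
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
             "env": [{"name": "PROXY_TOKEN",
                      "valueFrom": {"secretKeyRef": {"name": "proxy-creds", "key": "token"}}}],
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}},
        ]}}}})

SENSITIVE_ENV_WORDS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for any workload that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_container(container, pod_security_context):
    """Return (container, check_id, severity) tuples for one container."""
    # Fields set on the container override the pod-level securityContext.
    sc = {**pod_security_context, **container.get("securityContext", {})}
    name = container["name"]
    findings = []
    if sc.get("privileged"):
        findings.append((name, "privileged-container", "CRITICAL"))
    # Without runAsNonRoot the image's default user (often uid 0) decides.
    if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
        findings.append((name, "may-run-as-root", "HIGH"))
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append((name, "privilege-escalation-allowed", "MEDIUM"))
    if not container.get("resources", {}).get("limits"):
        findings.append((name, "no-resource-limits", "LOW"))
    for port in container.get("ports", []):
        if "hostPort" in port:
            findings.append((name, f"host-port-{port['hostPort']}", "MEDIUM"))
    for env in container.get("env", []):
        # A literal value for a secret-looking variable belongs in a Secret referenced via valueFrom.
        if "value" in env and any(w in env["name"].upper() for w in SENSITIVE_ENV_WORDS):
            findings.append((name, "plaintext-env-" + env["name"], "HIGH"))
    return findings


def scan_manifest(manifest_json):
    """Run every container check over a manifest given as a JSON string."""
    spec = pod_spec(json.loads(manifest_json))
    pod_sc = spec.get("securityContext", {})
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(container, pod_sc))
    return findings


if __name__ == "__main__":
    for name, check, severity in scan_manifest(SAMPLE_MANIFEST):
        print(f"{severity:8} {name}: {check}")
```

In the sample, every finding lands on the "api" container; the "sidecar" container passes because it pins a non-root user, disables privilege escalation, sets limits and takes its token from a Secret.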

Step 5: Generating and Scanning SBOMs

trivy image --format cyclonedx --output sbom.json nginx:latest

trivy sbom sbom.json

SBOMs are increasingly used in regulated industries and supply chain security audits. Trivy makes this process effortless.
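Once two SBOMs exist (say, from the previous release's image and the one about to ship), the question an audit usually asks is what changed between them. The following Python script is an added example, not part of Trivy; it reads the CycloneDX JSON fields Trivy emits (bomFormat, components[].name, components[].version, components[].purl) from two constructed documents and reports added, removed and version-changed components. Component names, versions and purls in the samples are made up.

```python
"""Diff two CycloneDX JSON SBOMs (added example, not Trivy's own tooling).

Produce real inputs with, for example:
    trivy image --format cyclonedx --output old.json myapp:2.9.0
    trivy image --format cyclonedx --output new.json myapp:3.0.0
    python sbom_diff.py old.json new.json
"""
import json
import sys


def _component_key(component):
    """Identity of a component independent of its version: the purl with the
    '@version' and any '?qualifiers' stripped, or the bare name if no purl is given."""
    purl = component.get("purl")
    if not purl:
        return component["name"]
    base = purl.split("?", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def sbom_components(sbom_json):
    """Map component key -> version for a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={sbom.get('bomFormat')!r}")
    return {_component_key(c): c.get("version", "") for c in sbom.get("components", [])}


def diff_sboms(old_json, new_json):
    """Return {'added': {key: ver}, 'removed': {key: ver}, 'changed': {key: (old, new)}}."""
    old, new = sbom_components(old_json), sbom_components(new_json)
    return {
        "added": {k: v for k, v in new.items() if k not in old},
        "removed": {k: v for k, v in old.items() if k not in new},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def _sample(components):
    """Build a minimal CycloneDX document around constructed components."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", **c} for c in components]})


# Constructed SBOMs for two releases; names, versions and purls are made up.
OLD_SBOM = _sample([
    {"name": "libssl3", "version": "3.1.0-r0", "purl": "pkg:apk/alpine/libssl3@3.1.0-r0?arch=x86_64"},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
])
NEW_SBOM = _sample([
    {"name": "libssl3", "version": "3.1.1-r0", "purl": "pkg:apk/alpine/libssl3@3.1.1-r0?arch=x86_64"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "axios", "version": "1.6.0", "purl": "pkg:npm/axios@1.6.0"},
])


def main(argv):
    if len(argv) == 3:
        old_json, new_json = open(argv[1]).read(), open(argv[2]).read()
    else:
        old_json, new_json = OLD_SBOM, NEW_SBOM  # offline demo on the constructed documents
    delta = diff_sboms(old_json, new_json)
    for key, ver in delta["added"].items():
        print(f"+ {key} {ver}")
    for key, ver in delta["removed"].items():
        print(f"- {key} {ver}")
    for key, (before, after) in delta["changed"].items():
        print(f"~ {key} {before} -> {after}")


if __name__ == "__main__":
    main(sys.argv)
```

Keying on the version-stripped purl rather than on the name avoids treating an npm package and an OS package that happen to share a name as the same component.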

Step 6: Automating Scans in CI/CD Pipelines
Trivy offers native integrations with GitHub Actions, GitLab CI, Jenkins, and more. Example GitHub Action:

- uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:latest
    format: table
    exit-code: 1
    severity: CRITICAL,HIGH

This will block the build if high-severity vulnerabilities are found, keeping production safe.
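The severity filter, --ignore-unfixed and exit-code behaviour described above are built into Trivy, but a pipeline sometimes needs a policy the flags do not express directly, such as an accepted-risk allowlist combined with a per-target report. The following Python script is an added example, not Trivy's code and not part of trivy-action; it applies such a policy to a saved Trivy JSON report using the field names Trivy's JSON output carries (Results[].Target, Vulnerabilities[].VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and ships with a constructed sample report so it runs offline. Every CVE identifier and version in the sample is made up; the ignore file uses the same one-ID-per-line layout as Trivy's .trivyignore.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's own code).

Produce the input with:  trivy image --format json --output report.json myapp:latest
Then run:                python gate.py report.json   (exit code 1 blocks the build)
Without an argument the constructed SAMPLE_REPORT below is used.
"""
import json
import os
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like Trivy's JSON output; every ID and version here is made up.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "myapp:latest (alpine 3.18.0)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             # No FixedVersion at all: the distro has not shipped a fix yet.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "Severity": "HIGH"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "minimist",
              "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6", "Severity": "MEDIUM"}]},
        # A result with no findings: the Vulnerabilities key may be absent or null.
        {"Target": "app/Dockerfile", "Class": "config"},
    ]
})


def parse_ignore_list(text):
    """One vulnerability ID per line, '#' starts a comment (the .trivyignore layout)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=False, ignored_ids=frozenset()):
    """Return findings that violate the policy as tuples
    (target, id, package, installed, fixed, severity), most severe first."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            fixed = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed:            # mirrors trivy --ignore-unfixed
                continue
            if vuln["VulnerabilityID"] in ignored_ids:  # accepted-risk allowlist
                continue
            findings.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                             vuln.get("PkgName", "?"), vuln.get("InstalledVersion", "?"),
                             fixed or "(no fix)", severity))
    findings.sort(key=lambda f: -SEVERITY_RANK[f[5]])
    return findings


def gate_exit_code(report_json, **policy):
    """1 when anything blocks the build, else 0 (mirrors trivy --exit-code 1)."""
    return 1 if blocking_findings(report_json, **policy) else 0


def main(argv):
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    ignored = frozenset()
    if os.path.exists(".trivyignore"):
        ignored = parse_ignore_list(open(".trivyignore").read())
    policy = {"min_severity": "HIGH", "ignore_unfixed": True, "ignored_ids": ignored}
    for target, vid, pkg, installed, fixed, severity in blocking_findings(report, **policy):
        print(f"{severity:8} {vid:16} {pkg} {installed} -> {fixed}  [{target}]")
    return gate_exit_code(report, **policy)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample report and the default policy, the unfixed busybox finding is dropped by ignore_unfixed, the MEDIUM minimist finding falls below the threshold, and the two fixable HIGH/CRITICAL findings fail the build until they are patched or explicitly accepted in the ignore file.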

Developer Advantages Over Traditional Methods

Traditional vulnerability scanners often require setting up backend databases, configuring servers, or managing licenses. They’re resource-heavy, difficult to integrate, and built for security teams, not developers.

Trivy offers a better approach:

  • Speed + Portability: Runs anywhere, quickly

  • Comprehensive Coverage: One tool for containers, IaC, secrets, and SBOM

  • No Maintenance Overhead: Always uses the latest vulnerability database

  • Full Pipeline Integration: CI/CD ready

  • Friendly to Developers: Minimal output noise, customizable reporting, CLI-first

In short, Trivy brings enterprise-grade scanning into the hands of developers, without the enterprise complexity.

Real-World Use Case: Pre-Deployment Scan

Imagine you're about to release version 3.0.0 of your backend service. Before merging your feature branch, your GitHub workflow triggers a Trivy scan. It flags a CRITICAL CVE in your base Docker image and an outdated version of an npm package.

Instead of pushing vulnerable code to production, you patch the base image and bump the package version. Rerun the scan. Clean. Merge complete. Trivy saved your team from a potential production security incident.

Multiply this by every deployment, and you can see why Trivy has become a staple in developer-first security workflows.

Final Thoughts

Trivy Scan is more than just a tool: it is an enabler of secure software development. It gives developers, DevOps teams, and security engineers the visibility, speed, and simplicity needed to bake security into every stage of the SDLC. Whether you’re building containers, managing Kubernetes clusters, or writing Terraform for cloud infrastructure, Trivy has your back.

If you're looking for a container vulnerability scanner, a CI/CD-integrated code security tool, or a shift-left DevSecOps companion, Trivy is the answer.

Start scanning. Stay secure.