
Trivy is an open-source project developed by Aqua Security that scans for vulnerabilities and configuration issues in container images, file systems, and Git repositories. 

It detects vulnerabilities in operating system packages from distributions such as Alpine, RHEL, and CentOS, and in language-specific packages managed by tools such as Bundler, Composer, npm, and yarn.

It can also scan Infrastructure as Code (IaC) files such as Terraform configurations, Dockerfiles, and Kubernetes manifests. This lets users detect configuration issues that could leave deployments vulnerable and open to attack.

According to Aqua Security, Trivy is simple and fast to use, finishing a scan within seconds, and it has no prerequisites to install.

In order to perform a scan, users just need to specify a target, such as the image name of the container. 
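Once a scan has run, the findings across OS packages, language packages, and IaC files described above can be consumed from Trivy's JSON output (`trivy image --format json <target>`). The following is an added example, not code from the Trivy project: it flattens a constructed report shaped like Trivy's JSON output into one list and applies a severity gate of the kind a CI pipeline would use. The artifact name, package names, and all vulnerability and misconfiguration IDs are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report. Every identifier
# below is a placeholder, not a real finding.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "example/app:1.0",
  "Results": [
    {"Target": "example/app:1.0 (alpine 3.x)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder",
        "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-00002", "PkgName": "toolplaceholder",
        "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-00003", "PkgName": "pkgplaceholder",
        "InstalledVersion": "4.0.0", "FixedVersion": "4.1.0", "Severity": "HIGH"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "PLACEHOLDER-001", "Title": "Image runs as root", "Severity": "HIGH"}]}
  ]
}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def findings(report):
    """Flatten vulnerabilities and misconfigurations from every Result into one list.
    Trivy emits null rather than [] when a Result has no entries, hence `or []`."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({"target": result["Target"], "kind": "vuln", "id": v["VulnerabilityID"],
                        "severity": v["Severity"], "fixable": bool(v.get("FixedVersion"))})
        for m in result.get("Misconfigurations") or []:
            out.append({"target": result["Target"], "kind": "misconfig", "id": m["ID"],
                        "severity": m["Severity"], "fixable": True})
    return out

def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking_ids). Fails when any finding is at or above
    the threshold; optionally ignores vulnerabilities with no fixed version."""
    blocking = [f["id"] for f in findings(report)
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]
                and (f["fixable"] or not ignore_unfixed)]
    return (not blocking, blocking)

def summary(report):
    """Count findings per severity, e.g. for a build log line."""
    return Counter(f["severity"] for f in findings(report))
```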

Earlier this year the project appeared in the CNCF’s End User Technology Radar on DevSecOps in the Assess category, alongside other projects like Cilium, Harness, Sonatype Nexus, HashiCorp Sentinel, GitHub Actions, and Linkerd.