Trivy is a comprehensive open-source security scanner by Aqua Security that has become the de facto standard for container and infrastructure security scanning. With over 24,000 GitHub stars, it covers the broadest range of scanning targets in a single tool.
Trivy scans container images, file systems, Git repositories, Kubernetes clusters, and virtual machine images for known vulnerabilities in OS packages and language-specific dependencies. It also detects IaC misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles.
Additional capabilities include secrets detection for finding leaked credentials, license scanning for compliance, and SBOM generation in CycloneDX and SPDX formats. VEX support allows filtering out vulnerabilities that are not applicable to your specific deployment.
The tool runs as a standalone CLI with zero configuration needed — just point it at a target and get results. It integrates with CI/CD pipelines through GitHub Actions, GitLab CI, Jenkins, and other platforms. Enterprise features are available through Aqua Security's commercial platform.
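The CI/CD integration described above usually comes down to running Trivy with `--format json` and deciding whether the build may proceed. Trivy can enforce a simple threshold itself (`--severity CRITICAL,HIGH --exit-code 1`), but teams often want a policy the flags cannot express, such as blocking only on findings that have a fix available while still blocking on any leaked secret. The script below is an added example, not part of the page or of Trivy's own code base: it walks the `Results` array of a Trivy JSON report (the schema-version-2 shape Trivy emits for image, filesystem and repository scans), tallies vulnerabilities by severity, and applies that policy. The `run_trivy` helper invokes the real CLI; the embedded report is a constructed sample with placeholder package names and vulnerability IDs so the policy logic can be exercised offline.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
import subprocess
from collections import Counter

# Severities that block the build when the finding is fixable.
FAIL_SEVERITIES = ("CRITICAL", "HIGH")

# Constructed sample in the shape of `trivy image --format json` output.
# Package names, versions and vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.x)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libplaceholder",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "othertool",
                 "InstalledVersion": "2.3.4", "FixedVersion": "2.3.5",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/config.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS",
                 "Severity": "CRITICAL", "Title": "AWS Access Key ID",
                 "StartLine": 12, "Match": "AKIA****************"},
            ],
        },
        # A result with no findings: Trivy emits these with the array omitted or null.
        {"Target": "usr/bin/app", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": None},
    ],
}


def run_trivy(target, scan_type="image"):
    """Run the real Trivy CLI and return the parsed JSON report.

    Uses only flags that exist in Trivy: `--format json` and `--quiet`.
    """
    proc = subprocess.run(
        ["trivy", scan_type, "--format", "json", "--quiet", target],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def summarize(report):
    """Count vulnerabilities per severity across all Results entries."""
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln["Severity"]] += 1
    return counts


def blocking_findings(report, severities=FAIL_SEVERITIES, require_fix=True):
    """Return the findings that should fail the build under this policy.

    Vulnerabilities block when their severity is in `severities` and, if
    `require_fix` is set, a FixedVersion is available (unfixable ones are
    reported but do not block). Any detected secret blocks unconditionally,
    because a leaked credential is a fix the team controls.
    """
    blocking = []
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in severities:
                continue
            if require_fix and not vuln.get("FixedVersion"):
                continue
            blocking.append({
                "kind": "vulnerability", "target": target,
                "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln["Severity"],
            })
        for secret in result.get("Secrets") or []:
            blocking.append({
                "kind": "secret", "target": target,
                "id": secret["RuleID"], "line": secret.get("StartLine"),
                "severity": secret.get("Severity", "UNKNOWN"),
            })
    return blocking


def gate(report, **policy):
    """True when the report passes the policy (no blocking findings)."""
    return not blocking_findings(report, **policy)


if __name__ == "__main__":
    report = SAMPLE_REPORT  # replace with run_trivy("your-image:tag") in CI
    print("severity counts:", dict(summarize(report)))
    for f in blocking_findings(report):
        print("BLOCK", f)
    raise SystemExit(0 if gate(report) else 1)
```

In a pipeline the exit status from `gate` is what the CI job consumes; the unfixable HIGH finding in the sample is deliberately surfaced by `summarize` without blocking, which matches how Trivy's own `--ignore-unfixed` flag is typically used, while the secret finding blocks regardless of severity policy.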