Trivy
February 22, 2026
What it is
Trivy scans container images, filesystems, IaC (Terraform, etc.), and SBOMs for vulnerabilities and misconfigurations. CLI and CI-friendly.
Usage
Scan images in CI; scan repositories for secrets and misconfigurations; generate SBOMs; block vulnerable builds.
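As an added example (not part of the original page or of the Trivy project), here is one way to block vulnerable builds in CI: a small policy gate over a Trivy JSON report, with an ignore list for findings triaged as false positives. The report is a constructed sample shaped like `trivy image --format json` output; the function names, the blocking severities and the placeholder CVE ids are assumptions.

```python
import json

# Constructed sample in the shape of a Trivy JSON report (not a real scan;
# the CVE ids and package names are placeholders).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
             "InstalledVersion": "0.9", "FixedVersion": "1.0",
             "Severity": "LOW"},
        ]},
        # A target without findings may carry no list at all.
        {"Target": "requirements.txt", "Vulnerabilities": None},
    ]
})

BLOCKING = {"HIGH", "CRITICAL"}  # assumed policy: these severities fail the build


def blocking_findings(report_json, ignore_ids=(), ignore_unfixed=False):
    """Return (target, id, package, severity) for each finding that should fail the build."""
    ignored = set(ignore_ids)
    hits = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:  # missing or null -> empty
            if vuln.get("Severity") not in BLOCKING:
                continue
            if vuln.get("VulnerabilityID") in ignored:  # triaged false positive
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upstream fix yet, so nothing to upgrade to
            hits.append((result.get("Target"), vuln.get("VulnerabilityID"),
                         vuln.get("PkgName"), vuln.get("Severity")))
    return hits


def gate(report_json, **policy):
    """Print blocking findings and return a CI exit code (0 = pass, 1 = fail)."""
    hits = blocking_findings(report_json, **policy)
    for target, vuln_id, pkg, severity in hits:
        print(f"{severity:<8} {vuln_id} {pkg} in {target}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Trivy's own `--severity`, `--exit-code` and `--ignore-unfixed` flags and a `.trivyignore` file cover the same ground from the CLI; a separate gate like this is useful when the policy has to be applied to a saved report.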
Pros and cons
| Pros | Cons |
|---|---|
| Fast and comprehensive | False positives need tuning |
| Containers, IaC, SBOM | |
| Easy CI integration | |
| No daemon | |
Alternatives
Snyk, Grype, Clair. Why Trivy: Broad coverage (CVEs, config, secrets) and simple CLI/CI usage.
Links
- Homepage: https://trivy.dev/
- Documentation: https://aquasecurity.github.io/trivy/
- Source: https://github.com/aquasecurity/trivy