explaingit

aquasecurity/trivy

Analysis updated 2026-06-20

Stars · 34,873 · Language · Go · Audience · ops / devops · Complexity · 3/5 · Setup · easy

TLDR

Trivy is a single-command security scanner that checks container images, code repos, filesystems, and Kubernetes clusters for known vulnerabilities, leaked secrets, and misconfigurations before they reach production.

Mindmap

mindmap
  root((repo))
    What it scans
      Container images
      Git repositories
      Kubernetes clusters
      Terraform files
    What it finds
      Known CVEs
      Leaked secrets
      Misconfigurations
      License issues
    Integrations
      GitHub Actions
      Kubernetes operator
      VS Code extension
    Output
      Vulnerability report
      SBOM inventory


What do people build with it?

USE CASE 1

Scan a Docker container image for known CVE vulnerabilities before deploying it to production

USE CASE 2

Add a CI step that blocks pull requests containing accidentally committed API keys or passwords

USE CASE 3

Audit Terraform or Kubernetes YAML files for security misconfigurations before applying them to a cluster

USE CASE 4

Generate a Software Bill of Materials to track all dependencies and their open-source licenses across a project

What is it built with?

Go

How does it compare?

                   aquasecurity/trivy   schollz/croc   unknwon/the-way-to-go_zh_cn
Stars              34,873               34,935         35,105
Language           Go                   Go             Go
Setup difficulty   easy                 easy           easy
Complexity         3/5                  2/5            1/5
Audience           ops / devops         developer      developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy · Time to first run · 5 min

Install via Homebrew or download the single binary. Scanning a Kubernetes cluster additionally requires kubeconfig access to the target cluster.

In plain English

Trivy is a security scanning tool that checks your software and infrastructure for known problems before they reach production. The central challenge in modern software delivery is that every container image, code repository, and cloud configuration is a potential source of known vulnerabilities, leaked secrets, or insecure settings, and reviewing all of them by hand is not practical. Trivy automates that review in a single command.

The tool accepts a target: a container image, a local filesystem directory, a remote Git repository, a virtual machine image, or an entire Kubernetes cluster. It then runs a set of scanners against it. The vulnerability scanner matches installed OS packages and application libraries against a database of known CVEs (Common Vulnerabilities and Exposures), which are publicly disclosed security flaws. The secrets scanner looks for API keys, passwords, and tokens that were accidentally committed to code or baked into an image. The misconfiguration scanner reviews Infrastructure-as-Code files such as Terraform or Kubernetes manifests for settings that deviate from security best practice. Trivy can also produce a Software Bill of Materials (SBOM), a complete inventory of every dependency in a project, and report the open-source licenses those dependencies carry. One caveat worth keeping in mind: a scanner that works from a database of known issues can only report what that database knows about and what it could identify in the target, so a clean scan means "no known issues found", not "no vulnerabilities".

You would use Trivy in a DevSecOps pipeline, a software delivery process that runs security checks alongside development. It plugs into GitHub Actions, runs as a Kubernetes operator for continuous cluster monitoring, and has a VS Code extension for checking code as you write it. It is written in Go, so it ships as a single binary with no runtime dependencies, and it is available via package managers such as Homebrew or as a Docker image.
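The scan-then-gate flow the paragraphs above describe, written out as an added example (this is not Trivy's own code): it builds the command lines for the page's use cases, runs Trivy with --format json, and applies a severity policy to the parsed report, making explicit the two decisions a practitioner has to take when wiring Trivy into CI: what to do with vulnerabilities that have no fixed version, and whether secrets should be gated by severity at all. The Trivy subcommands, flags and JSON field names (Results, Vulnerabilities, Secrets, Misconfigurations, Severity, FixedVersion, Status, VulnerabilityID, RuleID, ID) are the real tool's; the policy, the helper names and the embedded sample report are this example's own assumptions, and the sample IDs are placeholders rather than real findings.

```python
"""Policy gate over Trivy JSON reports. Added example, not Trivy's own code.
Field names (Results[].Target, Vulnerabilities[], Secrets[], Misconfigurations[],
Severity, FixedVersion, Status, VulnerabilityID, RuleID, ID) are those of
Trivy's --format json output; the policy and helper names are this example's."""
import json
import shutil
import subprocess
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


# The page's scan use cases as argv lists. --format json gives a machine-readable
# report; --severity lets Trivy pre-filter so the report stays small.
def image_scan_cmd(image, min_severity="HIGH"):
    floor = SEVERITY_RANK[min_severity]
    sevs = ",".join(s for s, r in SEVERITY_RANK.items() if r >= floor)
    return ["trivy", "image", "--format", "json", "--severity", sevs, image]

def secret_scan_cmd(path="."):
    return ["trivy", "fs", "--scanners", "secret", "--format", "json", path]

def iac_scan_cmd(path):
    return ["trivy", "config", "--format", "json", path]

def sbom_cmd(image, out="sbom.cdx.json"):
    return ["trivy", "image", "--format", "cyclonedx", "--output", out, image]

def run_trivy(argv):
    """Run Trivy and parse the JSON it writes to stdout. Needs the trivy
    binary on PATH and, on first run, network access to fetch its DB."""
    if shutil.which("trivy") is None:
        raise RuntimeError("trivy binary not found on PATH")
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError("trivy produced no report: " + proc.stderr.strip())
    return json.loads(proc.stdout)

@dataclass
class Verdict:
    failing: list = field(default_factory=list)  # (kind, target, id, severity)
    ignored_unfixed: int = 0  # vulns skipped because no fixed version exists

def evaluate(report, min_severity="HIGH", ignore_unfixed=True):
    """Apply the gate policy. ignore_unfixed mirrors Trivy's --ignore-unfixed:
    findings with no upstream fix do not fail the build, but they are counted
    so the remaining exposure stays visible in the job output."""
    floor = SEVERITY_RANK[min_severity]
    verdict = Verdict()
    for result in report.get("Results") or []:  # absent when nothing was found
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                verdict.ignored_unfixed += 1
                continue
            verdict.failing.append(("vuln", target, v["VulnerabilityID"], v["Severity"]))
        # Any secret fails the build regardless of severity: a committed
        # credential is already exposed, and the remedy is rotation, not triage.
        for s in result.get("Secrets") or []:
            verdict.failing.append(("secret", target, s["RuleID"], s.get("Severity", "UNKNOWN")))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") == "PASS":  # only present with --include-non-failures
                continue
            if SEVERITY_RANK.get(m.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            verdict.failing.append(("misconfig", target, m["ID"], m["Severity"]))
    return verdict

# Constructed sample shaped like a Trivy report; IDs are placeholders, not real findings.
SAMPLE_REPORT = {"ArtifactName": "example/app:1.0", "Results": [
    {"Target": "example/app:1.0 (alpine 3.18.4)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "FixedVersion": "1.3-r0", "Severity": "MEDIUM"}]},
    {"Target": "app/settings.py", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID"}]},
    {"Target": "terraform/s3.tf", "Class": "config", "Type": "terraform", "Misconfigurations": [
        {"ID": "EXAMPLE-S3-0001", "Severity": "HIGH", "Status": "FAIL", "Title": "Bucket is public"}]}]}

def main(argv):
    """With an image argument, scan it for real; without one, evaluate the sample."""
    report = run_trivy(image_scan_cmd(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(report)
    for kind, target, ident, sev in verdict.failing:
        print(f"{sev:8} {kind:9} {ident:20} {target}")
    print(f"unfixed vulnerabilities ignored: {verdict.ignored_unfixed}")
    return 1 if verdict.failing else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py example/app:1.0` with Trivy installed to scan a real image, or with no argument to exercise the policy against the constructed sample. The process exits 1 whenever a finding passes the policy, which is all a CI step needs to block a merge. Trivy's own --exit-code and --ignore-unfixed flags give you the same pass/fail result without any code; parsing the JSON yourself is what lets the job log say "one HIGH vulnerability accepted because no fix exists" instead of silently hiding it, and what lets secrets fail the build unconditionally while vulnerabilities are still filtered by severity.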

Copy-paste prompts

Prompt 1
Show me the Trivy command to scan a Docker image for critical and high severity CVEs and display the results as a table.
Prompt 2
Help me add a Trivy secrets scan step to a GitHub Actions workflow that fails the build if any API keys or passwords are detected.
Prompt 3
Using Trivy, how do I scan a Terraform directory for misconfigured IAM policies or overly permissive S3 bucket settings?
Prompt 4
Show me how to deploy Trivy as a Kubernetes operator so it continuously monitors my cluster's running workloads for newly disclosed CVEs.

Frequently asked questions

What is trivy?

Trivy is a single-command security scanner that checks container images, code repos, filesystems, and Kubernetes clusters for known vulnerabilities, leaked secrets, and misconfigurations before they reach production.

What language is trivy written in?

Go. Because it is a single Go binary, there is no interpreter or runtime to install alongside it.

How hard is trivy to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is trivy for?

Mainly ops and DevOps engineers; developers use it through the VS Code extension and the CI integrations.



Verify against the repo before relying on details.