
aquasecurity/trivy

★ 35,758 · Go · Apache-2.0 · updated Jun 2026

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Trivy is a security scanner that covers container images, filesystems, git repos, Kubernetes clusters, and VM images. It finds CVEs, secrets, IaC misconfigurations, and generates SBOMs. Target audience is platform/DevSecOps engineers who want a single tool across the container and Kubernetes stack instead of stitching together five different scanners.

- Genuinely broad coverage from one binary: OS packages, language dependencies (15+ ecosystems), IaC (Terraform, Helm, Dockerfile, CloudFormation, ARM), secrets, and SBOM generation without needing separate tools.

- Plugin system backed by Wazero (WebAssembly runtime) lets you ship custom scanners without native compilation per platform, which is a sensible portability tradeoff.

- First-class VEX support (OpenVEX, CSAF) for suppressing known-false-positive CVEs in a standards-based way rather than a proprietary ignore file, which matters when you need audit trails.

- Air-gap mode with self-hosted DB is well-documented and actually works; the client-server split lets you share a single DB download across many CI agents, reducing the per-job overhead.

- The go.mod has ~200 direct dependencies including full AWS/Azure/GCP SDKs, containerd, Helm, OPA, and more. Binary bloat aside, the transitive supply chain surface is enormous for a security tool that is supposed to be trusted infrastructure.

- Misconfiguration checks are bundled from a separate aquasecurity/trivy-checks repo pinned to a specific commit hash, meaning community-contributed policy fixes don't land in the main binary until someone manually bumps the dependency; the gap between an upstream fix and users receiving it can be weeks.

- False-positive rate on Java CVEs is notoriously high because JAR scanning relies on pom.properties/MANIFEST.MF metadata that vendors frequently mislabel; there's no built-in way to tune confidence thresholds, only blanket ignore rules.

- The Kubernetes scanner does real-time cluster enumeration via kubectl, which requires broad read permissions and can be slow on large clusters; there's no incremental/delta scanning, so every run is a full sweep regardless of what changed.

