Trivy

Open-source vulnerability scanner for containers, file systems, IaC, and Kubernetes with zero-config setup

ToolOpen Source Security ScannerOpen SourceSelf-hosted

Pricing: Free (open source) / Aqua Platform for enterprise features

Reviewed by the CyberSecTool editorial team against the public sources cited below · Last reviewed February 2026 · How we review listings

What is Trivy?

Trivy is an open-source, comprehensive vulnerability scanner developed by Aqua Security that covers container images, file systems, Git repositories, Kubernetes clusters, and infrastructure-as-code configurations. Trivy stands out for its simplicity, speed, and breadth of scanning targets, requiring zero configuration to get started. It has become a widely adopted open-source scanner for container images in CI/CD pipelines and is widely adopted in Kubernetes-native environments for runtime vulnerability assessment.

Best for: DevOps and platform engineering teams that need a fast, open-source vulnerability scanner for containers and Kubernetes environments with zero configuration overhead
Pros
  • Completely free and open source with no licensing costs
  • Zero-configuration setup with a single binary installation
  • Extremely fast scanning suitable for every CI/CD pipeline run
  • Broadest scanning target coverage of any open-source scanner
  • De facto standard for container image scanning in Kubernetes environments
Considerations
  • No web dashboard or centralized management in open-source version
  • Vulnerability database updates rely on community and Aqua research
  • Lacks automated fix PR generation and remediation workflow
  • No dedicated SAST engine for deep code-level vulnerability analysis
  • Enterprise features require paid Aqua Platform subscription

Reported in public reviews and vendor documentation. See sources below.

Key Features

Container image vulnerability scanning
File system and Git repository scanning
Infrastructure-as-code misconfiguration detection
Kubernetes cluster scanning
SBOM generation and scanning
Secret detection in code and configurations
License scanning for open-source dependencies
Integration with CI/CD platforms and container registries

Are you Trivy? Improve this listing with screenshots, case studies and more.

Sources & references

Where the information on this listing comes from. Always verify pricing and capabilities against the vendor before a purchasing decision.

Spot an error, or do you represent Trivy? Request a correction.