Trivy
The most popular open-source security scanner for containers, code, and cloud
Founded
2019
Starting Price
Free
Category
Developer Tools
Last updated March 24, 2026
About Trivy
Trivy is a comprehensive open-source security scanner by Aqua Security that finds vulnerabilities, misconfigurations, secrets, and generates SBOMs across containers, Kubernetes, code repositories, and cloud environments. It's the most widely adopted open-source container scanner, known for its accuracy, speed, and zero-cost deployment in CI/CD pipelines.
Pros & Cons
Pros
- Completely free with no feature gates, scan limits, or contributor restrictions
- Comprehensive scanning across containers, dependencies, IaC, secrets, and Kubernetes
- Low false-positive rate compared to many commercial alternatives
- Simple CLI interface makes CI/CD integration fast — single binary, no server required
- Active open-source community with frequent vulnerability database updates
Key Features
Container Image Scanning
Scans container images for OS package and language-specific vulnerabilities with low false-positive rates
Dependency Scanning (SCA)
Detects vulnerabilities in open-source libraries across all major programming languages and package managers
IaC Misconfiguration Detection
Checks Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles for security misconfigurations
Secrets Detection
Finds hardcoded secrets, API keys, and credentials in code repositories and container images
SBOM Generation
Generates Software Bill of Materials in CycloneDX and SPDX formats for compliance and supply chain visibility
Kubernetes Cluster Scanning
Scans running Kubernetes clusters for vulnerabilities, misconfigurations, and exposed secrets
License Scanning
Identifies open-source licenses in dependencies for compliance management
Pricing
Open Source
Free
- All scanning capabilities
- Unlimited scans
- Unlimited users
- Container, code, IaC, and K8s scanning
- SBOM generation
Best For
CI/CD Pipeline Security Gate
Run Trivy as a pipeline step to block deployments when critical vulnerabilities are found in container images or dependencies.
Container Image Scanning
Scan container images in registries or during builds to ensure base images meet security standards before deployment.
Kubernetes Security Auditing
Scan running clusters to find vulnerabilities in deployed workloads, misconfigurations, and exposed secrets.
SBOM and Compliance
Generate Software Bill of Materials for regulatory compliance and supply chain security transparency.
Similar Tools
Featured In
#2
Snyk vs Trivy: Which Developer Security Tool Is Better for CI/CD? (2026)
The open-source powerhouse — choose Trivy when you need fast, free, and comprehensive scanning in CI/CD without per-user costs
#3
Best Tools for Security Researchers and Bug Bounty Hunters (2026)
Essential for security researchers targeting cloud-native infrastructure — the free standard for container and dependency vulnerability scanning
