Welcome to Trivy

    Features

    • Detect comprehensive vulnerabilities
      • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
      • Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, and NuGet)
    • Simple
      • Specify only an image name or artifact name
      • See Examples
    • Fast
      • Unlike other scanners, which take a long time (~10 minutes) to fetch vulnerability information on the first run and encourage you to maintain a durable vulnerability database, Trivy is stateless and requires no maintenance or preparation.
    • Easy installation
      • Installation with apt-get install or brew install is possible
      • No pre-requisites such as installation of DB, libraries, etc.
    • High accuracy
      • Especially Alpine Linux and RHEL/CentOS
      • Accuracy on other OSes is also high
    • DevSecOps
      • Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
    • Support multiple formats
      • container image
        • A local image in Docker Engine which is running as a daemon
        • A local image in Podman (>=2.0) which is exposing a socket
        • A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
        • A tar archive stored in the docker save format
        • An image directory compliant with OCI Image Format
      • local filesystem
      • remote git repository