Trivy

Trivy scans for vulnerabilities in dependencies, containers, and infrastructure as code.

Installation

# Download from https://github.com/aquasecurity/trivy/releases

Basic Usage

# File system scan (SCA)
trivy fs .

# IaC scan
trivy config .

# Container image scan
trivy image alpine:latest

Scenarios

# Scan a specific directory and skip vulnerabilities that have no fixed version yet
trivy fs ./src --ignore-unfixed

# Limit output to high and critical
trivy fs . --severity HIGH,CRITICAL

# Scan a Dockerfile
trivy config ./Dockerfile

# Generate a SARIF report for CI
trivy fs . --format sarif --output trivy.sarif

Output

# JSON output
trivy fs . -f json -o trivy.json
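The JSON report is the form you usually consume in CI. The following is an added example (not code from the Trivy project or from this cheat sheet) that parses a report in Trivy's SchemaVersion 2 layout, applies the same policy as the `--ignore-unfixed` and `--severity` flags above, and turns the result into an exit code. The sample report embedded in the block is constructed for the example, and its `CVE-0000-000x` and `EXAMPLE-001` identifiers are placeholders, not real findings.

```python
"""Parse a Trivy JSON report (SchemaVersion 2) and apply a CI gate.

Added example; it is not part of Trivy. Field names (Results, Target,
Vulnerabilities, Misconfigurations, Severity, FixedVersion, ...) follow
Trivy's JSON report format; the report below is constructed sample data.
"""
import json
import sys
from typing import Dict, List

# Severity ranking used to compare findings against a threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the CVE and check IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "thirdlib",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "EXAMPLE-001", "Title": "Container runs as root",
                 "Severity": "HIGH"},
            ],
        },
    ],
})


def load_findings(report_json: str, ignore_unfixed: bool = False) -> List[Dict]:
    """Flatten vulnerabilities and misconfigurations from every Result entry.

    ignore_unfixed mirrors `trivy --ignore-unfixed`: a vulnerability with an
    empty FixedVersion is dropped because nothing can be upgraded yet.
    """
    report = json.loads(report_json)
    findings: List[Dict] = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        # Trivy omits or nulls these keys when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append({
                "target": target,
                "id": vuln["VulnerabilityID"],
                "package": vuln.get("PkgName"),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "fixed": vuln.get("FixedVersion", ""),
            })
        for misconf in result.get("Misconfigurations") or []:
            findings.append({
                "target": target,
                "id": misconf["ID"],
                "package": None,
                "severity": str(misconf.get("Severity", "UNKNOWN")).upper(),
                "fixed": "",
            })
    return findings


def filter_by_severity(findings: List[Dict], minimum: str = "HIGH") -> List[Dict]:
    """Keep findings at or above `minimum`, like `--severity HIGH,CRITICAL`."""
    threshold = SEVERITY_RANK[minimum.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def gate(report_json: str, minimum: str = "HIGH", ignore_unfixed: bool = False) -> int:
    """Return 1 when any finding survives the policy (fail the build), else 0."""
    blocking = filter_by_severity(load_findings(report_json, ignore_unfixed), minimum)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Read a real report from a path if given, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(load_findings(text)))
    sys.exit(gate(text, minimum="HIGH", ignore_unfixed=True))
```

Run it as `python gate.py trivy.json` after `trivy fs . -f json -o trivy.json`. For a single scan Trivy's own `--exit-code` flag gives the same pass/fail behaviour; a parser like this one is worth having when several reports must be combined or when the policy differs per target (for example a stricter threshold for the Dockerfile than for the lockfile).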