Aqua Trivy

Aqua Trivy is an open source security scanner designed for vulnerability detection and infrastructure as code (IaC) scanning in cloud native environments. The tool scans container images, filesystems, and Git repositories for security vulnerabilities and misconfigurations. Trivy provides vulnerability scanning for operating system packages and programming language packages, with results available through the Aqua Vulnerability Database. The scanner identifies both fixed and unfixed vulnerabilities across various operating systems including Alpine Linux and RHEL/CentOS. The tool supports IaC scanning capabilities for infrastructure templates and configurations. It can scan multiple target types including container images, tar archives, Podman containers, private and public registries, local filesystems, and Git repositories. Trivy operates without requiring database dependencies or middleware, functioning as a standalone binary that can be integrated into CI/CD pipelines. The scanner includes an auto-update capability for its vulnerability database and provides command-line filtering for critical CVEs. The tool supports multiple execution environments including Linux, macOS, FreeBSD, and OpenBSD. It can operate in air-gapped environments and scan distroless images. Results can be exported in various formats including JUnit XML, SARIF, and AWS Security Finding Format (ASFF). Trivy serves as the default scanner for GitLab's Container Scanning functionality, Artifact Hub, and Harbor. It is certified by RedHat as a vulnerability scanner.