Trivy
Comprehensive open source vulnerability and misconfiguration scanner from Aqua Security. Scans container images, filesystems, Git repositories, virtual machine images, Kubernetes clusters, and Infrastructure as Code files for OS package vulnerabilities (CVEs), application dependency vulnerabilities, secrets, misconfigurations, and license compliance. Generates SBOMs in SPDX and CycloneDX formats. Runs as a CLI tool or Go library with no REST API server for the OSS version.
Score Breakdown
🔒 Security
Trivy is itself a security scanner; the local CLI needs no authentication. Trivy server mode (for CI) can be secured with a token. It is an open-source Aqua Security tool used to scan container images, filesystems and IaC, and its results contain sensitive vulnerability data.
Best When
An agent needs comprehensive vulnerability scanning across container images, filesystems, and IaC in a single tool without API rate limits or auth complexity — especially in CI/CD pipeline integration.
Avoid When
You need a managed SaaS scanning API with centralized result storage, or require real-time runtime threat detection.
Use Cases
- Scanning container images in CI/CD pipelines for CVEs before push to registry
- Generating SBOMs (Software Bill of Materials) for supply chain compliance
- Scanning Kubernetes cluster configurations for security misconfigurations
- Detecting secrets and credentials accidentally committed to repositories
- Scanning IaC (Terraform, CloudFormation, Helm) for security policy violations
Not For
- Runtime container monitoring — Trivy is point-in-time scanning, not continuous
- Network security or endpoint protection
- Organizations needing a centralized SaaS scanning dashboard without self-hosting
- DAST or dynamic application testing — static analysis only
Interface
Authentication
No authentication required for local scanning. Registry credentials (username/password or token) required for scanning private container registries. Aqua Security platform integration available for enterprise reporting.
Pricing
Core tool is completely free and open source. Aqua Security offers commercial add-ons for centralized management, runtime security, and enterprise support.
Agent Metadata
Known Gotchas
- ⚠ Vulnerability database must be downloaded on first run (~150MB) — cold start can take minutes in CI/CD; cache the DB between runs
- ⚠ Exit code 1 means vulnerabilities found (not an error) — agents must distinguish 'scan found issues' from 'scan failed'
- ⚠ Image scanning requires Docker daemon access or image tarball — not always available in containerized agent environments
- ⚠ Trivy DB updates daily — stale DB cache produces outdated results without warning
- ⚠ Java ecosystem scanning (JAR/WAR) requires extracting nested archives — can be slow and memory-intensive
- ⚠ False positive suppression uses a .trivyignore file that must be present on disk — not injectable at runtime
- ⚠ SBOM generation and vulnerability scanning are separate invocations — agents cannot do both in a single command
Scores are editorial opinions as of 2026-03-06.