Skip to content


Trivy supports the following scanners for Conda packages.

Scanner Supported
Vulnerability -
License 1


Trivy detects packages that have been installed with Conda.


Trivy parses <conda-root>/envs/<env>/conda-meta/<package>.json files to find the version and license for the dependencies installed in your env.


Trivy supports parsing environment.yml2 files to find dependency list.


License detection is currently not supported.

environment.yml2 files supports version range. We can't be sure about versions for these dependencies. Therefore, you need to use conda env export command to get dependency list in Conda default format before scanning environment.yml2 file.


For dependencies in a non-Conda format, Trivy doesn't include a version of them.

  1. License detection is only supported for <package>.json files 

  2. Trivy supports both yaml and yml extensions.