Skip to content


Trivy detects three types of security issues:

  • Vulnerabilities
    • OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    • Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
  • Misconfigurations
    • Kubernetes
    • Docker
    • Terraform
    • CloudFormation
    • more coming soon
  • Secrets
    • AWS access key
    • GCP service account
    • GitHub personal access token
    • etc.

Trivy can scan three different artifacts:

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See Integrations for details.