Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

Trivy has different scanners that look for different security issues, and different targets where it can find those issues.


  • Container Image
  • Filesystem
  • Git repository (remote)
  • Kubernetes cluster or resource


  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC misconfigurations
  • Sensitive information and secrets

It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. See Integrations for details.

Much more scanners and targets are coming up. Join the Slack channel to stay up to date, ask questions, and let us know what features you would like to see.

Please see LICENSE for Trivy licensing information.

Demo: Vulnerability Detection
Demo: Misconfiguration Detection
Demo: Secret Detection