Trivy uses the Google Cloud SDK. You don't need to install the gcloud command.


The credential file must have the roles/storage.objectViewer permissions. More information can be found in Google's documentation.

JSON File Format

The JSON file you specify should have the following format, as provided by Google's service account mechanisms:

{
  "type": "service_account",
  "project_id": "your_special_project",
  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
  "client_email": "",
  "client_id": "1234567890",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
}


If you want to use the target project's repository, you can set the credentials via GOOGLE_APPLICATION_CREDENTIALS.

# TRIVY_USERNAME must be set to an empty string
export TRIVY_USERNAME=""
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json


You can test the credentials in the following manner (assuming they are in /tmp on the host machine).

docker run -it --rm -v /tmp:/tmp \
  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json \
  aquasec/trivy image
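
A pre-flight check for the key file described under JSON File Format, as an added example that is not part of the Trivy documentation: it verifies the listed fields, the service_account type and the PEM framing of private_key before the file is handed to Trivy. The group/other permission check is an added hygiene assumption, the names check_credential_file and write_sample are hypothetical, and the sample data is constructed.

```python
import json
import os
import stat
import tempfile

# Field names from the "JSON File Format" listing on this page.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri",
    "auth_provider_x509_cert_url", "client_x509_cert_url",
)

def check_credential_file(path):
    """Return a list of problems with a service account key file (hypothetical helper)."""
    problems = []
    try:
        # The file holds a private key: flag access by group or others.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"file mode {mode:o} allows group/other access")
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"cannot load as JSON: {exc}"]
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [k for k in REQUIRED_FIELDS if k not in data]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, not 'service_account'")
    key = str(data.get("private_key", "")).strip()
    if not (key.startswith("-----BEGIN PRIVATE KEY-----")
            and key.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not PEM-framed")
    return problems

def write_sample(fields, mode):  # writes a constructed sample key file
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(fields, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: placeholder values, world-readable, no client_email.
    sample = {k: "placeholder" for k in REQUIRED_FIELDS if k != "client_email"}
    path = write_sample(sample, 0o644)
    print("\n".join(check_credential_file(path)))
    os.remove(path)
```

An empty list means the file has the shape shown above; it does not confirm that the key is valid or that the account holds roles/storage.objectViewer.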