Skip to content

Bitnami Images


Scanning results may be inaccurate.

While it is not an OS, this page describes the details of the container images provided by Bitnami. Bitnami images are based on Debian. Please see the Debian page for OS packages.

Trivy supports the following scanners for Bitnami packages.

Scanner Supported

The table below outlines the features offered by Trivy.

Feature Supported
Unfixed vulnerabilities -
Dependency graph -


Trivy analyzes the SBOM information contained within the container images provided by Bitnami. The SBOM files are located at /opt/bitnami/<component>/.spdx-<component>.spdx.


Since Bitnami has its own vulnerability database, it uses these for vulnerability detection of applications and packages distributed by Bitnami.


Trivy does not support vulnerability detection of independently compiled binaries, so even if you scan container images like nginx:1.15.2, vulnerabilities in Nginx cannot be detected. This is because main applications like Nginx are not installed by the package manager. However, in the case of Bitnami images, since these SBOMs are stored within the image, scanning bitnami/nginx:1.15.2 allows for the detection of vulnerabilities in Nginx.

Fixed Version

Trivy refers to the Bitnami database. Please note that these may differ from the upstream fixed versions.


Similar to Fixed versions, it follows Bitnami's vulnerability database.


Trivy supports the following vulnerability statuses for Bitnami packages.

Status Supported
Under Investigation
Will Not Fix
Fix Deferred
End of Life


If licenses are included in the SBOM distributed by Bitnami, they will be used for scanning.