# Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more


![](https://github.com/aquasecurity/trivy/raw/main/docs/imgs/logo.png align="center")

Trivy ([pronunciation](https://github.com/aquasecurity/trivy#how-to-pronounce-the-name-trivy)) is a comprehensive and versatile security scanner. Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.

Targets (what Trivy can scan):

* Container Image
    
* Filesystem
    
* Git Repository (remote)
    
* Virtual Machine Image
    
* Kubernetes
    
* AWS
    

Scanners (what Trivy can find there):

* OS packages and software dependencies in use (SBOM)
    
* Known vulnerabilities (CVEs)
    
* IaC issues and misconfigurations
    
* Sensitive information and secrets
    
* Software licenses
    

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage](https://aquasecurity.github.io/trivy/latest/docs/coverage/) page.

To learn more, go to the [Trivy homepage](https://trivy.dev/) for feature highlights, or to the [Documentation site](https://aquasecurity.github.io/trivy) for detailed information.

## Quick Start

### Get Trivy

Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) page. Here are a few popular examples:

* `brew install trivy`
    
* `docker run aquasec/trivy`
    
* Download binary from [https://github.com/aquasecurity/trivy/releases/latest/](https://github.com/aquasecurity/trivy/releases/latest/)
    
* See [Installation](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) for more
    

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](https://aquasecurity.github.io/trivy/latest/ecosystem/) page. Here are a few popular examples:

* [GitHub Actions](https://github.com/aquasecurity/trivy-action)
    
* [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
    
* [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
    
* See [Ecosystem](https://aquasecurity.github.io/trivy/latest/ecosystem/) for more
    

### Canary builds

There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.

Please be aware: canary builds might have critical bugs, it's not recommended for use in production.

### General usage

```yaml
trivy <target> [--scanners <scanner1,scanner2>] <subject>
```

Examples:

```yaml
trivy image python:3.4-alpine
```

<details><summary>Result</summary><details><summary><span class="m-1"></span><span class="dropdown-caret"></span></summary></details></details>

```yaml
trivy fs --scanners vuln,secret,misconfig myproject/
```

<details><summary>Result</summary><details><summary><span class="m-1"></span><span class="dropdown-caret"></span></summary></details></details>

```yaml
trivy k8s --report summary cluster
```

<details><summary>Result</summary><p><a target="_blank" href="https://github.com/aquasecurity/trivy/blob/main/docs/imgs/trivy-k8s.png"><img src="https://github.com/aquasecurity/trivy/raw/main/docs/imgs/trivy-k8s.png" alt="k8s summary" /></a></p></details>

## FAQ

### How to pronounce the name "Trivy"?

`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.

## Want more? Check out Aqua

If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
In addition check out the [https://aquasec.com](https://aquasec.com/) website for more information about our products and services. If you'd like to contact Aqua or request a demo, please use this form: [https://www.aquasec.com/demo](https://www.aquasec.com/demo)

## Community

Trivy is an [Aqua Security](https://aquasec.com/) open source project.  
Learn about our open source work and portfolio [here](https://www.aquasec.com/products/open-source-projects/).  
Contact us about any matter by opening a GitHub Discussion [here](https://github.com/aquasecurity/trivy/discussions) Join our [Slack community](https://slack.aquasec.com/) to stay up to date with community efforts.

Please ensure to abide by our [Code of Conduct](https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md) during all interactions.
