Security scanner for container images, repositories, filesystems, Kubernetes, and SBOMs, with vulnerability, misconfiguration, secret, and license checks.
$ brew install trivy
Agent Compatibility: JSON Output, Agent Skill, MCP Support, AI Analysis
Trivy is Aqua Security's CLI for scanning software artifacts and infrastructure targets for security findings. It covers container images, filesystems, Git repositories, Kubernetes clusters, VM images, and SBOM documents, and can emit compliance or supply-chain reports for CI and remediation workflows.
What It Enables
- Scan container images, local filesystems, Git repositories, VM images, and SBOM documents for vulnerabilities, secrets, licenses, and exposed package inventories.
- Check Terraform, Helm, Kubernetes, Dockerfile, CloudFormation, Azure ARM, and Ansible configs before deploy, or scan live Kubernetes clusters with compliance report modes.
- Export findings as JSON, SARIF, CycloneDX, SPDX, GitHub dependency snapshots, or converted reports for CI gates, dashboards, and attestations.
Agent Fit
- Non-interactive subcommands, target-specific flags, and --exit-code controls make it easy to wire into CI, pre-deploy checks, and retryable agent loops. --format json plus SARIF, CycloneDX, and SPDX outputs give agents machine-readable results, and the reporting flags document which behaviors are format-specific.
- Environment access still matters: first runs may download vulnerability databases and check bundles, some targets need registry or cluster credentials, and the kubernetes surface is still marked experimental.
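As an added example (not Trivy's own code and not part of this listing), the Python below shows the offline half of the CI wiring described above: a scan is saved with --format json, and a separate step reads that report and decides the exit status the way --exit-code 1 with a severity threshold would. It assumes the Trivy JSON layout with a top-level Results list whose entries carry Vulnerabilities, Misconfigurations and Secrets arrays, each finding having a Severity field and vulnerabilities a FixedVersion field. The sample report is constructed and every identifier in it is a placeholder, not a real advisory or check.

```python
"""Evaluate a saved Trivy JSON report as a CI gate.

Added example, not Trivy's own code. Assumes the Trivy JSON report layout
(top-level "Results" list; each result may carry "Vulnerabilities",
"Misconfigurations" and "Secrets" arrays; each finding has "Severity").
The sample report below is constructed and its IDs are placeholders.
"""
import json
from collections import Counter

# Severity ranking used by the gate: anything at or above the threshold fails.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def iter_findings(report):
    """Yield (kind, finding) for every actionable finding in the report.

    Missing arrays are treated as empty so a result with no findings does not
    break the gate; misconfiguration checks that PASSed are informational only.
    """
    for result in report.get("Results") or []:
        for kind in ("Vulnerabilities", "Misconfigurations", "Secrets"):
            for finding in result.get(kind) or []:
                if kind == "Misconfigurations" and finding.get("Status") == "PASS":
                    continue
                yield kind, finding


def severity_counts(report):
    """Count findings per severity, pooled across all finding kinds."""
    counts = Counter()
    for _kind, finding in iter_findings(report):
        counts[finding.get("Severity", "UNKNOWN").upper()] += 1
    return dict(counts)


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return 1 if the report should fail the pipeline, otherwise 0.

    threshold is the lowest severity that fails the build (like --severity
    HIGH,CRITICAL with --exit-code 1); ignore_unfixed drops vulnerabilities
    with no FixedVersion, mirroring --ignore-unfixed, but both are evaluated
    here from the saved JSON rather than by the scanner itself.
    """
    floor = SEVERITY_ORDER.index(threshold.upper())
    for kind, finding in iter_findings(report):
        if ignore_unfixed and kind == "Vulnerabilities" and not finding.get("FixedVersion"):
            continue
        sev = finding.get("Severity", "UNKNOWN").upper()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= floor:
            return 1
    return 0


# Constructed sample in the Trivy JSON layout; all IDs and names are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "example.invalid/app:1.0",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "example.invalid/app:1.0 (constructed os)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libplaceholder",
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL"}
      ]
    },
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "Misconfigurations": [
        {"ID": "PLACEHOLDER-001", "Title": "constructed failing check",
         "Severity": "MEDIUM", "Status": "FAIL"},
        {"ID": "PLACEHOLDER-002", "Title": "constructed passing check",
         "Severity": "HIGH", "Status": "PASS"}
      ]
    },
    {
      "Target": "app/config.env",
      "Class": "secret",
      "Secrets": [
        {"RuleID": "placeholder-rule", "Category": "Constructed",
         "Severity": "LOW", "Title": "constructed secret finding"}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    print(severity_counts(SAMPLE_REPORT))
    print("exit code:", gate(SAMPLE_REPORT, threshold="HIGH", ignore_unfixed=True))
```

On the constructed sample the gate fails at threshold HIGH because of the unfixed CRITICAL vulnerability, and passes once unfixed vulnerabilities are ignored, which is the trade-off a pipeline makes when it wants to block only on findings it can actually remediate.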
Caveats
- Default output is a human table, so automation should request an explicit structured format.
- Coverage and accepted formats vary by subcommand; for example, kubernetes only supports table, JSON, and CycloneDX output, and convert does not support AWS or Kubernetes JSON reports.