Trivy is an open-source, all-in-one security scanner developed and maintained by Aqua Security. It finds vulnerabilities, misconfigurations, secrets, and supply-chain risks across container images, filesystems, Git repositories, Kubernetes clusters, IaC files, and cloud accounts. Its key differentiator is breadth: a single binary replaces several specialized tools by combining CVE scanning, IaC misconfiguration detection, secret detection, SBOM generation, and license compliance in one pass. The mental model to keep in mind is that every Trivy invocation works along two axes: a target (what you scan, chosen by the subcommand) and one or more scanners (what type of issue you look for, chosen with `--scanners`). Not every scanner is enabled by default for every target, so choosing both axes explicitly is what unlocks full coverage.
What This Cheat Sheet Covers
This cheat sheet is organized into 16 focused tables covering 113 indexed concepts, from foundational commands through advanced details. The outline below goes table by table.
Table 1: Scan Targets
Every Trivy invocation begins with a target subcommand. Knowing what each target scans, and which scanners it activates by default, prevents missed coverage and unexpected false negatives: `image`, `fs`, and `repo` run only the vulnerability and secret scanners unless you add `misconfig` (or `license`) via `--scanners`, while `config` runs only the misconfiguration scanner.
| Command | Example | Description |
|---|---|---|
| `trivy image` | `trivy image nginx:1.27` | Scans a container image from a registry, the local Docker daemon, a tarball, or an OCI archive. Vulnerabilities and secrets are scanned by default; pass `--scanners vuln,misconfig,secret` to also check the image configuration for misconfigurations. The most common entry point for container security. |
| `trivy fs` | `trivy fs ./myproject` | Scans a local filesystem or directory: vulnerabilities in dependency lock files and secrets by default, misconfigurations in IaC files when `misconfig` is added to `--scanners`. |
| `trivy repo` | `trivy repo https://github.com/org/repo` | Clones a remote Git repository and scans it like `fs`: vulnerabilities and secrets by default, misconfigurations on request. |
| `trivy k8s` | `trivy k8s --report summary cluster` | Scans a live Kubernetes cluster (current kubeconfig context), checking the images of running workloads and the cluster's resource definitions. |
| `trivy config` | `trivy config ./terraform/` | Scans IaC configuration files only (Dockerfile, Kubernetes YAML, Terraform, CloudFormation, Helm, Ansible, etc.) with the misconfiguration scanner; it performs no vulnerability or secret scanning. |
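The target/scanner split above is easy to get wrong in CI, where a plain `trivy fs .` silently skips misconfiguration checks. The script below is an added example, not code from the Trivy project or from the original page: it builds a full-coverage, severity-gated command line for each target type so that the scanner axis is always set explicitly, and it only executes when the `trivy` binary is present. It assumes a Trivy release that uses the `--scanners` flag (older releases called it `--security-checks`) and the `trivy k8s ... cluster` syntax shown in the table; the thresholds `HIGH,CRITICAL` and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not Trivy's own code): a full-coverage Trivy wrapper.
# Every target gets an explicit --scanners list, so misconfiguration
# checks are never dropped by accident, plus a severity gate that makes
# the scan fail the pipeline (--exit-code 1) on HIGH or CRITICAL findings.
set -eu

SCANNERS="vuln,misconfig,secret"      # assumed policy: all three scanners
SEVERITY="HIGH,CRITICAL"              # assumed policy: gate on these only

# trivy_cmd TARGET REF
# Prints the command line for one target type without running it.
# TARGET is one of image|fs|repo|k8s|config; REF is the image name,
# path, repository URL, or (for k8s) the "cluster" argument.
trivy_cmd() {
  target="$1"
  ref="$2"
  case "$target" in
    image|fs|repo)
      # vuln and secret are on by default; misconfig must be requested.
      printf '%s\n' "trivy $target --scanners $SCANNERS --severity $SEVERITY --exit-code 1 $ref"
      ;;
    k8s)
      printf '%s\n' "trivy k8s --report summary --scanners $SCANNERS --severity $SEVERITY --exit-code 1 $ref"
      ;;
    config)
      # config is misconfig-only, so --scanners would be meaningless here.
      printf '%s\n' "trivy config --severity $SEVERITY --exit-code 1 $ref"
      ;;
    *)
      printf 'unknown target type: %s\n' "$target" >&2
      return 2
      ;;
  esac
}

# run_scan TARGET REF
# Executes the command from trivy_cmd. REF is word-split on purpose
# (no eval), so refs must not contain whitespace. Returns trivy's own
# exit status, which is 1 when findings meet the severity gate.
run_scan() {
  cmd=$(trivy_cmd "$1" "$2")
  if ! command -v trivy >/dev/null 2>&1; then
    printf 'trivy not installed; would run: %s\n' "$cmd" >&2
    return 127
  fi
  printf '+ %s\n' "$cmd"
  set -- $cmd
  "$@"
}

# Example usage (runs only when invoked directly with arguments):
#   ./scan.sh image nginx:1.27
#   ./scan.sh fs ./myproject
#   ./scan.sh config ./terraform/
if [ "$#" -eq 2 ]; then
  run_scan "$1" "$2"
fi
```

Wire `run_scan` into the pipeline once per artifact type rather than relying on a single `trivy fs .`; the `config` branch is still worth keeping separate because it scans IaC files that `fs` would only cover with `misconfig` enabled, and it gives a clean, vulnerability-free signal for infrastructure reviewers.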