aquasec-trivy
A comprehensive open-source vulnerability scanner for container images, file systems, and IaC configurations.
What is aquasec-trivy?
The Trivy image packages Trivy, an open-source vulnerability and misconfiguration scanner created by Aqua Security. Trivy is designed to detect vulnerabilities (CVEs) in container images, operating system packages, and application dependencies, as well as configuration issues in infrastructure-as-code files like Kubernetes manifests and Terraform.
Trivy is widely used in CI/CD pipelines, local development, and production environments to provide security feedback early and continuously. It supports output in multiple formats (table, JSON, SARIF, SPDX), making it easy to integrate with developer tools, reporting dashboards, or compliance systems.
Because of its broad coverage and simple CLI, Trivy has become a go-to tool for organizations seeking to embed security scanning without heavy overhead.
How to use this image
The Trivy image can be run locally, in CI, or integrated into security workflows.
Examples:
<code># Scan a local container image for vulnerabilities
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image nginx:latest</code>
<code># Scan a directory (e.g., application source code and dependencies)
docker run --rm -v "$PWD":/app aquasec/trivy fs /app</code>
<code># Scan Kubernetes manifests for misconfigurations
docker run --rm -v "$PWD":/manifests aquasec/trivy config /manifests</code>
<code># Output results as JSON
docker run --rm aquasec/trivy image --format json nginx:latest</code>
By default, Trivy automatically updates its vulnerability database on first run, ensuring up-to-date scan results.
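An added example (not from the original page or the Trivy project): a CI gate that reads a report produced with --format json and returns a non-zero exit code when findings at or above a severity threshold are present. The sample report, its package names and CVE IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `trivy image --format json` output; IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
              "InstalledVersion": "1.0", "Severity": "HIGH"},  # no fix released
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
         ]},
        # A target with no findings may carry no "Vulnerabilities" key at all.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (target, id, package, severity, fixed_version) tuples that meet the policy."""
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            # Unrecognised severity strings rank as UNKNOWN (lowest).
            rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0
            fixed = vuln.get("FixedVersion", "")
            if rank < threshold or (ignore_unfixed and not fixed):
                continue
            findings.append((result.get("Target"), vuln.get("VulnerabilityID"),
                             vuln.get("PkgName"), severity, fixed))
    return findings


def gate(report_json, **policy):
    """Exit code for a CI step: 1 if any finding meets the policy, else 0."""
    return 1 if blocking_findings(report_json, **policy) else 0


if __name__ == "__main__":
    for finding in blocking_findings(SAMPLE_REPORT):
        print(*finding)
    raise SystemExit(gate(SAMPLE_REPORT))
```

For plain pass/fail gating without post-processing, Trivy's own --severity, --exit-code and --ignore-unfixed flags express the same policy on the command line.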
Image variants
The Trivy image is typically published in these forms:
aquasec/trivy:<version>
Version-pinned images (e.g., aquasec/trivy:0.55.0) are recommended for production use to ensure stable behavior.
aquasec/trivy:latest
Tracks the most recent stable release of Trivy. Good for quick testing but less predictable for production pipelines.
aquasec/trivy:dev / aquasec/trivy:nightly
Built from development branches or nightly builds. Useful for contributors or teams testing upcoming features, but not recommended for production.