Trivy is a comprehensive and versatile open-source security scanner from Aqua Security that finds vulnerabilities, misconfigurations, secrets, and SBOM in containers, Kubernetes, code repositories, clouds, and more. Trivy runs as a CLI tool, in client/server mode with an HTTP API, and as a Kubernetes Operator that continuously scans clusters and generates security reports as native Kubernetes Custom Resources.
- Website: https://trivy.dev/
- GitHub: https://github.com/aquasecurity/trivy
HTTP API exposed when running Trivy in client/server mode. The server maintains the vulnerability databases and exposes health check and version endpoints on port 4954.
- Documentation: Client/Server Mode
- OpenAPI: openapi/trivy-server-openapi.yml
Kubernetes-native operator that auto-scans clusters and generates security reports as CRDs. Defines 12 custom resource types.
- Documentation: https://aquasecurity.github.io/trivy-operator/
- GitHub: https://github.com/aquasecurity/trivy-operator
Primary interface for scanning container images, filesystems, Git repos, Kubernetes clusters, VMs, and SBOMs. Outputs JSON, SARIF, CycloneDX, SPDX, and table formats.
- Documentation: https://trivy.dev/latest/docs/
| Spec | Description |
|---|---|
| trivy-server-openapi.yml | Trivy server mode HTTP API |
| CRD | Description |
|---|---|
| aquasecurity.github.io_vulnerabilityreports.yaml | Workload vulnerability reports |
| aquasecurity.github.io_configauditreports.yaml | Kubernetes config audit reports |
| aquasecurity.github.io_exposedsecretreports.yaml | Exposed secrets detection reports |
| aquasecurity.github.io_sbomreports.yaml | Software Bill of Materials reports |
| aquasecurity.github.io_clustercompliancereports.yaml | Cluster compliance reports |
| aquasecurity.github.io_clusterconfigauditreports.yaml | Cluster-wide config audit reports |
| aquasecurity.github.io_clusterinfraassessmentreports.yaml | Cluster infrastructure assessments |
| aquasecurity.github.io_clusterrbacassessmentreports.yaml | Cluster RBAC assessments |
| aquasecurity.github.io_clustersbomreports.yaml | Cluster SBOM reports |
| aquasecurity.github.io_clustervulnerabilityreports.yaml | Cluster vulnerability reports |
| aquasecurity.github.io_infraassessmentreports.yaml | Infrastructure assessment reports |
| aquasecurity.github.io_rbacassessmentreports.yaml | RBAC assessment reports |
| Schema | Description |
|---|---|
| trivy-vulnerability-report-schema.json | Vulnerability report with CVEs |
| trivy-scan-result-schema.json | Single scan result per target layer |
| File | Description |
|---|---|
| trivy-scan-structure.json | Structure documentation for scan objects |
| File | Description |
|---|---|
| trivy-context.jsonld | Linked data context for Trivy security vocabulary |
| Ruleset | Description |
|---|---|
| trivy-rules.yml | API linting rules for Trivy server API |
| Capability | Description |
|---|---|
| security-scanning.yaml | Security scanning workflow |
Shared Definitions:
| File | Description |
|---|---|
| shared/trivy-server.yaml | Trivy server API consumed definition |
| Example | Description |
|---|---|
| trivy-vulnerability-report-example.json | Container image vulnerability scan output |
| trivy-health-check-example.json | Trivy server health check |
| File | Description |
|---|---|
| trivy-vocabulary.yml | Domain vocabulary for security scanning concepts |
- Aqua Security GitHub: https://github.com/aquasecurity
- GitHub Action: https://github.com/aquasecurity/trivy-action
- VS Code Extension: https://github.com/aquasecurity/trivy-vscode-extension
- Helm Chart: https://artifacthub.io/packages/helm/aqua/trivy-operator
- Docker Image: https://hub.docker.com/r/aquasec/trivy
- Releases: https://github.com/aquasecurity/trivy/releases
Profiled: 2026-05