Wiki · Concept · Last reviewed June 25, 2026

Trivy

Trivy is Aqua Security's open source scanner for finding vulnerabilities, secrets, misconfigurations, license issues, and software bills of materials across containers, repositories, filesystems, and Kubernetes.

Definition

Trivy is a comprehensive open source security scanner maintained by Aqua Security. The public aquasecurity/trivy repository describes targets such as container images, filesystems, remote Git repositories, virtual machine images, Kubernetes, and AWS. Its scanners cover vulnerabilities, misconfigurations, secrets, licenses, and SBOM discovery.

That breadth makes Trivy different from a single-purpose static analyzer. It can inspect a container image that will run an inference service, a filesystem tree for an agent tool, a repository touched by an AI coding assistant, an existing SBOM, or Kubernetes resources that deploy the workload.

How It Works

Trivy runs from the command line or through integrations. Its target-specific documentation includes trivy image for container images, trivy fs for local filesystems, trivy repo for local or remote repositories, and Kubernetes scanning for cluster and resource checks. The filesystem documentation says local project scans can cover vulnerabilities, misconfigurations, secrets, and licenses, with vulnerability and secret scanning enabled by default.

For repositories, Trivy's documentation says the repo target is intended for local or remote repository scanning in developer machines or CI, and focuses on lock files rather than built artifacts such as JARs or binaries. For container images, the documentation covers vulnerability, misconfiguration, secret, and license checks, including secret scanning of image configuration data.

Trivy can also generate and consume SBOMs. Its SBOM documentation describes generation in SPDX and CycloneDX formats, and separate SBOM scanning can check an existing bill of materials for known vulnerabilities.

Agent Context

AI coding agents often modify dependency files, Dockerfiles, Kubernetes manifests, build scripts, and deployment examples in one patch. Trivy is useful because those changes cross the line between source code and deployable artifact. A repository scanner may catch a vulnerable package in a lockfile; an image scan may catch an operating-system package added by a Dockerfile; a Kubernetes scan may catch a risky manifest the agent generated as scaffolding.

The control pattern is simple: treat agent-generated infrastructure as untrusted until scanned. Store the scan command, target, Trivy version, database timestamp where available, output artifact, and final human decision. If the agent claims it fixed a vulnerability, rerun the same target and compare the finding rather than trusting the explanation.
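A worked example of the rerun-and-compare step, added here and not taken from Trivy's own code or documentation: it indexes the Vulnerabilities arrays of two Trivy JSON reports (constructed for the example, with placeholder CVE ids rather than real ones) by target, id and package, and checks an agent's "I fixed it" claim against the diff of the two scans instead of against the explanation.

```python
import json

# Constructed Trivy-style JSON reports (not real scanner output); CVE ids are placeholders.
def _report(results):
    return json.dumps({"SchemaVersion": 2, "ArtifactName": "example-app:dev",
                       "ArtifactType": "container_image", "Results": results})

def _vuln(vid, pkg, installed, fixed, severity):
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}

BEFORE = _report([
    {"Target": "example-app:dev (alpine)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [_vuln("CVE-0000-00001", "libfoo", "1.0.0", "1.0.1", "HIGH"),
                         _vuln("CVE-0000-00002", "libbar", "2.3.0", "2.3.1", "CRITICAL")]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
     "Vulnerabilities": [_vuln("CVE-0000-00003", "examplepkg", "0.9", "1.0", "MEDIUM")]}])

# Rerun after the agent's patch: libfoo upgraded, libbar and examplepkg untouched,
# one newly added dependency with a finding, and a target with no findings at all.
AFTER = _report([
    {"Target": "example-app:dev (alpine)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [_vuln("CVE-0000-00002", "libbar", "2.3.0", "2.3.1", "CRITICAL")]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
     "Vulnerabilities": [_vuln("CVE-0000-00003", "examplepkg", "0.9", "1.0", "MEDIUM"),
                         _vuln("CVE-0000-00004", "newdep", "0.1", "0.2", "HIGH")]},
    {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"}])

def findings(report_json):
    """Index every vulnerability in a Trivy JSON report by (target, id, package)."""
    index = {}
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the Vulnerabilities key for targets without findings, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            index[(result["Target"], vuln["VulnerabilityID"], vuln["PkgName"])] = vuln
    return index

def compare_scans(before_json, after_json):
    """Diff two reports of the same target: what disappeared, persisted, and appeared."""
    before, after = findings(before_json), findings(after_json)
    return {"fixed": sorted(k for k in before if k not in after),
            "remaining": sorted(k for k in before if k in after),
            "new": sorted(k for k in after if k not in before)}

def verify_fix_claim(before_json, after_json, vuln_id):
    """True only if vuln_id was present before and no occurrence of it survives the rerun."""
    diff = compare_scans(before_json, after_json)
    was_present = any(k[1] == vuln_id for k in diff["fixed"] + diff["remaining"])
    return was_present and not any(k[1] == vuln_id for k in diff["remaining"])
```

Real input comes from `trivy image --format json` or `trivy fs --format json` run twice on the same target; record the Trivy version and database state alongside each report, since the comparison only means something when those match.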

Governance Use

A governance-grade Trivy workflow should preserve the target type, target digest or commit, command flags, scanner selection, configuration file, ignored findings, result format, vulnerability database state, SBOM output, and reviewer decision. If results feed GitHub code scanning or another review surface through SARIF, preserve both the original Trivy output and the uploaded artifact.

Trivy belongs beside OSV, CVE, CVSS, CycloneDX, SPDX, CodeQL, and Semgrep. It can report evidence from several layers, but it is not a release approval process by itself.

Limits

Trivy's output depends on the target scanned and the data available to the scanner. A repository scan may differ from an image scan because lockfiles, source trees, built artifacts, base images, and package managers expose different evidence. A clean scan of one target does not prove that another target is clean.

Vulnerability findings also require reachability and exposure judgment. A known vulnerable package may be unreachable in a deployed path, while a clean vulnerability scan may still miss prompt injection, unsafe tool permissions, leaked model outputs, business-logic errors, or private vulnerabilities. Ignored findings and generated suppressions should receive especially close review when an agent produced the patch.

Source Discipline

Claims about Trivy should cite Trivy's official documentation or the aquasecurity/trivy repository. A real audit note should state the Trivy version, target, command, scanner set, database update state, SBOM format, ignored findings, and date checked.

Spiralist Reading

Spiralism reads Trivy as artifact skepticism. Modern AI work does not ship as model code alone; it ships as containers, manifests, lockfiles, images, notebooks, tool servers, and copied examples. Trivy asks each artifact what it is carrying.

For agentic development, that question matters because a fluent patch can hide risk in the packaging layer. The scanner is not a judge, but it keeps the hidden layers in the room while humans decide what to ship.
