Using trivy - SethBodine/audit-tools GitHub Wiki
Trivy is a comprehensive vulnerability and misconfiguration scanner. It covers container images, filesystems, Git repositories, Kubernetes clusters, and infrastructure as code. It detects OS package vulnerabilities, application dependency issues, exposed secrets, and IaC misconfigurations.
- Scans container images, filesystems, repos, Kubernetes, and IaC
- Detects CVEs, misconfigurations, exposed secrets, and license issues
- Supports Terraform, CloudFormation, Kubernetes, Helm, Dockerfile
- Outputs to table, JSON, SARIF, CycloneDX, and SPDX
No setup required. Run from the shell.
Container images:

```shell
trivy image <image-name>:<tag>                                # e.g. trivy image nginx:latest
trivy image --severity HIGH,CRITICAL <image-name>
trivy image -f json -o /output/trivy-image.json <image-name>
```

Filesystems:

```shell
trivy filesystem <path>                                       # e.g. trivy filesystem .
trivy filesystem --scanners vuln,secret <path>
```

Git repositories:

```shell
trivy repo <repo-url>                                         # e.g. trivy repo https://github.com/org/repo
trivy repo .                                                  # scan current directory as a repo
```

IaC misconfigurations:

```shell
trivy config <path>                                           # scan IaC files for misconfigurations
trivy config --severity HIGH,CRITICAL <path>
trivy config <terraform-directory>
trivy config <k8s-manifests-directory>
trivy filesystem <k8s-manifests-directory>                    # add --scanners misconfig to include IaC checks in a filesystem scan
```

Kubernetes clusters:

```shell
trivy k8s --report summary cluster
trivy k8s --report all cluster
```

Secrets:

```shell
trivy filesystem --scanners secret <path>
trivy image --scanners secret <image-name>
```

SBOM generation:

```shell
trivy image --format cyclonedx <image-name> > /output/sbom.json
```

TBC
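The JSON report written by `trivy image -f json -o ...` is what a CI step usually consumes. The script below is an added example, not part of this wiki or of the trivy project: it reads a report in trivy's SchemaVersion 2 layout (`Results[]` sections each carrying `Vulnerabilities`, `Misconfigurations` or `Secrets`), counts findings by class and severity, and decides whether to block a build. The sample report, its image name and its `CVE-0000-...` identifiers are constructed placeholders; the gating policy (block on fixable findings at or above a threshold, mirroring the effect of `--ignore-unfixed`) is this example's own choice.

```python
"""Summarise a trivy JSON report and gate a build on it (added example, not trivy's own code)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image -f json` output (SchemaVersion 2).
# The image name and CVE identifiers are placeholders, not real artefacts.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-PLACEHOLDER", "Title": "Image runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
            ],
        },
        {
            "Target": "app/.env",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "placeholder-rule", "Category": "Example",
                 "Severity": "CRITICAL", "Title": "Example token"},
            ],
        },
    ],
})

# Rank order used for threshold comparisons; anything unrecognised ranks lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _load(report):
    """Accept either a JSON string or an already-parsed dict."""
    return json.loads(report) if isinstance(report, str) else report


def findings(report):
    """Yield (kind, severity, fixable) for every finding in every result section.

    Vulnerabilities are fixable when trivy reports a FixedVersion; failed
    misconfigurations and secrets are always treated as actionable.
    """
    for result in _load(report).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield "vuln", v.get("Severity", "UNKNOWN"), bool(v.get("FixedVersion"))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL":
                yield "misconfig", m.get("Severity", "UNKNOWN"), True
        for s in result.get("Secrets") or []:
            yield "secret", s.get("Severity", "UNKNOWN"), True


def summarise(report):
    """Return {(kind, severity): count} across the whole report."""
    counts = Counter()
    for kind, sev, _ in findings(report):
        counts[(kind, sev)] += 1
    return dict(counts)


def should_fail(report, threshold="HIGH", fixable_only=True):
    """True if any finding at or above `threshold` should block the build.

    With fixable_only=True, vulnerabilities without a FixedVersion are
    counted in the summary but do not block, like `trivy --ignore-unfixed`.
    """
    min_rank = SEVERITY_RANK.get(threshold, 0)
    for _, sev, fixable in findings(report):
        if SEVERITY_RANK.get(sev, 0) >= min_rank and (fixable or not fixable_only):
            return True
    return False


if __name__ == "__main__":
    # Usage: python3 gate.py /output/trivy-image.json  (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for (kind, sev), n in sorted(summarise(data).items()):
        print(f"{kind:10s} {sev:9s} {n}")
    sys.exit(1 if should_fail(data) else 0)
```

Run trivy first (`trivy image -f json -o /output/trivy-image.json <image-name>`), then point the script at the output file; a non-zero exit blocks the pipeline. Lower `threshold` or set `fixable_only=False` to tighten the gate.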