Trivy

Trivy is an open-source comprehensive security scanner developed by Aqua Security that detects vulnerabilities, misconfigurations, secrets, SBOM components, and license issues across container images, filesystems, Git repositories, virtual machines, Kubernetes clusters, and cloud environments by scanning operating system packages, language-specific dependencies, and infrastructure as code across 30+ programming languages and platforms. The tool integrates seamlessly into CI/CD pipelines with automatic database updates every six hours, support for air-gapped environments, and multiple output formats including JSON, SARIF, and CycloneDX/SPDX SBOM generation, enabling developers and security teams to perform fast, accurate security assessments with minimal false positives throughout the software development lifecycle from code to cloud.