Getting Started Guide
How to Install and Use Trivy
This guide covers installing Trivy and scanning container images, filesystems, and git repos for vulnerabilities, misconfigurations, and secrets.
Prerequisites
- Linux, macOS, or Windows
- Docker (only needed to scan images from the local Docker daemon; Trivy pulls images from remote registries on its own)
Install Trivy
Install Trivy from your package manager or download the binary.
macOS
brew install trivy
Debian/Ubuntu (add Aqua Security's apt repository first, following the Trivy installation docs; trivy is not in the default Debian or Ubuntu repositories)
sudo apt install trivy
Verify
trivy version
Scan a Container Image
Scan a Docker image for known vulnerabilities in OS packages and application dependencies.
Scan an image
trivy image python:3.11
Critical and high only
trivy image --severity CRITICAL,HIGH python:3.11
Scan a local image
trivy image myapp:latest
Note: Trivy downloads its vulnerability database on first run and refreshes it when it is stale, so the first scan is slower and needs network access. It scans both OS-level packages (dpkg/apt, apk, rpm) and language-specific dependencies (pip, npm, gem, etc.). A tag such as python:3.11 is mutable, so the same command can report different results on different days; when you need a result tied to one specific image, scan it by digest (image@sha256:<digest>).
Scan Your Project Directory
Scan a local filesystem for vulnerabilities in lock files, IaC misconfigurations, and exposed secrets.
Full filesystem scan (by default trivy fs runs the vulnerability and secret scanners; add --scanners vuln,secret,misconfig to include IaC misconfigurations)
trivy fs .
Vulnerabilities only
trivy fs --scanners vuln .
Secrets only
trivy fs --scanners secret .
Misconfig only (Terraform, Kubernetes manifests, Dockerfile)
trivy fs --scanners misconfig .
Scan a Git Repository
Scan a remote git repository without cloning it yourself (Trivy clones it into a temporary directory).
Scan a GitHub repo
trivy repo https://github.com/owner/repo
CI/CD Integration
Use Trivy in your build pipeline to catch vulnerabilities before deployment.
Exit with error on critical
trivy image --exit-code 1 --severity CRITICAL myapp:latest
JSON output for parsing
trivy image --format json --output results.json myapp:latest
SARIF for GitHub Security
trivy image --format sarif --output trivy.sarif myapp:latest
Note: The --exit-code 1 flag makes Trivy return exit code 1 when it finds vulnerabilities at the selected severities (and 0 otherwise), which fails the CI step. This is how you gate deployments on scan results. Two flags keep such a gate workable in practice: --ignore-unfixed skips findings for which no fixed package version exists yet, so the build is not blocked on something you cannot patch, and a .trivyignore file in the working directory lists accepted findings by ID so they are excluded from the result. The SARIF file can be uploaded with the github/codeql-action/upload-sarif action so findings appear in the repository's Security tab.
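The CI gate described above, as a worked example added to this guide (it is not Trivy's own code or part of the original page): a Python script that reads the results.json written by the JSON command and decides whether the build should fail. It assumes the Trivy JSON report layout with Results[].Vulnerabilities[] and the field names VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity; the embedded report and its CVE-0000-* identifiers are constructed placeholders, not real findings. Trivy's own --exit-code, --ignore-unfixed and .trivyignore express the same default policy natively; a script like this is for when you want a policy Trivy's flags do not cover or a job log that shows what was waived and why.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code).

Input: the file written by `trivy image --format json --output results.json`.
Assumed layout (Trivy JSON schema v2): Results[].Vulnerabilities[] with fields
VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
Policy: block on CRITICAL/HIGH findings that have a fix and are not waived;
unfixed findings are listed but do not block (like Trivy's --ignore-unfixed).
"""
import json
import sys

FAIL_SEVERITIES = frozenset({"CRITICAL", "HIGH"})

# Constructed sample report. The CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "myapp:latest", "ArtifactType": "container_image",
    "Results": [
        {"Target": "myapp:latest (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "Severity": "CRITICAL",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2"},
             # No FixedVersion: the distro has not shipped a fix yet.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "Severity": "HIGH",
              "InstalledVersion": "2.1.0"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib", "Severity": "HIGH",
              "InstalledVersion": "0.9", "FixedVersion": "1.0"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "otherlib", "Severity": "MEDIUM",
              "InstalledVersion": "3.0", "FixedVersion": "3.1"},
         ]},
        # A secret-scanner result carries "Secrets", not "Vulnerabilities".
        {"Target": "app/config.py", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL"}]},
    ],
}


def load_findings(report):
    """Flatten Results[].Vulnerabilities[] into plain dicts; tolerate missing keys."""
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def parse_ignore_file(text):
    """Parse a .trivyignore-style list: one ID per line, '#' comments, blank lines."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def evaluate(report, ignored=frozenset(), fail_on=FAIL_SEVERITIES, ignore_unfixed=True):
    """Split findings into (blocking, waived); each waived entry carries a reason."""
    blocking, waived = [], []
    for f in load_findings(report):
        if f["severity"] not in fail_on:
            continue  # below the gate threshold
        if f["id"] in ignored:
            waived.append((f, "accepted risk in ignore list"))
        elif ignore_unfixed and not f["fixed"]:
            waived.append((f, "no fixed version available"))
        else:
            blocking.append(f)
    return blocking, waived


def gate(report, ignored=frozenset()):
    """Print a summary and return the exit code for the CI step (1 blocks)."""
    blocking, waived = evaluate(report, ignored)
    for f, reason in waived:
        print(f"WAIVED {f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} ({reason})")
    for f in blocking:
        print(f"BLOCK  {f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} "
              f"-> fixed in {f['fixed']} [{f['target']}]")
    print(f"{len(blocking)} blocking, {len(waived)} waived")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python trivy_gate.py results.json [.trivyignore]; no args runs the sample.
    if len(sys.argv) < 2:
        sys.exit(gate(SAMPLE_REPORT))
    with open(sys.argv[1]) as fh:
        report = json.load(fh)
    ignored = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            ignored = parse_ignore_file(fh.read())
    sys.exit(gate(report, ignored))
```

Run it as python trivy_gate.py results.json .trivyignore right after the JSON scan step; with no arguments it runs against the constructed report and exits 1 because CVE-0000-0001 and CVE-0000-0003 are fixable and above the gate, while the unfixed CVE-0000-0002 is only listed as waived.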