Software Development & Delivery · Public

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Best fitUsers who want source-backed project understanding before installing it.

Check whether this project matches your task before installing it.

What it can doskill, recipe, host_instruction, eval, preflight

Review the portable capability path.

Before continuingVerify in a sandbox

Do not treat a preview pack as a proven local install.

GitHub snapshot36k stars

474 forks · 535 contributors

Doramagic.ai Last verification date: 2026-06-19 Verification method: source evidence, semantic profile, public page gate, and static build acceptance.

Official first step Read manual preview Source repository

Publication status · 2026-06-19

What is trivy?

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Best fit: Users who want source-backed project understanding before installing it.
Not for: Not for users who want to skip sandbox verification or cannot accept configuration, permission, or maintenance overhead.
Capability added to an AI workflow: skill, recipe, host_instruction, eval, preflight
First safe verification step: Verify the smallest path in an isolated environment and keep a rollback path.
Verification state: source, Quick Start, and sandbox install checks are recorded as passed.
Top risk: May increase setup, validation, or first-run risk for the user.
Evidence base: https://github.com/aquasecurity/trivy, https://github.com/aquasecurity/trivy#readme, Human Manual, Pitfall Log

Quick decision

Use this section to decide whether the project is worth a deeper read.

Best forUsers who want source-backed project understanding before installing it.

Match the project to your task before installing it.

Capabilityskill, recipe, host_instruction, eval, preflight

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Repositoryaquasecurity/trivy

36k stars · 474 forks

What it can do

Translate the upstream project into concrete capabilities the user can judge before installing.

Trivy Overview and Getting Started

Related topics: System Architecture and Core Components, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC, Configuration, Output Formats, Reporting, Pl...

Source: https://github.com/aquasecurity/trivy / Human Manual

System Architecture and Core Components

Related topics: Trivy Overview and Getting Started, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC, Configuration, Output Formats, Reporting, Plugins...

Source: https://github.com/aquasecurity/trivy / Human Manual

Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC

Related topics: Trivy Overview and Getting Started, System Architecture and Core Components, Configuration, Output Formats, Reporting, Plugins, and Operations

Source: https://github.com/aquasecurity/trivy / Human Manual

Configuration, Output Formats, Reporting, Plugins, and Operations

Related topics: Trivy Overview and Getting Started, System Architecture and Core Components, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC

Source: https://github.com/aquasecurity/trivy / Human Manual

Doramagic Pitfall Log

Source-linked risks stay visible on the manual page so the preview does not read like a recommendation.

Source: Doramagic discovery, validation, and Project Pack records

Sources: https://github.com/aquasecurity/trivy, Human Manual, Project Pack evidence, and downstream validation signals.

Community Discussion Evidence

Project-level external discussion stays visible on the detail page, not only inside the manual.

Stars36k stars

Forks474 forks

Contributors535 contributors

Licenseunknown

Community Discussion Evidence

12 source-linked items

Review these external discussions before using trivy with real data or production workflows. They are review inputs, not standalone proof that the project is production-ready.

01
--no-color
github / github_issue
02
feat(misconf): add CloudFront standard logging v2 support to AVD-AWS-001
github / github_issue
03
bug: project dependencies are not extracted from pnpm-lock.yaml with mul
github / github_issue
04
v0.71.1
github / github_release
05
v0.71.0
github / github_release
06
v0.70.0
github / github_release
07
v0.69.3
github / github_release
08
v0.69.2
github / github_release
09
v0.26.0
github / github_release
10
v0.25.4
github / github_release
11
v0.25.3
github / github_release
12
v0.25.2
github / github_release

How to start

Only source-backed commands are shown here. Verify them in an isolated environment first.

Try the prompt first

Test the workflow without installing the upstream project.

preview

Read the Human Manual

Understand inputs, outputs, limits, and failure modes.

manual

Take context to your AI host

Use the compiled assets in your preferred AI environment.

context

Run sandbox verification

Confirm install commands and rollback before using a primary environment.

verify

docker run aquasec/trivy

Official start command · https://github.com/aquasecurity/trivy#readme · verified: yes

Human Manual

The English page must expose the real manual, not a short placeholder.

8+ sections · Human Manual

trivy Manual

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Open the full manual

https://github.com/aquasecurity/trivy Project Manual
Table of Contents
Trivy Overview and Getting Started
Related Pages
What is Trivy
Installation
General Usage
Workflow overview

Trivy Overview and Getting Started

Related topics: System Architecture and Core Components, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC, Configuration, Output Formats, Reporting, Pl...

Source: https://github.com/aquasecurity/trivy / Human Manual

System Architecture and Core Components

Related topics: Trivy Overview and Getting Started, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC, Configuration, Output Formats, Reporting, Plugins...

Source: https://github.com/aquasecurity/trivy / Human Manual

Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC

Related topics: Trivy Overview and Getting Started, System Architecture and Core Components, Configuration, Output Formats, Reporting, Plugins, and Operations

Source: https://github.com/aquasecurity/trivy / Human Manual

Configuration, Output Formats, Reporting, Plugins, and Operations

Related topics: Trivy Overview and Getting Started, System Architecture and Core Components, Scanning Capabilities: Vulnerabilities, Misconfigurations, Secrets, Licenses, and IaC

Source: https://github.com/aquasecurity/trivy / Human Manual

Doramagic Pitfall Log

Source-linked risks stay visible on the manual page so the preview does not read like a recommendation.

Source: Doramagic discovery, validation, and Project Pack records

AI Context Pack and portable assets

After deciding to continue, take the project context into your own AI host.

Complete pack plus user-owned assets

These files are planning and verification assets for Claude Code, Codex, Gemini, Cursor, ChatGPT, and other AI hosts.

Download complete pack Read Human Manual

BundleComplete Project Pack AssetAI Context Pack AssetBoundary & Risk Card AssetHuman Manual AssetPitfall Log AssetPrompt Preview AssetQuick Start EvidenceREPO_INSPECTION.json

Preflight checks

Treat this page as a planning asset, not proof that your local environment is ready.

The manual is generated from source-linked project files and Doramagic validation signals.
Community evidence warnings stay visible instead of being converted into marketing claims.
This English page is indexable because the locale quality gate passed and explicit English index approval is enabled.
Use the upstream repository as the final authority for installation commands, license, and version-specific behavior.