
Trivy
Vulnerability, misconfiguration, and secrets scanner
The Lens
Trivy scans everything in your stack for vulnerabilities: container images, filesystems, Git repos, Kubernetes clusters and configs, cloud infrastructure such as AWS accounts, and Terraform configs. One tool, one command, comprehensive results.
It's a security X-ray machine. Point it at anything in your stack and it tells you what's vulnerable, misconfigured, or leaking secrets. It checks against multiple vulnerability databases and updates them automatically.
Apache 2.0, backed by Aqua Security. The most popular open source security scanner in the container ecosystem.
The catch: Trivy finds problems; it doesn't fix them. You'll get a list of CVEs and misconfigurations, and then it's on you to remediate. At scale, the volume of findings can be overwhelming without a management layer on top. Aqua's commercial platform provides that management layer, which is exactly the upsell.
Free vs Self-Hosted vs Paid
**Free (Apache 2.0):** The full Trivy CLI and all scanning capabilities. Container scanning, SBOM generation, Kubernetes scanning, IaC scanning, secret detection. No feature gates, no scan limits.
**Paid (Aqua Platform):** Aqua Security's commercial platform uses Trivy as its scanning engine and adds: centralized dashboard, policy management, runtime protection, compliance reporting, and team collaboration. Enterprise pricing; contact Aqua for quotes.
The free tool does the scanning. The paid platform manages the results across teams and environments. For a solo developer or small team, Trivy CLI is all you need. When you have 50+ services and need compliance reporting, that's when Aqua's platform earns its price.
Free scanner covers everything. Pay Aqua when you need centralized management across large environments.
About
- Stars: 34,366
- Forks: 239





