Trivy offers comprehensive scanning for files, images, repositories, and infrastructure. It's open-source and integrates with CI/CD for vulnerability detection and security enhancement.
| Product | Mindshare (%) |
|---|---|
| Trivy | 2.9% |
| Wiz | 9.1% |
| Prisma Cloud by Palo Alto Networks | 7.8% |
| Other | 80.2% |
| Type | Title | Date | |
|---|---|---|---|
| Category | Container Security | Jun 30, 2026 | Download |
| Product | Reviews, tips, and advice from real users | Jun 30, 2026 | Download |
| Comparison | Trivy vs Wiz | Jun 30, 2026 | Download |
| Comparison | Trivy vs Prisma Cloud by Palo Alto Networks | Jun 30, 2026 | Download |
| Comparison | Trivy vs SentinelOne Singularity Cloud Security | Jun 30, 2026 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| Wiz | 4.4 | 9.1% | 97% | 48 interviewsAdd to research |
| SentinelOne Singularity Cloud Security | 4.4 | 4.5% | 99% | 130 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 3 |
| Midsize Enterprise | 1 |
| Large Enterprise | 8 |
| Company Size | Count |
|---|---|
| Small Business | 249 |
| Midsize Enterprise | 149 |
| Large Enterprise | 601 |
Trivy scans vulnerabilities in code, Docker images, containers, and infrastructure. It integrates seamlessly into DevOps pipelines, ensuring security in dependency management and open source vulnerabilities. This tool, lightweight and open-source, provides user-friendly reports and supports continuous vulnerability database updates, fostering ease of use across operating systems. Users benefit from its scanning capabilities, covering Kubernetes, AWS credentials, and GCP service accounts, effectively identifying vulnerabilities and misconfigurations.
What are Trivy's key features?In industries like technology and finance, Trivy is used extensively to secure applications, perform compliance checks, and offer security metrics visualization. It addresses microservices, container systems, and Kubernetes clusters security requirements, supporting DevOps teams and enhancing codebase analysis precision.
| Author info | Rating | Review Summary |
|---|---|---|
| Senior Security Consultant at Ernst & Young | 5.0 | I primarily use Trivy for container and Kubernetes security, integrating it with Azure DevOps for vulnerability scans. Its feature set is impressive, though it generates false positives and struggles with database updates. Transitioning from Clair and Anchore proved beneficial. |
| Principal DevSecOPs at a computer software company with 10,001+ employees | 4.0 | I primarily use Trivy to scan Docker images and application code for vulnerabilities. Its open-source nature, ease of integration, and vulnerability checks are invaluable. However, it could benefit from dynamic scanning during runtime, a user interface, and better SIEM integration. |
| DevOps Engineer at Interdiciplinary center | 4.0 | I utilize Trivy to scan Docker images for vulnerabilities before production. Its open-source nature and integration capability with GitLab CI make it valuable. However, building a UI is challenging, especially due to its lack of intuitive or pre-packaged solutions. |
| Cloud DevOps Lead at Venturenox | 4.5 | I use Trivy for vulnerability scanning in Docker images as part of our CI/CD pipelines due to its open-source nature, simplicity, and speed. Although effective, it needs enhanced report analysis features and YAML configuration scanning capabilities for better utility. |
| Senior Engineering Manager at Ninjacart | 4.5 | I use Trivy in my DevSecOps process to scan container applications and images in Kubernetes, identifying vulnerabilities and expired libraries. While integrated with Grafana for metrics, I also use ClamAV for malware detection, wishing for a single-tool solution. |
| Software Engineer at a tech vendor with 10,001+ employees | 4.5 | I have used Trivy for three years to scan packages and Docker images for vulnerabilities, integrating it with Jenkins to fail builds with issues. Trivy's ease of use and reliable, up-to-date database set it apart from previous solutions. |
| Software Engineer at a manufacturing company with 10,001+ employees | 4.0 | We use Trivy for security and malware testing in our code bases. Its integration with the CI/CD pipeline is seamless and scalable. However, the report interpretation could be improved. Trivy complements our other static analysis tools like Coverity and Bandit. |
| Project Associate Engineer at a tech vendor with 501-1,000 employees | 4.5 | I use Trivy for scanning Docker images and containers within CI/CD pipelines. Its standout features include repository scanning, automatic solutions for vulnerabilities, and easy Linux integration. The tool could improve its UI and expand its policies and signatures. |
| DevOps Developer at a comms service provider with 11-50 employees | 4.0 | I use Trivy to scan for vulnerabilities in code before deployment, ensuring no issues with dependencies or secrets. Its ability to handle various formats is valuable. However, improved marketing and potential AI integration could enhance its functionality. |
| Framework Engineer at a tech services company with 1,001-5,000 employees | 4.0 | I utilize Trivy in pipelines for vulnerability scanning and find its ability to check AWS credentials and GCP accounts valuable. While setup is quick, improvements are needed in output formats and issue resolution on GitHub. Trivy outperformed Snyk and DockerBank Security. |
I use Trivy mainly for container security, specifically for scanning our images. I have integrated it with our CI/CD pipelines, mainly Azure DevOps, for scanning images for vulnerabilities.
Additionally, I use it for Kubernetes security, scanning namespaces for misconfigurations or security metrics. I also help my cloud team scan Terraform for misconfigurations and compliance checks.
The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma. It also offers repository scanning in the source code domain, allowing pre-push code scans. The misconfiguration detection works well for CloudFormation, Docker files, and Terraform.
Its compliance support, like NIST, ensures that configurations align with standards. Trivy helps me significantly detect misconfigurations missed by the ops engineers or in Terraform by the naked eye. It ensures that my deployments are free of misconfigurations and vulnerabilities.
Trivy generates many false positives, flagging non-existent vulnerabilities. Improvements could include better contextual analysis or granular filtering.
Scanning larger workloads takes longer due to slow database updates during initial scans. Enhancements in RBAC or network policy scanning capabilities would be beneficial.
I have been working with Trivy for almost two years.
Trivy is stable. However, the initial scan takes time to load the database. After that, it works efficiently and straightforwardly.
Trivy's scalability is crucial, allowing efficient scanning of multiple workloads, images, Kubernetes clusters, and CI/CD pipelines. My organization benefits from its ability to scale quickly, especially with our policy of shiplift capability, where every code is scanned often.
Customer support has been great, although time zone differences between their location and India sometimes cause communication delays. Nonetheless, their answers and solutions are on point.
Neutral
Before Trivy, I used Clair and Anchore. I switched to Trivy for its comprehensive compliance, IAC, and code capabilities. For coding analysis, I used SonarQube, and for Terraform, TeraScan before using Trivy.
The setup is straightforward and did not present any issues.
A team of two to three people works on maintaining and updating Trivy.
I cannot speak to financial ROI, but Trivy increased my operational efficiency and precision. I work more effectively on deployments, and the scanning reports allow quick remediation of misconfigurations or vulnerabilities, likely contributing to financial growth.
I performed a POC with Trivy and considered exploring Palo Alto and Prisma Cloud. However, the CWPP capabilities were not on point, so I chose Trivy.
I would advise new users to explore all aspects of Trivy, not just using it for image scanning or clusters. It offers much more, including compliance and IAC scanning. Initially, I was unaware of its full capabilities, but it is more than a scanning tool.
Overall, I would rate Trivy a ten out of ten.
I mainly use Trivy for two primary use cases. One is to scan Docker images for vulnerabilities, and I also use it to find open source vulnerabilities in application code.
Trivy's open source nature and wide functionality are incredibly valuable. It can scan Kubernetes files, detect Dockerfile issues, and even scan Terraform code. The ease of use and ability to integrate into CI/CD pipelines in a straightforward manner make it a beneficial tool.
Additionally, it supports all operating systems and maintains an up-to-date security vulnerability CVE list. Another major advantage is its ability to find secrets and sensitive information in code.
Currently, the container image scanning is static. A dynamic scanning capability during runtime would be a significant advantage.
Additionally, the open-source vulnerability database could be more extensive. Trivy lacks a user interface, report generation, and SIEM integration.
I have been using Trivy for four years now.
I have never faced any performance issues with Trivy.
I have not experienced any scalability issues. Being command-line based, Trivy can run multiple times without difficulty or slowness.
I have never escalated any issues as Trivy is open-source.
Neutral
Before Trivy, I used another open-source tool but found it was not well managed. I evaluated Snyk and Sonatype Nexus container scanner.
The initial setup of Trivy is very straightforward. It takes about five to ten minutes to set up and requires no special steps.
Using Trivy, I've achieved significant cost savings, with the estimated savings being around $40,000 to $50,000.
The cost was a primary consideration for choosing Trivy as it is free of cost and offers all the necessary functionality, reducing the need for paid solutions.
I recommend thoroughly understanding all the features of Trivy and its command-line options. This knowledge will help better integrate it into CI/CD pipelines and decide when to exit scanning if detections occur.
On a scale of one to ten, I would rate Trivy as an eight out of ten.
Although it lacks a user interface and report generation, its robust functionality and cost-effectiveness make it a top choice.
The main use case for Trivy is to scan Docker images or packages for CVEs, specifically for vulnerabilities. I use the tool to ensure that newly built Docker images do not have critical vulnerabilities before they are pushed to production.
Additionally, I have integrated Trivy into the Kubernetes cluster alongside policy reports to display a UI for all CVEs.
I appreciate Trivy for being open-source and not requiring any payment. It has a comprehensive database of vulnerabilities and is regularly updated. I find the tool useful as it can integrate with GitLab CI for efficient scanning of Docker images and provides functionality to scan packages and static code.
Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production.
One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example. It is not intuitive or pre-packaged, making it challenging for users like me who need to develop their own UI.
Additionally, having little experience can hinder the ability to connect it to a user-friendly UI effectively.
I have not experienced any stability issues with Trivy. The operator has been running for a long time in the environment without any problems.
I have found scalability not to be an issue with Trivy as it runs in CI/CD jobs. Once a job finishes, the process terminates, eliminating the need for scaling.
Although I have not had to contact the support team regularly, I did reach out to them on Discord for assistance with installing a UI for the Trivy operator in Kubernetes. They were helpful in guiding me on the tools to use and the correct approach.
Neutral
Trivy itself is completely free, and it even has built-in integration with GitLab. However, the built-in integration in GitLab requires payment.
I rate Trivy an eight out of ten. This rating reflects its open-source nature, comprehensive scanning capabilities, and its regular updates. The only downside is the absence of a native UI, which would enhance user experience.
I use Trivy for vulnerability scanning in Docker images for our microservices applications. I have integrated it into our infrastructure scanning as well. I have also written a blog on it, which is published on my LinkedIn. Furthermore, it is part of our CI/CD pipelines, being used automatically every day.
The first thing I like about Trivy is that it is open-source. It is very convenient and fast, making it easy for developers, even without prior knowledge, to set up within minutes using the documentation. This ease and simplicity are key reasons we use Trivy. We had options like Security Onion and Aqua Tracee but chose Trivy due to its reliability, convenience and community.
In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis. It would be beneficial to have an automated report mechanism for outputs in formats like CSV or JSON. Additionally, especially as the world is moving towards AI, it would be helpful to give recommendations based on scanning reports. It can also give recommendations in enhancing cluster security if somehow AI is induced in it.
I have used Trivy twice in my career: about three years ago and again in the last couple of months.
Trivy is very stable. We have not encountered any issues with running Trivy inside pipelines of our CICD or in our system.
Trivy is quite scalable, supporting our nine to eleven microservices for image scanning quickly in our CI/CD pipelines. The main enhancement needed is a proper report mechanism for better scalability.
I just use the documentation or, if needed, Google it as there is a large community support.
Positive
We explored Security Onion and Aqua Tracee before choosing Trivy. It met our expectations due to its simplicity, speed, stability, and ability to scan vulnerabilities and infrastructures.
The initial setup was seamless due to the clear documentation. One can read it and set it up within a few minutes.
I did everything myself, without needing any help from my team. I am the Cloud and DevOps engineer at my company so it falls under my responsibility to set it up.
Since Trivy is open-source, we do not pay anything for it.
We evaluated Security Onion and Aqua Tracee, however, ultimately chose Trivy for its simplicity and reliability and we already had experience with it.
If you are looking for vulnerability scanning for your Docker images or infrastructure misconfigurations, like Terraform files or Helm charts, Trivy is the solution you should consider.
Overall, I rate Trivy a nine out of ten.
I am implementing Trivy as part of my DevSecOps process in the CSCD pipelines to scan my container applications and container images.
I can see vulnerabilities in the images of any applications deployed in the Kubernetes environment or as container applications.
Prior to deploying to production, I can identify the vulnerabilities and find ways to fix them. I can check for any libraries that are expired, and it also performs dependency checks, allowing me to fix these issues before making my production system vulnerable.
I have integrated this with Grafana as part of my observability stack. I use Grafana as an observability stack and have integrated this report with it. I am able to see those metrics from there.
For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion.
I have been using Trivy for one year.
The solution is stable.
I have multiple pods, and an auto-scaler is enabled.
Internally, we have a cybersecurity specialization team in my office. I don't see much critical difference as they are aware of these things.
Positive
Previously, I used Trivy and OpenVAS.
I didn't encounter any issues since Trivy is open-source and provided all-in-one packages like Helm charts and supported documentation. It was straightforward for me. I spent time understanding the industry and completed my cybersecurity certification from IIM, where I learned about using Trivy and OpenVAS. This experience helped me become familiar with Trivy. I didn't face many challenges since I have a solid understanding of Kubernetes and authorization.
I considered OpenVAS, which is user-friendly for container applications. However, OpenVAS is primarily based on virtual machines, designed mainly for virtual missions and on-premises setups.
I definitely recommend Trivy. Many companies are migrating to container platforms. It integrates well with observability stacks like ELK or Grafana Datadog. I advise using these tools for observability integration. I'd rate the solution nine out of ten.
Positive
We are using Trivy for status analysis tests of our code bases, primarily for security and malware testing.
The most valuable feature of Trivy is its easy integration with the CI/CD pipeline. It allows for seamless scanning of the entire code base in GitHub, making it very scalable based on how it is deployed in conjunction with CI. It has greatly facilitated our security testing and analysis processes.
The reporting could be a little better. When integrating Trivy with CI, the interpretation of the reports could be improved. The only aspect that seems to require more effort is understanding the reporting, which might need some attention.
I have used Trivy for one to two months.
Trivy is stable. With my usage so far, I haven't encountered any major stability issues.
Trivy is very scalable. With its integration into our CI setup, it can scan the whole code base efficiently. However, there might be a learning curve when using it on a standalone basis.
I haven't had the chance to talk to the support team, so I have no direct experience with their customer service. However, the documentation is good, and it helped me navigate through the setup.
Positive
We have different static analysis tools like Coverity or Bandit, however, they are not alternatives to Trivy. We use multiple methods for scanning, and Trivy complements these other tools.
The initial setup was easy, and it took just a couple of days for deployment.
I used a third party for the implementation. Trivy GitHub CI has a third-party GitHub action that I could use directly.
I didn't evaluate other options personally. Different options are used within my company. I don't recall the names.
I would recommend starting to use Trivy and explore the documentation, as it is quite comprehensive. Understanding the project pipeline first is important, as it affects the configuration and integration process. This understanding is crucial for integrating Trivy into your security pipeline.
I'd rate the solution eight out of ten.
Positive
Neutral
I use Trivy in pipelines to scan for vulnerabilities in our code, container systems, and documents. This helps me address any issues I find with the suitable developer who has worked on it.
One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts. It's customizable, allowing me to add any rules and format HTML templates as I wish. The setup process of implementing Trivy in my pipelines was straightforward, taking no more than ten minutes.
Trivy can improve by providing an output in PDF format.
Additionally, it takes longer to scan container images built with many layers. The exporting options could be better, including integration with AWS or GCP. Many open issues in GitHub could be addressed to avoid bugs and ensure a stable environment.
I've been working with the Trivy solution for eight to ten months.
Trivy is quite stable compared to other tools.
Trivy is not scalable if I need to scan 50 or 100 resources at once. While scalable for file system scans, it's not suitable for scanning multiple container images at once.
Being open source, I've raised issues on GitHub, and they were taken up quickly. However, it takes some time to implement changes and bring them into the stable version. They usually suggest opting for the enterprise version for personalized issues.
Neutral
I shortlisted Snyk and DockerBank Security, however, Trivy turned out to be better, mainly because it is open source and scans file systems and container systems, including Kubernetes clusters.
The initial setup was very straightforward and easy, taking less than ten minutes.
I would definitely recommend Trivy to others looking for an open-source file system scanner, Kubernetes cluster scanner, or container image vulnerability scanner. However, for someone with the budget, Trivy's scalability may be an issue.
Overall, I rate Trivy eight out of ten.
