Trivy Reviews

Name: Trivy
Brand: Aqua Security
Rating: 4.3 (10 reviews)

4.3 out of 5

10 reviews
100% willing to recommend

What is Trivy?

Trivy is a versatile tool for scanning container images and identifying vulnerabilities, favored for its integration with CI/CD pipelines and ease of use. It supports scanning both operating system packages and application dependencies.

Get the Container Security Buyer's Guide and find out what your peers are saying about Trivy, Wiz, Microsoft Defender for Cloud and more!

Trivy is the #9 ranked solution in Container Security Solutions. PeerSpot users give Trivy an average rating of 8.6 out of 10. Trivy is most commonly compared to Wiz: Trivy vs Wiz. Trivy is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 15% of all views.

Buyer's Guide

Container Security

April 2025

Get the category report

Helped 849,686 peers since 2012

Featured Trivy reviews

Utsav Sharma

Senior Security Consultant at Ernst & Young

The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma. It also offers repository scanning in the source code domain, allowing pre-push code scans. The misconfiguration detection works well for CloudFormation, Docker files, and Terraform. Its compliance support, like NIST, ensures that configurations align with standards. Trivy helps me significantly detect misconfigurations missed by the ops engineers or in Terraform by the naked eye. It ensures that my deployments are free of misconfigurations and vulnerabilities.

Read full review

Faizan Anwar

Cloud DevOps Lead at Venturenox

In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis. It would be beneficial to have an automated report mechanism for outputs in formats like CSV or JSON. Additionally, especially as the world is moving towards AI, it would be helpful to give recommendations based on scanning reports. It can also give recommendations in enhancing cluster security if somehow AI is induced in it.

Read full review

Jyothikumar C

Senior Engineering Manager at Ninjacart

For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion.

Read full review

Trivy mindshare

As of May 2025, the mindshare of Trivy in the Container Security category stands at 5.7%, up from 1.1% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Container Security

Key learnings from peers

Last updated Apr 29, 2025

Valuable Features

Trivy's integration with CI/CD pipelines is highly valued. Users appreciate its ability to scan AWS credentials, GCP service accounts, Kubernetes files, Docker images, and Terraform code. It's customizable and open-source. Its user-friendly nature, quick setup, and minimal resource requirements make it accessible. Trivy detects vulnerabilities, secrets, and misconfigurations efficiently. It supports various compliance standards and integrates with tools like Grafana and Jenkins, helping maintain secure, misconfiguration-free deployments.

"Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable."
"Trivy is very reliable and always has an up-to-date database to scan images and identify vulnerabilities."
"Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production."

Room for Improvement

Trivy could enhance its reporting capabilities for better integration with CI systems. Users express interest in additional report formats, such as PDF and CSV, as well as improved exporting options. Addressing the lengthy scanning times for container images and expanding dynamic scanning features during runtime is important. Users note the need for better contextual analysis, UI integration, and AI-powered recommendations. Reducing false positives and enhancing malware detection within a single tool are also desired improvements.

"One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example."
"Having little experience can hinder the ability to connect it to a user-friendly UI effectively."
"Trivy generates many false positives, flagging non-existent vulnerabilities. Improvements could include better contextual analysis or granular filtering."

Pricing

Trivy attracts enterprises due to its zero-cost pricing, fitting their primary consideration for budget-friendly options. As an open-source solution, users benefit from comprehensive functionality without incurring costs. While the tool itself remains free, integration with platforms like GitLab may entail fees. Many companies report successful use of Trivy's free version, avoiding setup costs, demonstrating its effectiveness as a no-cost asset in security management.

Popular Use Cases

Organizations utilize Trivy for security, malware testing, and vulnerability scanning, primarily focusing on Docker images, container systems, and open-source code. They incorporate it into CI/CD and DevSecOps pipelines, such as Azure DevOps, to ensure infrastructure integrity, employing it for Kubernetes security and Terraform compliance. Trivy is widely used for detecting CVEs to avoid production deployments with critical vulnerabilities, facilitating communication with developers to rectify issues efficiently.

Service and Support

Trivy customers highlight effective documentation and community support, facilitating navigation and troubleshooting. Issues on GitHub are addressed promptly, though stable implementation might take time. Enterprises benefit from the enterprise version for personalized concerns. Customer support is appreciated for its accuracy, though time zone differences can cause delays. Assistance on platforms like Discord is helpful for guidance. Many rely on internal expertise or community resources, reducing the need for direct support contact.

Deployment

Trivy's initial setup is consistently described as easy and quick, typically taking less than ten minutes. Users found the straightforward process well-supported by documentation, Helm charts, and all-in-one packages. Familiarity with concepts like Kubernetes seemed advantageous, yet even those without such experience managed the setup effortlessly. Installation could be performed with simple commands such as curl or apt-get, and updating the database for scans was part of the process.

Scalability

Trivy is seen as scalable by many, effectively integrating into CI/CD pipelines and handling microservices. Some mention a learning curve and limitations with multiple container images. Its command-line nature supports multiple executions without slowness. Users appreciate its ability to efficiently scan workloads and image clusters. There's mention of the need for enhanced reporting. It accommodates various projects, especially web apps, and benefits organizations implementing frequent code scanning.

Stability

Users find Trivy stable, reporting no major stability issues or performance problems. They highlight its reliable operation, with successful integration in CICD pipelines and other systems. Although the initial scan requires time for database loading, subsequent operations are efficient. Users note the absence of issues such as lagging or crashing, even after long-term use in varied environments. They appreciate its consistent performance and rely on Trivy for their needs without encountering disruptions.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Container Security Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

15%

Financial Services Firm

14%

Manufacturing Company

11%

Government

Comms Service Provider

University

Retailer

Insurance Company

Media Company

Energy/Utilities Company

Healthcare Company

Educational Organization

Legal Firm

Aerospace/Defense Firm

Real Estate/Law Firm

Construction Company

Hospitality Company

Consumer Goods Company

Transportation Company

Non Profit

Performing Arts

Outsourcing Company

Wholesaler/Distributor

Pharma/Biotech Company

Logistics Company

Recreational Facilities/Services Company

Compare Trivy with alternative products

Learn more about Trivy

Trivy is an efficient tool designed to automate security checks and ensure compliance. Its quick setup, detailed analysis capabilities, and support for multiple programming languages and environments make it a reliable choice for users. Trivy provides comprehensive scanning and integration with CI/CD pipelines, resulting in accurate vulnerability detection and a smoother workflow for developers.

What are the most important features?

Efficient vulnerability detection: Quickly identifies vulnerabilities in container images.
Comprehensive scanning: Supports scanning of both OS packages and application dependencies.
CI/CD pipeline integration: Seamlessly integrates with CI/CD tools for automated security checks.
Broad language support: Handles multiple programming languages and environments.
Ease of use: Simple setup and user-friendly interface.

What benefits or ROI should users look for?

Improved security: Regular and thorough vulnerability scanning enhances security posture.
Compliance maintenance: Helps in maintaining compliance with security policies and regulations.
Cost efficiency: Automation reduces the time and cost associated with manual security checks.
Integration flexibility: Efficiently integrates with existing CI/CD pipelines to streamline workflows.
Detailed reporting: Provides comprehensive reports for better decision-making.

Trivy is widely used in industries with a focus on maintaining high security standards such as finance, healthcare, and technology sectors. Its ability to detect vulnerabilities quickly and integrate with CI/CD pipelines makes it an essential tool for ensuring secure and compliant software development practices in these industries. Continuous improvements in speed, documentation, and integration could further enhance its value.