Site Reliability Engineer at a tech vendor with 10,001+ employees
Ease of setup and insightful report generation guide vulnerability management effectively
Pros and Cons
- "What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration."
- "The main area for improvement is in differentiating between OS and application-based vulnerabilities."
What is our primary use case?
We are using Trivy for vulnerability scans and identifying open secrets, if there are any, in our Kubernetes clusters. We are visualizing the results on Grafana dashboards, which helps restrict the exposure of secrets and makes our system more precise with image scanners.
What is most valuable?
What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration. The reports generated are easy to read, even for non-technical individuals. Good documentation for installation and troubleshooting is provided. Additionally, it differentiates vulnerabilities based on severity, which aids in addressing vulnerabilities in the correct order.
What needs improvement?
The main area for improvement is in differentiating between OS and application-based vulnerabilities. Additionally, the customization of reports is limited; we can only add a few parameters. Custom application details in reports would make it easier to identify the use case of each pod.
For how long have I used the solution?
I have been using Trivy for around six to seven months.
Buyer's Guide
Trivy
December 2025
Learn what your peers think about Trivy. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,310 professionals have used our research since 2012.
What was my experience with deployment of the solution?
We faced challenges with setting up Trivy on Windows, but the process on Linux was smooth. The complexity is attributed to Windows setups rather than Trivy itself. For implementation, we downloaded the repository, ran a few commands, and used Helm charts to deploy Trivy operators on Kubernetes.
What do I think about the stability of the solution?
There are no performance or stability issues with Trivy.
What do I think about the scalability of the solution?
Trivy is quite easy to scale, especially on Kubernetes. We have replicated it across multiple clusters, and it scales easily both vertically and horizontally, depending on CPU usage and the number of pods.
How are customer service and support?
We haven't tried reaching out to Trivy's technical support, and I'm unsure if they provide any.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before Trivy, we did not have any solution in place for scanning.
How was the initial setup?
The initial setup was straightforward for Linux but not for Windows. We followed the documentation provided, ran the necessary commands, and used Helm charts for Kubernetes. It took more than one day for the Kubernetes setup and around five to six hours for the local setup.
What about the implementation team?
We implemented Trivy following the documentation available. The setup for both Trivy itself and the Trivy operator required downloading the repositories and configuring them using Helm charts on Kubernetes.
What's my experience with pricing, setup cost, and licensing?
Trivy is open source, making it cost-effective. There are customization options available at the cluster level, allowing us to modify schedules, scaling, and which pods or images to scan.
Which other solutions did I evaluate?
We did not evaluate any other solutions. Trivy was the first option that came up during our search.
What other advice do I have?
One piece of advice is to start with the image-based version locally to understand how Trivy works before setting it up on Kubernetes. This local setup will enhance understanding, which helps when customizing the Kubernetes setup. Overall, I rate Trivy as an eight out of ten as a solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 4, 2025
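Trivy's JSON output (`trivy image --format json`) tags every `Results` entry with a `Class` (`os-pkgs`, `lang-pkgs`, `secret`, `config`) and a `Type` (the OS distribution or package ecosystem), so the OS-versus-application split, the secret hits and the severity ordering the review above talks about can all be pulled from one report. The script below is an added example, not code from the review or from the Trivy project; the image name, package versions and `CVE-0000-*` identifiers in `SAMPLE_REPORT` are constructed placeholders, and the field names are those of Trivy's JSON schema.

```python
"""Post-process a Trivy JSON report offline: split OS-package from application-package
findings, list secret detections, and order vulnerabilities for remediation.

Run: trivy image --format json -o report.json IMAGE && python3 trivy_summary.py report.json
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample shaped like `trivy image --format json` output. The image name,
# package versions and CVE-0000-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/payments-api:1.4.2",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "registry.example.internal/payments-api:1.4.2 (alpine 3.18.4)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcrypto3",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.28.0", "FixedVersion": "2.31.0", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/settings.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                 "Title": "AWS Access Key ID", "StartLine": 12, "EndLine": 12,
                 "Match": 'AWS_ACCESS_KEY_ID = "AKIA****************"'},
            ],
        },
    ],
}


def iter_vulns(report):
    """Yield (result, vulnerability) pairs; Results without vulnerabilities are skipped."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result, vuln


def summarize(report):
    """Severity counts keyed by the Result Class Trivy assigns: os-pkgs vs lang-pkgs."""
    counts = {}
    for result, vuln in iter_vulns(report):
        bucket = counts.setdefault(result.get("Class", "unknown"), Counter())
        bucket[vuln.get("Severity", "UNKNOWN")] += 1
    return {cls: dict(c) for cls, c in counts.items()}


def secret_findings(report):
    """(target, rule id, start line, severity) for every secret-scanner hit."""
    hits = []
    for result in report.get("Results") or []:
        if result.get("Class") != "secret":
            continue
        for s in result.get("Secrets") or []:
            hits.append((result["Target"], s["RuleID"], s.get("StartLine"), s.get("Severity", "UNKNOWN")))
    return hits


def prioritized(report):
    """Vulnerabilities in remediation order: highest severity first, fixable before unfixable."""
    rows = [
        {"class": r.get("Class"), "type": r.get("Type"), "target": r["Target"],
         "id": v["VulnerabilityID"], "pkg": v["PkgName"],
         "installed": v.get("InstalledVersion", ""), "fixed": v.get("FixedVersion", ""),
         "severity": v.get("Severity", "UNKNOWN")}
        for r, v in iter_vulns(report)
    ]
    rows.sort(key=lambda x: (SEVERITY_RANK.get(x["severity"], 4), x["fixed"] == "", x["id"]))
    return rows


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print("by class:", summarize(report))
    for target, rule, line, severity in secret_findings(report):
        print(f"SECRET   {target}:{line} {rule} ({severity})")
    for row in prioritized(report):
        fix = row["fixed"] or "no fix"
        print(f"{row['severity']:<8} {row['class']:<9} {row['id']} {row['pkg']} {row['installed']} -> {fix}")
```

The same `Results` shape comes out of `trivy fs` for a checked-out repository, so one post-processor serves both the local image scans and the filesystem scans; the `summarize()` counts are what you would push to a metrics backend behind a dashboard, with `prioritized()` giving the order in which the fixable items should be worked.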
Principal DevSecOps at a computer software company with 10,001+ employees
Detect vulnerabilities in code and containers with a comprehensive open source tool
Pros and Cons
- "Trivy's open source nature and wide functionality are incredibly valuable."
- "Currently, the container image scanning is static. A dynamic scanning capability during runtime would be a significant advantage."
What is our primary use case?
I mainly use Trivy for two primary use cases. One is to scan Docker images for vulnerabilities, and I also use it to find open source vulnerabilities in application code.
What is most valuable?
Trivy's open source nature and wide functionality are incredibly valuable. It can scan Kubernetes files, detect Dockerfile issues, and even scan Terraform code. The ease of use and ability to integrate into CI/CD pipelines in a straightforward manner make it a beneficial tool.
Additionally, it supports all operating systems and maintains an up-to-date security vulnerability CVE list. Another major advantage is its ability to find secrets and sensitive information in code.
What needs improvement?
Currently, the container image scanning is static. A dynamic scanning capability during runtime would be a significant advantage.
Additionally, the open-source vulnerability database could be more extensive. Trivy lacks a user interface, report generation, and SIEM integration.
For how long have I used the solution?
I have been using Trivy for four years now.
What do I think about the stability of the solution?
I have never faced any performance issues with Trivy.
What do I think about the scalability of the solution?
I have not experienced any scalability issues. Being command-line based, Trivy can run multiple times without difficulty or slowness.
How are customer service and support?
I have never escalated any issues as Trivy is open-source.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before Trivy, I used another open-source tool but found it was not well managed. I evaluated Snyk and Sonatype Nexus container scanner.
How was the initial setup?
The initial setup of Trivy is very straightforward. It takes about five to ten minutes to set up and requires no special steps.
What was our ROI?
Using Trivy, I've achieved significant cost savings, with the estimated savings being around $40,000 to $50,000.
What's my experience with pricing, setup cost, and licensing?
The cost was a primary consideration for choosing Trivy as it is free of cost and offers all the necessary functionality, reducing the need for paid solutions.
Which other solutions did I evaluate?
I evaluated solutions like Snyk and Sonatype Nexus container scanner before deciding on Trivy.
What other advice do I have?
I recommend thoroughly understanding all the features of Trivy and its command-line options. This knowledge will help better integrate it into CI/CD pipelines and decide when to exit scanning if detections occur.
On a scale of one to ten, I would rate Trivy as an eight out of ten.
Although it lacks a user interface and report generation, its robust functionality and cost-effectiveness make it a top choice.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
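Trivy's own gate is `--exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed` together with a `.trivyignore` file, which applies a single threshold to the whole scan. The script below is an added example, not the reviewer's code nor the Trivy project's: it reads the JSON report and applies a per-class policy, so the point at which the pipeline fails is explicit and reviewable in the repository rather than spread over command-line flags. The `POLICY` thresholds, the ignore list and the `CVE-0000-*` identifiers are constructed assumptions; the report fields are those of Trivy's JSON output.

```python
"""Per-class CI gate over a Trivy JSON report.

Run: trivy image --format json -o report.json IMAGE
     python3 trivy_gate.py report.json [.trivyignore]; echo "exit=$?"
"""
import json
import sys

# Policy (an assumption, not a Trivy default): OS packages are usually fixed by a
# base-image bump, so only block on fixable HIGH/CRITICAL; application dependencies
# are under the team's control, so block from MEDIUM up even before a fix is published.
POLICY = {
    "os-pkgs": {"fail_on": {"CRITICAL", "HIGH"}, "ignore_unfixed": True},
    "lang-pkgs": {"fail_on": {"CRITICAL", "HIGH", "MEDIUM"}, "ignore_unfixed": False},
}

# Constructed .trivyignore-style allow list: one vulnerability ID per line, '#' comments.
IGNORE_TEXT = """
# accepted risk: code path not reachable from this service, tracked in the risk register
CVE-0000-0002
"""

# Constructed report in the shape of `trivy image --format json`; CVE-0000-* are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.internal/payments-api:1.4.2",
    "Results": [
        {"Target": "payments-api:1.4.2 (debian 12.2)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "Severity": "HIGH",
              "InstalledVersion": "2.36-9", "FixedVersion": ""},            # unfixed: tolerated
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g", "Severity": "CRITICAL",
              "InstalledVersion": "1.2.13-1", "FixedVersion": "1.2.13-2"},  # fixable, but waived
         ]},
        {"Target": "app/go.mod", "Class": "lang-pkgs", "Type": "gomod",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "golang.org/x/net", "Severity": "MEDIUM",
              "InstalledVersion": "v0.10.0", "FixedVersion": ""},           # unfixed MEDIUM: blocks
         ]},
        {"Target": "app/config.yaml", "Class": "secret",
         "Secrets": [{"RuleID": "generic-api-key", "Severity": "HIGH", "StartLine": 4}]},
    ],
}


def parse_ignore(text):
    """IDs from a .trivyignore-style file: blank lines and '#' comments dropped."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report, policy=POLICY, ignored=frozenset()):
    """Findings that fail the pipeline under `policy`, as (target, id, severity) tuples."""
    found = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        rule = policy.get(result.get("Class"))
        if rule:
            for v in result.get("Vulnerabilities") or []:
                if v.get("Severity") not in rule["fail_on"] or v["VulnerabilityID"] in ignored:
                    continue
                if rule["ignore_unfixed"] and not v.get("FixedVersion"):
                    continue
                found.append((target, v["VulnerabilityID"], v.get("Severity")))
        # Secrets are never waived here: a leaked credential needs rotation, not a risk acceptance.
        for s in result.get("Secrets") or []:
            found.append((target, s["RuleID"], s.get("Severity", "CRITICAL")))
    return found


def exit_code(report, policy=POLICY, ignored=frozenset()):
    """0 when the policy passes, 1 otherwise (the convention of `trivy --exit-code 1`)."""
    return 1 if blocking_findings(report, policy, ignored) else 0


if __name__ == "__main__":
    report = SAMPLE_REPORT
    ignore_text = IGNORE_TEXT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            ignore_text = fh.read()
    hits = blocking_findings(report, ignored=parse_ignore(ignore_text))
    for target, ident, severity in hits:
        print(f"BLOCK {severity:<8} {ident} in {target}")
    sys.exit(exit_code(report, ignored=parse_ignore(ignore_text)))
```

With the constructed sample the unfixed HIGH in the OS layer and the waived CRITICAL are tolerated, while the unfixed MEDIUM in `go.mod` and the secret in `config.yaml` fail the build; remove the waiver and the fixable CRITICAL blocks as well. Keeping the policy in a file next to the pipeline definition means a change to the threshold goes through the same code review as everything else.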
Cybersecurity & DevSecOps Lead at a tech services company with 11-50 employees
Enables efficient integration with seamless vulnerability detection
Pros and Cons
- "Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images."
- "The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting."
What is our primary use case?
I use Trivy for CI/CD and container scanning.
What is most valuable?
Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images. It helps with all configurations, including scanning of images and file systems, and even detecting secrets, not just vulnerabilities. It is very lightweight, requiring minimal effort to get it working. Trivy catches most vulnerabilities quickly because it does not take time to scan anything.
What needs improvement?
The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting.
Additionally, Trivy should work as a Software Composition Analysis tool. If Trivy could do this, it would be great.
For how long have I used the solution?
I have been working with Trivy for more than four years.
What do I think about the stability of the solution?
I find Trivy to be stable.
What do I think about the scalability of the solution?
I do not have to scale Trivy itself. I have to scale the part or the tool that is scanning the images. Each instance is a complete system that can scan as many images as are passed through that scanning stage.
How are customer service and support?
We are using the open source community, so we do not need customer service support. If anything happens, we go on GitHub to find a solution.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have been using Trivy from the beginning. We also have another scanner, NeuVector, but our primary scanner is Trivy.
How was the initial setup?
The initial setup is straightforward, not just for me, but also for other developers who find it easy to set up and run. We installed Trivy in the container and used it for scanning other images. The setup process is quick and takes approximately five minutes.
Which other solutions did I evaluate?
We tried QEscape and some other new solutions, however, we settled with Trivy. I am not sure about money savings. I have not explored any other commercial software.
What other advice do I have?
Trivy is a Swiss knife. I recommend it because it is easy to integrate and provides quick results.
On a scale of one to ten, I rate it nine out of ten for vulnerability scanning.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
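Trivy can emit CSV natively through `--format template` with a Go template you write yourself, but a short post-processor over the JSON report is easier to audit and to extend with the columns an auditor asks for. The script below is an added example, not the reviewer's or the Trivy project's code; `SAMPLE_REPORT`, including the `DS-0000` check ID and the `CVE-0000-*` identifiers, is constructed, and the field names are those of Trivy's JSON output.

```python
"""Flatten a Trivy JSON report into CSV for audit and reporting.

Run: trivy image --format json -o report.json IMAGE && python3 trivy_csv.py report.json > report.csv
"""
import csv
import io
import json
import sys

COLUMNS = ["Artifact", "Target", "Class", "Type", "Finding", "Package",
           "Installed", "Fixed", "Severity", "Title"]

# Constructed report in the shape of `trivy image --format json`: the image, the
# CVE-0000-* identifiers and the DS-0000 check ID are placeholders, not real findings.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.internal/web:2.0.1",
    "Results": [
        {"Target": "registry.example.internal/web:2.0.1 (ubuntu 22.04)",
         "Class": "os-pkgs", "Type": "ubuntu",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0010", "PkgName": "libssl3",
              "InstalledVersion": "3.0.2-0ubuntu1", "FixedVersion": "3.0.2-0ubuntu1.1",
              "Severity": "HIGH", "Title": "openssl: placeholder title, with a comma"},
         ]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0011", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21",
              "Severity": "MEDIUM", "Title": "lodash: placeholder title"},
         ]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS-0000", "Title": "Placeholder Dockerfile check", "Severity": "HIGH",
              "Resolution": "Placeholder resolution text"},
         ]},
        {"Target": ".env", "Class": "secret",
         "Secrets": [{"RuleID": "github-pat", "Title": "GitHub Personal Access Token",
                      "Severity": "CRITICAL", "StartLine": 2}]},
    ],
}


def rows(report):
    """One CSV row per vulnerability, misconfiguration or secret finding."""
    artifact = report.get("ArtifactName", "")
    for result in report.get("Results") or []:
        base = [artifact, result.get("Target", ""), result.get("Class", ""), result.get("Type", "")]
        for v in result.get("Vulnerabilities") or []:
            yield base + [v["VulnerabilityID"], v.get("PkgName", ""), v.get("InstalledVersion", ""),
                          v.get("FixedVersion", ""), v.get("Severity", ""), v.get("Title", "")]
        for m in result.get("Misconfigurations") or []:
            yield base + [m["ID"], "", "", "", m.get("Severity", ""), m.get("Title", "")]
        for s in result.get("Secrets") or []:
            # The Match field is deliberately not exported: a CSV that is mailed around
            # for audit must not carry even a partially masked credential.
            yield base + [s["RuleID"], "", "", "", s.get("Severity", ""), s.get("Title", "")]


def to_csv(report):
    """Serialize with RFC 4180 quoting so commas in titles survive a spreadsheet import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows(report))
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.stdout.write(to_csv(report))
```

Misconfigurations and secrets land in the same table as vulnerabilities, with the `Class` column telling them apart, so one file covers the image, the Dockerfile and the committed secrets an audit will ask about.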
Software Engineer at a manufacturing company with 10,001+ employees
Seamlessly integrates with CI/CD pipeline for effective security and malware testing
Pros and Cons
- "The most valuable feature of Trivy is its easy integration with the CI/CD pipeline."
- "The reporting could be a little better. When integrating Trivy with CI, the interpretation of the reports could be improved."
What is our primary use case?
We are using Trivy for static analysis tests of our code bases, primarily for security and malware testing.
What is most valuable?
The most valuable feature of Trivy is its easy integration with the CI/CD pipeline. It allows for seamless scanning of the entire code base in GitHub, making it very scalable based on how it is deployed in conjunction with CI. It has greatly facilitated our security testing and analysis processes.
What needs improvement?
The reporting could be a little better. When integrating Trivy with CI, the interpretation of the reports could be improved. The only aspect that seems to require more effort is understanding the reporting, which might need some attention.
For how long have I used the solution?
I have used Trivy for one to two months.
What do I think about the stability of the solution?
Trivy is stable. With my usage so far, I haven't encountered any major stability issues.
What do I think about the scalability of the solution?
Trivy is very scalable. With its integration into our CI setup, it can scan the whole code base efficiently. However, there might be a learning curve when using it on a standalone basis.
How are customer service and support?
I haven't had the chance to talk to the support team, so I have no direct experience with their customer service. However, the documentation is good, and it helped me navigate through the setup.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have different static analysis tools like Coverity or Bandit, however, they are not alternatives to Trivy. We use multiple methods for scanning, and Trivy complements these other tools.
How was the initial setup?
The initial setup was easy, and it took just a couple of days for deployment.
What about the implementation team?
I used a third party for the implementation. Trivy GitHub CI has a third-party GitHub action that I could use directly.
Which other solutions did I evaluate?
I didn't evaluate other options personally. Different options are used within my company. I don't recall the names.
What other advice do I have?
I would recommend starting to use Trivy and explore the documentation, as it is quite comprehensive. Understanding the project pipeline first is important, as it affects the configuration and integration process. This understanding is crucial for integrating Trivy into your security pipeline.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer.