Aqua's all-in-one scanner — container images, Kubernetes clusters, IaC misconfigs, secrets, and SBOM generation.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install trivy
macOS (brew)
brew install trivy
Docker
docker run aquasec/trivy image alpine:latest
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Scan container image (CVEs)
trivy image alpine:latest
Scan filesystem
trivy fs ./project
Scan IaC files (Terraform / K8s manifests)
trivy config ./terraform/
Scan running Kubernetes cluster
trivy k8s --report summary cluster
Generate SBOM
trivy image --format cyclonedx -o sbom.json myapp:latest
Scan repo for secrets + CVEs
trivy fs --scanners vuln,secret,config .
Severity filter for CI
trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:latest
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
--cache-dir /tmp/trivy-cache— first scan downloads ~500MB DB. Cache it across CI runs.--skip-db-updatein CI for predictable speed (run a periodic separate job to update).--vexintegrates Vulnerability Exchange data — filter false-positives by upstream.- For multi-arch images: scan all platforms with
--platform linux/amd64,linux/arm64. --scanners vuln,secret,licenseselect specific scanners — much faster than default which runs everything.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default vuln database is updated 6 hours behind. For zero-day scenarios, force
--reset+ manual update. - False positives common on Alpine packages because of musl-vs-glibc CVE conflation.
- Severity ratings are CVSS-based, not contextual — a CRITICAL CVE in a non-network-exposed library is still flagged the same.
trivy k8srequires kubeconfig with broad read perms — minimum cluster-wide read.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Grype (Anchore) — CLI-only, faster on simple cases.
- Snyk — commercial, deeper context.
- Clair — older, registry-integrated.
India context and engagement notes
Trivy is the right CI default for container scanning in 2026. Add to GitHub Actions / GitLab CI as a hard gate on CRITICAL/HIGH. For DPDP compliance, generate SBOMs for all customer-data-handling containers — auditors increasingly ask for these.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.