Trivy — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Aqua's all-in-one scanner — container images, Kubernetes clusters, IaC misconfigs, secrets, and SBOM generation.

Use case: Container SecurityDifficulty: BeginnerHomepage: https://github.com/aquasecurity/trivy

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install trivy

macOS (brew)

brew install trivy

Docker

docker run aquasec/trivy image alpine:latest

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Scan container image (CVEs)

trivy image alpine:latest

Scan filesystem

trivy fs ./project

Scan IaC files (Terraform / K8s manifests)

trivy config ./terraform/

Scan running Kubernetes cluster

trivy k8s --report summary cluster

Generate SBOM

trivy image --format cyclonedx -o sbom.json myapp:latest

Scan repo for secrets + CVEs

trivy fs --scanners vuln,secret,config .

Severity filter for CI

trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:latest

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • --cache-dir /tmp/trivy-cache — first scan downloads ~500MB DB. Cache it across CI runs.
  • --skip-db-update in CI for predictable speed (run a periodic separate job to update).
  • --vex integrates Vulnerability Exchange data — filter false-positives by upstream.
  • For multi-arch images: scan all platforms with --platform linux/amd64,linux/arm64.
  • --scanners vuln,secret,license select specific scanners — much faster than default which runs everything.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default vuln database is updated 6 hours behind. For zero-day scenarios, force --reset + manual update.
  • False positives common on Alpine packages because of musl-vs-glibc CVE conflation.
  • Severity ratings are CVSS-based, not contextual — a CRITICAL CVE in a non-network-exposed library is still flagged the same.
  • trivy k8s requires kubeconfig with broad read perms — minimum cluster-wide read.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Grype (Anchore) — CLI-only, faster on simple cases.
  • Snyk — commercial, deeper context.
  • Clair — older, registry-integrated.

India context and engagement notes

Trivy is the right CI default for container scanning in 2026. Add to GitHub Actions / GitLab CI as a hard gate on CRITICAL/HIGH. For DPDP compliance, generate SBOMs for all customer-data-handling containers — auditors increasingly ask for these.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants