# Trivy

> Trivy is proudly maintained by [Aqua Security](https://aquasec.com).

## Pages

- [Aqua Security is the home of Trivy](commercial-compare.md): Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
- [Contact](commercial-contact.md)
- [Contribute Rego Checks](community-contribute-checks-overview.md): The following guide provides an overview of contributing checks to the default checks in Trivy.
- [Add Service Support](community-contribute-checks-service-support.md): A service refers to a service by a cloud provider. This section details how to add a new service to an existing provi...
- [Discussions](community-contribute-discussion.md): Thank you for taking interest in contributing to Trivy!
- [Issues](community-contribute-issue.md): Thank you for taking interest in contributing to Trivy!
- [Pr](community-contribute-pr.md): Thank you for taking interest in contributing to Trivy!
- [Add Vulnerability Advisory Source](community-contribute-vulnerability-database-add-vulnerability-source.md): This guide walks through the process of adding a new vulnerability advisory source to Trivy.
- [Vulnerability Data Sources](community-contribute-vulnerability-database-overview.md): This section explains how Trivy's vulnerability database works and how to contribute new advisory data sources.
- [Backporting Process](community-maintainer-backporting.md): This document outlines the backporting process for Trivy, including when to create patch releases and how to perform ...
- [Overview](community-maintainer-help-wanted.md): We use two labels help wanted and [good first
- [Pull Request Review Policy](community-maintainer-pr-review.md): This document outlines the review policy for pull requests in the Trivy project.
- [Release Flow](community-maintainer-release-flow.md): Trivy adopts [conventional commit messages][conventional-commits], and [Release Please][release-please] automatically...
- [Triage](community-maintainer-triage.md): Triage is an important part of maintaining the health of the trivy repo.
- [Trivy Project Principles](community-principles.md): This document outlines the guiding principles and governance framework for the Trivy project.
- [CI/CD Integrations](ecosystem-cicd.md): [Azure Devops](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure cloud native CI/CD ser...
- [IDE and developer tools Integrations](ecosystem-ide.md): [Visual Studio Code](https://code.visualstudio.com/) is an open source versatile code editor and development environm...
- [Ecosystem](ecosystem.md): Trivy is integrated into many popular tools and applications, so that you can easily add security to your workflow.
- [Production and cloud Integrations](ecosystem-prod.md): [Kubernetes](https://kubernetes.io/) is an open-source system for automating deployment, scaling, and management of c...
- [Reporting](ecosystem-reporting.md): DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
- [Faq](getting-started-faq.md): `tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
- [First steps with Trivy](getting-started.md): Trivy is available in most common distribution channels. The complete list of installation options is available in th...
- [Installing Trivy](getting-started-installation.md): In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled...
- [Signature Verification](getting-started-signature-verification.md): All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).
- [Connectivity and Network considerations](guide-advanced-air-gap.md): Trivy requires internet connectivity in order to function normally. If your organization blocks or restricts network ...
- [Embed in Dockerfile](guide-advanced-container-embed-in-dockerfile.md): Scan your image as part of the build process by embedding Trivy in the
- [Unpacked Filesystem](guide-advanced-container-unpacked-filesystem.md): Scan an unpacked container image filesystem.
- [Modules](guide-advanced-modules.md): !!! warning "EXPERIMENTAL"
- [Requirements](guide-advanced-private-registries-acr.md): None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
- [Docker Hub](guide-advanced-private-registries-docker-hub.md): See [here](./index.md) for the detail.
- [Ecr](guide-advanced-private-registries-ecr.md): Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
- [Requirements](guide-advanced-private-registries-gcr.md): None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
- [Index](guide-advanced-private-registries.md): Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
- [if you want to use 80 port, use NonSSL](guide-advanced-private-registries-self.md): BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
- [Self-Hosting Trivy's Databases](guide-advanced-self-hosting.md): This document explains how to host Trivy's [external dependencies](./air-gap.md) in your own infrastructure to preven...
- [Telemetry Flags](guide-advanced-telemetry-flags.md): --clear-cache
- [Usage Telemetry](guide-advanced-telemetry.md): Trivy collects anonymous usage data in order to help us improve the product. This document explains what is collected...
- [Built-in Compliance Reports](guide-compliance-compliance.md): !!! warning "EXPERIMENTAL"
- [Custom Compliance Spec](guide-compliance-contrib-compliance.md): Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the ...
- [Cache](guide-configuration-cache.md): The cache directory includes
- [Trivy Databases](guide-configuration-db.md): When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security informati...
- [Filtering](guide-configuration-filtering.md): Trivy provides various methods for filtering the results.
- [Configuration](guide-configuration.md): Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:
- [Others](guide-configuration-others.md): You can enable/disable scanners with the `--scanners` flag.
- [Reporting](guide-configuration-reporting.md): Trivy supports the following formats:
- [Selecting files for scanning](guide-configuration-skipping.md): When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and lo...
- [Ansible](guide-coverage-iac-ansible.md): Trivy analyzes tasks in playbooks and roles for misconfigurations in cloud resources.
- [Azure ARM Template](guide-coverage-iac-azure-arm.md): Trivy supports the scanners listed in the table below.
- [CloudFormation](guide-coverage-iac-cloudformation.md): Trivy supports the scanners listed in the table below.
- [Docker](guide-coverage-iac-docker.md): Trivy supports the scanners listed in the table below.
- [Helm](guide-coverage-iac-helm.md): Trivy supports two types of Helm scanning, templates and packaged charts.
- [Infrastructure as Code](guide-coverage-iac.md): Trivy scans Infrastructure as Code (IaC) files for
- [Kubernetes](guide-coverage-iac-kubernetes.md): Trivy supports the scanners listed in the table below.
- [Terraform](guide-coverage-iac-terraform.md): Trivy supports the scanners listed in the table below.
- [Scanning Coverage](guide-coverage.md): Trivy can detect security issues in many different platforms, languages and configuration files.
- [Kubernetes](guide-coverage-kubernetes.md): When scanning a Kubernetes cluster, Trivy differentiates between the following:
- [C/C++](guide-coverage-language-c.md): Trivy supports Conan C/C++ Package Manager ([v1][conanV1] and [v2][conanV2] with limitations).
- [Dart](guide-coverage-language-dart.md): Trivy supports [Dart][dart].
- [.NET](guide-coverage-language-dotnet.md): Trivy supports `.NET core` and `NuGet` package managers.
- [Elixir](guide-coverage-language-elixir.md): Trivy supports [Hex][hex] repository for [Elixir][elixir].
- [Go](guide-coverage-language-golang.md): Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
- [Programming Language](guide-coverage-language.md): Trivy supports programming languages for
- [Java](guide-coverage-language-java.md): Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.
- [Julia](guide-coverage-language-julia.md): Trivy supports [Pkg.jl](https://pkgdocs.julialang.org/v1/), which is the Julia package manager.
- [Node.js](guide-coverage-language-nodejs.md): Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].
- [PHP](guide-coverage-language-php.md): Trivy supports [Composer][composer], which is a tool for dependency management in PHP.
- [Python](guide-coverage-language-python.md): Trivy supports three types of Python package managers: `pip`, `Pipenv` and `Poetry`.
- [Ruby](guide-coverage-language-ruby.md): Trivy supports [Bundler][bundler] and [RubyGems][rubygems].
- [Rust](guide-coverage-language-rust.md): Trivy supports [Cargo](https://doc.rust-lang.org/stable/cargo/), which is the Rust package manager.
- [Swift](guide-coverage-language-swift.md): Trivy supports [CocoaPods][cocoapods] and [Swift][swift] package managers.
- [AlmaLinux](guide-coverage-os-alma.md): Trivy supports the following scanners for OS packages.
- [Alpine Linux](guide-coverage-os-alpine.md): Trivy supports the following scanners for OS packages.
- [Amazon Linux](guide-coverage-os-amazon.md): Trivy supports the following scanners for OS packages.
- [Azure Linux (CBL-Mariner)](guide-coverage-os-azure.md): *CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
- [Bottlerocket](guide-coverage-os-bottlerocket.md): Trivy supports the following scanners for OS packages.
- [CentOS](guide-coverage-os-centos.md): Trivy supports the following scanners for OS packages.
- [Chainguard](guide-coverage-os-chainguard.md): Trivy supports the following scanners for OS packages.
- [CoreOS](guide-coverage-os-coreos.md): This page describes the deprecated `CoreOS Container Linux` (EOL) and its successor, [Fedora CoreOS][fedora-coreos].
- [Debian](guide-coverage-os-debian.md): Trivy supports the following scanners for OS packages.
- [Echo](guide-coverage-os-echo.md): Trivy supports these scanners for OS packages.
- [Google Distroless Images](guide-coverage-os-google-distroless.md): Trivy supports the following scanners for OS packages.
- [OS](guide-coverage-os.md): Trivy supports operating systems for
- [MinimOS](guide-coverage-os-minimos.md): Trivy supports these scanners for OS packages.
- [Oracle Linux](guide-coverage-os-oracle.md): Trivy supports the following scanners for OS packages.
- [Photon OS](guide-coverage-os-photon.md): Trivy supports the following scanners for OS packages.
- [Red Hat Enterprise Linux](guide-coverage-os-rhel.md): Trivy supports the following scanners for OS packages.
- [Rocky Linux](guide-coverage-os-rocky.md): Trivy supports the following scanners for OS packages.
- [SUSE](guide-coverage-os-suse.md): Trivy supports the following distributions:
- [Ubuntu](guide-coverage-os-ubuntu.md): Trivy supports these scanners for OS packages.
- [Wolfi Linux](guide-coverage-os-wolfi.md): Trivy supports these scanners for OS packages.
- [Bitnami Images](guide-coverage-others-bitnami.md): !!! warning "EXPERIMENTAL"
- [Conda](guide-coverage-others-conda.md): Trivy supports the following scanners for Conda packages.
- [Others](guide-coverage-others.md): In this section we have placed images, package managers and files that we can't assign to existing sections.
- [Root.io](guide-coverage-others-rootio.md): !!! warning "EXPERIMENTAL"
- [RPM Archives](guide-coverage-others-rpm.md): !!! warning "EXPERIMENTAL"
- [Seal Security](guide-coverage-others-seal.md): !!! warning "EXPERIMENTAL"
- [User Guide](guide.md): Welcome to the Trivy User Guide!
- [Developer Guide](guide-plugin-developer-guide.md): This section will guide you through the process of developing Trivy plugins.
- [Plugins](guide-plugin.md): Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
- [User Guide](guide-plugin-user-guide.md): You can find a list of Trivy plugins distributed via trivy-plugin-index [here][trivy-plugin-index].
- [Abbreviation List](guide-references-abbreviations.md): This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in i...
- [Trivy](guide-references-configuration-cli-trivy.md): Unified security scanner
- [Trivy_Clean](guide-references-configuration-cli-trivy-clean.md): Remove cached files
- [Trivy_Config](guide-references-configuration-cli-trivy-config.md): Scan config files for misconfigurations
- [Trivy_Convert](guide-references-configuration-cli-trivy-convert.md): Convert Trivy JSON report into a different format
- [Trivy_Filesystem](guide-references-configuration-cli-trivy-filesystem.md): Scan local filesystem
- [Trivy_Image](guide-references-configuration-cli-trivy-image.md): Scan a container image
- [Trivy_Kubernetes](guide-references-configuration-cli-trivy-kubernetes.md): [EXPERIMENTAL] Scan kubernetes cluster
- [Trivy_Module](guide-references-configuration-cli-trivy-module.md): Manage modules
- [Trivy_Module_Install](guide-references-configuration-cli-trivy-module-install.md): Install a module
- [Trivy_Module_Uninstall](guide-references-configuration-cli-trivy-module-uninstall.md): Uninstall a module
- [Trivy_Plugin](guide-references-configuration-cli-trivy-plugin.md): Manage plugins
- [Trivy_Plugin_Info](guide-references-configuration-cli-trivy-plugin-info.md): Show information about the specified plugin
- [Trivy_Plugin_Install](guide-references-configuration-cli-trivy-plugin-install.md): Install a plugin
- [Trivy_Plugin_List](guide-references-configuration-cli-trivy-plugin-list.md): List installed plugin
- [Trivy_Plugin_Run](guide-references-configuration-cli-trivy-plugin-run.md): Run a plugin on the fly
- [Trivy_Plugin_Search](guide-references-configuration-cli-trivy-plugin-search.md): List Trivy plugins available on the plugin index and search among them
- [Trivy_Plugin_Uninstall](guide-references-configuration-cli-trivy-plugin-uninstall.md): Uninstall a plugin
- [Trivy_Plugin_Update](guide-references-configuration-cli-trivy-plugin-update.md): Update the local copy of the plugin index
- [Trivy_Plugin_Upgrade](guide-references-configuration-cli-trivy-plugin-upgrade.md): Upgrade installed plugins to newer versions
- [Trivy_Registry](guide-references-configuration-cli-trivy-registry.md): Manage registry authentication
- [Trivy_Registry_Login](guide-references-configuration-cli-trivy-registry-login.md): Log in to a registry
- [Trivy_Registry_Logout](guide-references-configuration-cli-trivy-registry-logout.md): Log out of a registry
- [Trivy_Repository](guide-references-configuration-cli-trivy-repository.md): Scan a repository
- [Trivy_Rootfs](guide-references-configuration-cli-trivy-rootfs.md): Scan rootfs
- [Trivy_Sbom](guide-references-configuration-cli-trivy-sbom.md): Scan SBOM for vulnerabilities and licenses
- [Trivy_Server](guide-references-configuration-cli-trivy-server.md): Server mode
- [Trivy_Version](guide-references-configuration-cli-trivy-version.md): Print the version
- [Trivy_Vex](guide-references-configuration-cli-trivy-vex.md): [EXPERIMENTAL] VEX utilities
- [Trivy_Vex_Repo](guide-references-configuration-cli-trivy-vex-repo.md): Manage VEX repositories
- [Trivy_Vex_Repo_Download](guide-references-configuration-cli-trivy-vex-repo-download.md): Download the VEX repositories
- [Trivy_Vex_Repo_Init](guide-references-configuration-cli-trivy-vex-repo-init.md): Initialize a configuration file
- [Trivy_Vex_Repo_List](guide-references-configuration-cli-trivy-vex-repo-list.md): List VEX repositories
- [Trivy_Vm](guide-references-configuration-cli-trivy-vm.md): [EXPERIMENTAL] Scan a virtual machine image
- [Config file](guide-references-configuration-config-file.md): Trivy can be customized by tweaking a `trivy.yaml` file.
- [Client/Server](guide-references-modes-client-server.md): Trivy has client/server mode. Trivy server has vulnerability database and Trivy client doesn't have to download vulne...
- [Standalone](guide-references-modes-standalone.md): `trivy image`, `trivy filesystem`, and `trivy repo` work in standalone mode.
- [Terminology](guide-references-terminology.md): This page explains the terminology system used in Trivy, helping users understand the specific terms and concepts uni...
- [Troubleshooting](guide-references-troubleshooting.md): !!! error
- [License Scanning](guide-scanner-license.md): Trivy scans any container image for license files and offers an opinionated view on the risk associated with the lice...
- [Built-in Checks](guide-scanner-misconfiguration-check-builtin.md): Trivy has an extensive library of misconfiguration checks that is maintained at <
- [METADATA](guide-scanner-misconfiguration-config-config.md): This page describes misconfiguration-specific configuration.
- [Combined input](guide-scanner-misconfiguration-custom-combine.md): Trivy usually scans each configuration file individually.
- [Contribute Checks](guide-scanner-misconfiguration-custom-contribute-checks.md): The contributing section provides detailed information on how to contribute custom checks to the [trivy-checks reposi...
- [Custom Data](guide-scanner-misconfiguration-custom-data.md): Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy t...
- [Debugging checks](guide-scanner-misconfiguration-custom-debug.md): When working on more complex queries (or when learning Rego), it's useful to see exactly how the policy is applied.
- [Custom Checks](guide-scanner-misconfiguration-custom.md): You can write custom checks in [Rego][rego].
- [Input Schema](guide-scanner-misconfiguration-custom-schema.md): Schemas are declarative documents that define the structure, data types and constraints of inputs being scanned. Triv...
- [Input Selectors](guide-scanner-misconfiguration-custom-selectors.md): Sometimes you might want to limit a certain policy to only be run on certain resources. This can be
- [Testing](guide-scanner-misconfiguration-custom-testing.md): It is highly recommended to write tests for your custom checks.
- [Misconfiguration Scanning](guide-scanner-misconfiguration.md): Trivy provides built-in checks to detect configuration issues in popular Infrastructure as Code files, such as: Docke...
- [Secret Scanning](guide-scanner-secret.md): Trivy scans any container image, filesystem, and git repository to detect exposed secrets like passwords, API keys, a...
- [Vulnerability Scanning](guide-scanner-vulnerability.md): Trivy detects known vulnerabilities in software components that it finds in the scan target.
- [Scan SBOM attestation in Rekor](guide-supply-chain-attestation-rekor.md): !!! warning "EXPERIMENTAL"
- [SBOM attestation](guide-supply-chain-attestation-sbom.md): [Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github....
- [Cosign Vulnerability Attestation](guide-supply-chain-attestation-vuln.md): Trivy generates reports in the [Cosign vulnerability scan record format][vuln-attest-spec].
- [SBOM](guide-supply-chain-sbom.md): Trivy can generate the following SBOM formats.
- [Local VEX Files](guide-supply-chain-vex-file.md): !!! warning "EXPERIMENTAL"
- [Vulnerability Exploitability Exchange (VEX)](guide-supply-chain-vex.md): !!! warning "EXPERIMENTAL"
- [Discover VEX Attestation in OCI Registry](guide-supply-chain-vex-oci.md): !!! warning "EXPERIMENTAL"
- [VEX Repository](guide-supply-chain-vex-repo.md): !!! warning "EXPERIMENTAL"
- [VEX SBOM Reference](guide-supply-chain-vex-sbom-ref.md): !!! warning "EXPERIMENTAL"
- [Container Image](guide-target-container-image.md): Trivy supports two targets for container images.
- [Filesystem](guide-target-filesystem.md): Scan your local projects for
- [Kubernetes](guide-target-kubernetes.md): !!! warning "EXPERIMENTAL"
- [Code Repository](guide-target-repository.md): Scan your local or remote code repositories for
- [Rootfs](guide-target-rootfs.md): Rootfs scanning is for special use cases such as
- [SBOM scanning](guide-target-sbom.md): Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
- [Virtual Machine Image](guide-target-vm.md): !!! warning "EXPERIMENTAL"
- [Docs](index.md): Welcome to the Trivy documentation!
- [CKS preparation resources](tutorials-additional-resources-cks.md): The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certifie...
- [Community References](tutorials-additional-resources-community.md): Below is a list of additional resources from the community.
- [Additional Resources and Tutorials](tutorials-additional-resources-references.md): Below is a list of additional resources from Aqua Security.
- [AWS CodePipeline](tutorials-integrations-aws-codepipeline.md): See [this blog post][blog] for an example of using Trivy within AWS CodePipeline.
- [AWS Security Hub](tutorials-integrations-aws-security-hub.md): In the following example using the template `asff.tpl`, [ASFF][asff] file can be generated.
- [Azure Devops](tutorials-integrations-azure-devops.md): - Here is the [Azure DevOps Pipelines Task for Trivy][action]
- [Bitbucket Pipelines](tutorials-integrations-bitbucket.md): See [trivy-pipe][trivy-pipe] for the details.
- [CircleCI](tutorials-integrations-circleci.md): $ cat .circleci/config.yml
- [GitHub Actions](tutorials-integrations-github-actions.md): - Here is the [Trivy GitHub Action][action]
- [GitLab CI](tutorials-integrations-gitlab-ci.md): GitLab 15.0 includes [free](https://gitlab.com/groups/gitlab-org/-/epics/2233) integration with Trivy.
- [Integrations](tutorials-integrations.md): Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you...
- [Travis CI](tutorials-integrations-travis-ci.md): $ cat .travis.yml
- [Kubernetes Scanning Tutorial](tutorials-kubernetes-cluster-scanning.md): To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Do...
- [Installing the Trivy-Operator through GitOps](tutorials-kubernetes-gitops.md): This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
- [Attesting Image Scans With Kyverno](tutorials-kubernetes-kyverno.md): This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmi...
- [Custom Checks with Rego](tutorials-misconfiguration-custom-checks.md): Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a...
- [Scanning Terraform files with Trivy](tutorials-misconfiguration-terraform.md): This tutorial is focused on ways Trivy can scan Terraform IaC configuration files.
- [Tutorials](tutorials-overview.md): In this section you can find step-by-step guides that help you accomplish specific tasks.
- [Enable shell completion](tutorials-shell-shell-completion.md): Below are example steps to enable the shell completion feature for the `trivy` CLI:
- [Vulnerability Scan Record Attestation](tutorials-signing-vuln-attestation.md): This tutorial details how to