
Trivy

Comprehensive vulnerability scanner with CVE, license, IaC, and secret detection.

Trivy is the most widely used open-source container scanner. HarborGuard runs Trivy in CVE + secret + license detection mode against every layer, normalizes its findings into the unified schema, and dedupes them against Grype and OSV-Scanner output. Trivy's database refreshes continuously from the NVD, GitHub Security Advisories, and its upstream feeds.

What it scans

  • OS packages (Alpine, Debian, Red Hat, Ubuntu, Amazon Linux, SUSE, Photon)
  • Language dependencies (npm, PyPI, Maven, RubyGems, NuGet, Cargo, Go modules, Composer, Hex)
  • Container image misconfigurations
  • Embedded secrets and credentials
  • License compliance violations

When to use it

  • Default for all production scans — broadest CVE coverage.
  • When you need a single tool that covers OS + libs + secrets + license.
  • CI gating: Trivy is fast enough for pre-merge container builds.

How HarborGuard runs Trivy

  1. Runs inside an isolated scan sensor container, never on the host.
  2. Database snapshots are cached on the worker machine to avoid NVD rate limits.
  3. Findings are deduplicated against Grype + OSV before triage.
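The normalization and cross-scanner deduplication described above (the overview paragraph and step 3), shown as an added example rather than HarborGuard's own code. The unified key (canonical id, package, version) is an assumption about the unified schema; the field names follow each tool's published JSON layout, and the report fragments are constructed with placeholder ids.

```python
"""Normalize Trivy, Grype and OSV-Scanner JSON into one shape and dedupe across tools.
Added example, not HarborGuard's code: the unified key (canonical id, package, version)
is an assumption; the report fragments are constructed with placeholder ids."""

def canonical(ids):
    """Prefer the CVE so a GHSA from one tool collapses onto the CVE from another."""
    cves = sorted(i for i in ids if i and i.upper().startswith("CVE-"))
    return cves[0] if cves else sorted(i for i in ids if i)[0]

def from_trivy(report):
    # Trivy JSON: Results[].Vulnerabilities[] {VulnerabilityID, PkgName, InstalledVersion}
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            yield (canonical([v["VulnerabilityID"]]), v["PkgName"], v["InstalledVersion"])

def from_grype(report):
    # Grype JSON: matches[] {vulnerability.id, relatedVulnerabilities[].id, artifact{name,version}}
    for m in report.get("matches", []):
        ids = [m["vulnerability"]["id"]] + [r["id"] for r in m.get("relatedVulnerabilities", [])]
        yield (canonical(ids), m["artifact"]["name"], m["artifact"]["version"])

def from_osv(report):
    # OSV-Scanner JSON: results[].packages[] {package{name,version}, vulnerabilities[]{id,aliases}}
    for res in report.get("results", []):
        for p in res.get("packages", []):
            for v in p.get("vulnerabilities", []):
                yield (canonical([v["id"]] + v.get("aliases", [])), p["package"]["name"], p["package"]["version"])

def dedupe(*streams):
    """Merge (scanner, findings) pairs into {finding: set of scanners that reported it}."""
    seen = {}
    for scanner, findings in streams:
        for f in findings:
            seen.setdefault(f, set()).add(scanner)
    return seen

# Constructed report fragments with placeholder ids (not real advisories).
TRIVY = {"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.0.1"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "lodash", "InstalledVersion": "4.17.20"}]}]}
GRYPE = {"matches": [
    {"vulnerability": {"id": "GHSA-0000-0000-0000"}, "relatedVulnerabilities": [{"id": "CVE-0000-0002"}],
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-0000-0003"}, "artifact": {"name": "zlib", "version": "1.2.11"}}]}
OSV = {"results": [{"packages": [{"package": {"name": "lodash", "version": "4.17.20"},
    "vulnerabilities": [{"id": "GHSA-0000-0000-0000", "aliases": ["CVE-0000-0002"]}]}]}]}

def merged():
    """Five raw hits across three tools collapse to three unique findings."""
    return dedupe(("trivy", from_trivy(TRIVY)), ("grype", from_grype(GRYPE)), ("osv", from_osv(OSV)))
```

The scanner set attached to each finding is what makes triage cheaper: a hit confirmed by all three tools is prioritized differently from one only a single scanner reports.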

Output formats

JSON, CycloneDX, SPDX-JSON, SARIF