
Trivy

Comprehensive vulnerability scanner with CVE, license, IaC, and secret detection.

Trivy from Aqua Security is one of the most widely used open-source container scanners. HarborGuard runs Trivy with its vulnerability, secret and license scanners enabled against every layer of every image, normalizes the findings into the unified schema, and dedupes them against Grype and OSV-Scanner output. Trivy's vulnerability database is rebuilt roughly every 6 hours from the NVD, GitHub Security Advisories, distribution security trackers, and Aqua's own feeds.

What it scans

  • OS packages (Alpine, Debian, RedHat, Ubuntu, Amazon Linux, SUSE, Photon)
  • Language dependencies (npm, PyPI, Maven, RubyGems, NuGet, Cargo, Go modules, Composer, Hex)
  • Misconfigurations in IaC files (Dockerfile, Kubernetes manifests, Terraform, Helm)
  • Embedded secrets and credentials
  • License compliance violations

When to use it

  • Default for all production scans — broadest CVE coverage.
  • When you need a single tool that covers OS + libs + secrets + license.
  • CI gating: Trivy is fast enough for pre-merge container builds, and --exit-code fails the build on findings at or above a chosen severity.

How HarborGuard runs Trivy

1. Runs inside the harborguard-sensor Docker image, never on the host.

2. The vulnerability database is cached on the worker machine, so it is not re-downloaded for every scan and repeated pulls (by default from ghcr.io/aquasecurity/trivy-db) do not hit registry rate limits. Trivy does not query the NVD at scan time.

3. Findings are deduplicated against Grype + OSV-Scanner output before triage.
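The pipeline above (container invocation with a cached DB, CI gate via exit code, then normalization and dedup against Grype and OSV-Scanner) as an added example. This is not HarborGuard's or Trivy's code: the unified schema is my own, the docker image tag, cache path and registry name are placeholders, the JSON field names follow each scanner's public output format as I know it, and the three sample documents are constructed with placeholder CVE/GHSA ids and package names. The point it shows that the steps alone do not: Trivy reports CVE ids while Grype and OSV-Scanner often report the GHSA id with the CVE as an alias, and the scanners disagree on severity vocabulary, so a naive dedup on the primary id triple-counts the same bug.

```python
"""Normalize Trivy, Grype and OSV-Scanner JSON into one schema and dedupe it. Added
example, not HarborGuard code; field names follow each scanner's public JSON output
as I know it; sample documents are constructed with placeholder CVE/GHSA ids."""
SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

def trivy_argv(image, cache_dir="/var/cache/trivy", severity="HIGH,CRITICAL"):
    """Trivy in its own container, DB cache bind-mounted from the worker so it is not
    re-downloaded per scan, vuln+secret+license on; --exit-code 1 makes it a CI gate.
    The image tag and cache path are placeholders."""
    return ["docker", "run", "--rm", "-v", f"{cache_dir}:/root/.cache/trivy",
            "aquasec/trivy:latest", "image", "--scanners", "vuln,secret,license",
            "--severity", severity, "--exit-code", "1", "--format", "json", image]

def norm_severity(raw):  # vocabularies differ: OSV/GHSA say MODERATE, Grype title-cases
    s = (raw or "UNKNOWN").upper()
    return {"MODERATE": "MEDIUM"}.get(s, s)

def finding(kind, fid, pkg, version, severity, source, aliases=(), fixed=None):
    return {"kind": kind, "id": fid, "aliases": set(aliases), "pkg": pkg, "version": version,
            "severity": norm_severity(severity), "fixed": fixed or None, "sources": {source}}

def normalize_trivy(doc):
    out = []
    for res in doc.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            out.append(finding("vuln", v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                               v.get("Severity"), "trivy", fixed=v.get("FixedVersion")))
        for s in res.get("Secrets") or []:  # a secret is located by file + line
            out.append(finding("secret", s["RuleID"], res["Target"],
                               str(s.get("StartLine", "")), s.get("Severity"), "trivy"))
        for lic in res.get("Licenses") or []:
            out.append(finding("license", lic["Name"], lic["PkgName"], "", lic.get("Severity"), "trivy"))
    return out

def normalize_grype(doc):
    out = []
    for m in doc.get("matches", []):
        v, art = m["vulnerability"], m["artifact"]
        aliases = [r["id"] for r in m.get("relatedVulnerabilities", [])]
        fix = (v.get("fix") or {}).get("versions") or []
        out.append(finding("vuln", v["id"], art["name"], art["version"], v.get("severity"),
                           "grype", aliases, fix[0] if fix else None))
    return out

def normalize_osv(doc):
    out = []
    for r in doc.get("results", []):
        for p in r.get("packages", []):
            pkg = p["package"]
            for v in p.get("vulnerabilities", []):
                sev = (v.get("database_specific") or {}).get("severity")
                out.append(finding("vuln", v["id"], pkg["name"], pkg["version"], sev, "osv",
                                   v.get("aliases", [])))
    return out

def canonical_id(ids):  # prefer the CVE so a GHSA from OSV/Grype merges with Trivy's CVE
    cves = sorted(i for i in ids if i.upper().startswith("CVE-"))
    return cves[0] if cves else sorted(ids)[0]

def dedupe(findings):
    merged = {}
    for f in findings:
        ids = {f["id"], *f["aliases"]}
        cid = canonical_id(ids)
        key = (f["kind"], cid, f["pkg"].lower(), f["version"])
        cur = merged.get(key)
        if cur is None:
            merged[key] = {**f, "id": cid, "aliases": ids - {cid}}
            continue
        cur["sources"] |= f["sources"]
        cur["aliases"] |= ids - {cid}
        if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(cur["severity"], 0):
            cur["severity"] = f["severity"]  # scanners disagree; keep the worst case for triage
        cur["fixed"] = cur["fixed"] or f["fixed"]
    return sorted(merged.values(), key=lambda x: (-SEVERITY_RANK.get(x["severity"], 0), x["id"]))

# Constructed scanner outputs (placeholder ids and package names, not real advisories).
TRIVY_JSON = {"Results": [
    {"Target": "app:1.0 (alpine 3.18.4)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "3.1.1-r0",
         "FixedVersion": "3.1.2-r0", "Severity": "HIGH"}]},
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-npm-lib", "InstalledVersion": "1.0.0",
         "FixedVersion": "", "Severity": "MEDIUM"}]},
    {"Target": "app/.env", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "StartLine": 3}]},
    {"Target": "app/package-lock.json", "Class": "license", "Licenses": [
        {"Name": "GPL-3.0", "PkgName": "example-gpl-lib", "Severity": "HIGH"}]}]}
GRYPE_JSON = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"versions": ["3.1.2-r0"]}},
     "artifact": {"name": "libexample", "version": "3.1.1-r0"}},
    {"vulnerability": {"id": "GHSA-0000-0000-0002", "severity": "Medium"},
     "relatedVulnerabilities": [{"id": "CVE-0000-0002"}],
     "artifact": {"name": "example-npm-lib", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
     "artifact": {"name": "othertool", "version": "2.0.0"}}]}
OSV_JSON = {"results": [{"packages": [
    {"package": {"name": "example-npm-lib", "version": "1.0.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-0000-0000-0002", "aliases": ["CVE-0000-0002"],
                          "database_specific": {"severity": "MODERATE"}}]}]}]}

def run_demo():  # merge all three constructed outputs into one deduped list
    return dedupe(normalize_trivy(TRIVY_JSON) + normalize_grype(GRYPE_JSON) + normalize_osv(OSV_JSON))
```

On the constructed input, run_demo() collapses seven raw findings into five: the npm issue reported three times (once as a CVE, twice as a GHSA with the CVE as alias) becomes one entry with three sources, and the OS package issue keeps Grype's CRITICAL rating over Trivy's HIGH because triage should see the worst case. Keying on the canonical id plus package name and version is deliberate: the same CVE in two different packages of one image is two findings, not one.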

Output formats

JSON, CycloneDX, SPDX-JSON, SARIF (selected with Trivy's --format flag)