Trivy Reviews

Name: Trivy
Brand: Aqua Security
Rating: 4.3 (8 reviews)

4.3 out of 5

8 reviews
100% willing to recommend

What is Trivy?

Trivy is a versatile tool for scanning container images and identifying vulnerabilities, favored for its integration with CI/CD pipelines and ease of use. It supports scanning both operating system packages and application dependencies.

Get the Container Security Buyer's Guide and find out what your peers are saying about Trivy, Wiz, Microsoft Defender for Cloud and more!

Trivy is the #13 ranked solution in Container Security Solutions. PeerSpot users give Trivy an average rating of 8.6 out of 10. Trivy is most commonly compared to Wiz: Trivy vs Wiz. Trivy is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 16% of all views.

Buyer's Guide

Container Security

March 2025

Get the category report

Helped 842,296 peers since 2012

Featured Trivy reviews

Utsav Sharma

Senior Security Consultant at Ernst & Young

The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma. It also offers repository scanning in the source code domain, allowing pre-push code scans. The misconfiguration detection works well for CloudFormation, Docker files, and Terraform. Its compliance support, like NIST, ensures that configurations align with standards. Trivy helps me significantly detect misconfigurations missed by the ops engineers or in Terraform by the naked eye. It ensures that my deployments are free of misconfigurations and vulnerabilities.

Read full review

Faizan Anwar

Cloud DevOps Lead at Venturenox

In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis. It would be beneficial to have an automated report mechanism for outputs in formats like CSV or JSON. Additionally, especially as the world is moving towards AI, it would be helpful to give recommendations based on scanning reports. It can also give recommendations in enhancing cluster security if somehow AI is induced in it.

Read full review

Jyothikumar C

Senior Engineering Manager at Ninjacart

For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion.

Read full review

Trivy mindshare

As of March 2025, the mindshare of Trivy in the Container Security category stands at 6.8%, up from 0.6% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Container Security

Key learnings from peers

Last updated Feb 9, 2025

Valuable Features

Trivy offers valuable features like seamless CI/CD integration and easy setup. Users appreciate its open-source nature and wide functionality, including scanning Kubernetes files, Docker images, Terraform code, and detecting secrets and vulnerabilities. It supports various operating systems, ensuring updated security vulnerability lists. Its ability to identify misconfigurations and compliance issues while being lightweight and customizable makes it reliable for detecting vulnerabilities quickly and facilitating secure deployments. The tool's convenience and speed are key attractions for users.

"Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production."
"I appreciate Trivy for being open-source and not requiring any payment."
"Overall, I would rate Trivy a ten out of ten."

Room for Improvement

Trivy's reporting and scan durations need enhancement, particularly for CI integration. CSV and PDF report outputs are desired, along with better exporting options and SIEM integration. Users suggest incorporating runtime scanning and expanding the vulnerability database. A unified tool for anomaly and malware detection is requested. False positives are problematic, and the lack of a user interface and automated report features poses challenges. Improving contextual analysis, RBAC, and network policy scanning would also be beneficial.

"One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example."
"Having little experience can hinder the ability to connect it to a user-friendly UI effectively."
"Trivy generates many false positives, flagging non-existent vulnerabilities. Improvements could include better contextual analysis or granular filtering."

Popular Use Cases

Trivy is primarily employed for scanning code bases, Docker images, and containers for vulnerabilities, malware, and security issues. It is integrated into CI/CD pipelines, particularly Azure DevOps, and used in DevSecOps processes. Users focus on detecting open-source vulnerabilities, container misconfigurations, and compliance in Kubernetes and Terraform, ensuring secure deployment. Implemented in multiple IT environments, Trivy enables regular and automated scans, facilitating collaboration with developers to address detected anomalies.

Service and Support

Trivy's customer service is generally appreciated, with some mentioning good documentation and community support. GitHub issues are quickly addressed, though changes may take time. Communication delays exist due to time zones, but responses are effective. Some rely on Trivy's community and documentation without needing direct support, while others found helpful guidance via Discord for installation issues. Many prefer to navigate Trivy independently, given available resources and internal expertise.

Deployment

Trivy's initial setup is consistently described as easy and straightforward, often taking less than ten minutes. Many users appreciated the clear documentation and supportive packages like Helm charts. Familiarity with Kubernetes and cybersecurity knowledge facilitated a seamless experience. Collectively, users installed Trivy in containers for image scanning without encountering significant challenges, underscoring the simplicity and efficiency of the installation process.

Scalability

Trivy demonstrates significant scalability within CI/CD environments, effectively handling multiple microservices and workloads. Users encounter few issues with command-line operations, though some find challenges when scanning a high number of resources simultaneously. Reports suggest the necessity of improved reporting features. Most find it suitable for container images and file systems, especially with auto-scaling. Trivy's integration into existing systems allows efficient utilization without needing to scale the tool itself.

Stability

Users consistently find Trivy stable and reliable, expressing satisfaction with its performance, especially compared to other tools. They mention no significant stability issues during long-term usage, including in CICD pipelines and system environments. While the initial scan may require some time for database loading, it operates efficiently thereafter. Trivy's operator has been maintained without problems, demonstrating robust performance across various settings, further confirming its reliability and dependability in diverse scenarios.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Container Security Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

16%

Financial Services Firm

14%

Manufacturing Company

11%

Government

Comms Service Provider

University

Insurance Company

Retailer

Energy/Utilities Company

Media Company

Healthcare Company

Educational Organization

Legal Firm

Hospitality Company

Consumer Goods Company

Construction Company

Real Estate/Law Firm

Transportation Company

Aerospace/Defense Firm

Non Profit

Outsourcing Company

Performing Arts

Logistics Company

Pharma/Biotech Company

Wholesaler/Distributor

Compare Trivy with alternative products

Learn more about Trivy

Trivy is an efficient tool designed to automate security checks and ensure compliance. Its quick setup, detailed analysis capabilities, and support for multiple programming languages and environments make it a reliable choice for users. Trivy provides comprehensive scanning and integration with CI/CD pipelines, resulting in accurate vulnerability detection and a smoother workflow for developers.

What are the most important features?

Efficient vulnerability detection: Quickly identifies vulnerabilities in container images.
Comprehensive scanning: Supports scanning of both OS packages and application dependencies.
CI/CD pipeline integration: Seamlessly integrates with CI/CD tools for automated security checks.
Broad language support: Handles multiple programming languages and environments.
Ease of use: Simple setup and user-friendly interface.

What benefits or ROI should users look for?

Improved security: Regular and thorough vulnerability scanning enhances security posture.
Compliance maintenance: Helps in maintaining compliance with security policies and regulations.
Cost efficiency: Automation reduces the time and cost associated with manual security checks.
Integration flexibility: Efficiently integrates with existing CI/CD pipelines to streamline workflows.
Detailed reporting: Provides comprehensive reports for better decision-making.

Trivy is widely used in industries with a focus on maintaining high security standards such as finance, healthcare, and technology sectors. Its ability to detect vulnerabilities quickly and integrate with CI/CD pipelines makes it an essential tool for ensuring secure and compliant software development practices in these industries. Continuous improvements in speed, documentation, and integration could further enhance its value.