Trivy Reviews

Name: Trivy
Brand: Aqua Security
Rating: 4.3 (12 reviews)

4.3 out of 5

12 reviews
100% willing to recommend

What is Trivy?

Trivy is a versatile tool for scanning container images and identifying vulnerabilities, favored for its integration with CI/CD pipelines and ease of use. It supports scanning both operating system packages and application dependencies.

Get the Container Security Buyer's Guide and find out what your peers are saying about Trivy, Wiz, Microsoft Defender for Cloud and more!

Trivy is the #9 ranked solution in Container Security Solutions. PeerSpot users give Trivy an average rating of 8.6 out of 10. Trivy is most commonly compared to Wiz: Trivy vs Wiz. Trivy is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 15% of all views.

Buyer's Guide

Container Security

May 2025

Get the category report

Helped 851,604 peers since 2012

Featured Trivy reviews

Utsav Sharma

Senior Security Consultant at Ernst & Young

The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma. It also offers repository scanning in the source code domain, allowing pre-push code scans. The misconfiguration detection works well for CloudFormation, Docker files, and Terraform. Its compliance support, like NIST, ensures that configurations align with standards. Trivy helps me significantly detect misconfigurations missed by the ops engineers or in Terraform by the naked eye. It ensures that my deployments are free of misconfigurations and vulnerabilities.

Read full review

Faizan Anwar

Cloud DevOps Lead at Venturenox

In our CI/CD pipelines, Trivy lacks built-in functionality for report analysis. It would be beneficial to have an automated report mechanism for outputs in formats like CSV or JSON. Additionally, especially as the world is moving towards AI, it would be helpful to give recommendations based on scanning reports. It can also give recommendations in enhancing cluster security if somehow AI is induced in it.

Read full review

Jyothikumar C

Senior Engineering Manager at Ninjacart

For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion.

Read full review

Trivy mindshare

As of May 2025, the mindshare of Trivy in the Container Security category stands at 5.7%, up from 1.1% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Container Security

Key learnings from peers

Last updated May 11, 2025

Valuable Features

Trivy excels in integrating with CI/CD pipelines, offering seamless setup and comprehensive scanning of code, images, and repositories. Its open-source nature and customizable options stand out. Users appreciate its capability to detect vulnerabilities, expired libraries, and secrets efficiently across multiple platforms. Trivy's straightforward installation, detailed reports, and wide functionality—covering Kubernetes, Docker, Terraform, and CloudFormation—enhance security analysis and compliance. Its lightweight design and up-to-date vulnerability database ensure effective security management.

"What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration."
"Trivy is most valuable for its ability to scan all repository files and dependencies."
"Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable."

Room for Improvement

Trivy lacks robust reporting and a user-friendly interface. Reporting needs PDF and CSV outputs, along with dynamic scanning and improved malware detection capabilities. Container scanning is slow with large workloads, and false positives are frequent. Integration with CI/CD and support for AI-driven insights are needed. Users want better customization, security recommendations, and expanded vulnerability databases. There is a desire for seamless UI integration and awareness about Trivy’s capabilities.

"The main area for improvement is in differentiating between OS and application-based vulnerabilities."
"Trivy is not scalable; however, I have scanned very large projects with it. It is stable but not scalable according to my experience."
"One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example."

Pricing

Enterprise users find Trivy cost-effective due to its free and open-source nature, making it a popular choice without licensing costs. Integration with platforms like GitLab may require payment. Organizations appreciate its cost-saving potential, mentioning customization options for scanning and cluster management. Companies primarily rely on the open-source version, minimizing expenses and meeting essential functionality without additional fees. Pricing and setup specifics may vary and depend on organizational requirements.

Popular Use Cases

Trivy is used for security and malware analysis of code bases, primarily scanning for vulnerabilities in Docker images, container systems, and application code. It integrates into CI/CD pipelines like Azure DevOps, scans Kubernetes namespaces and Terraform for misconfigurations, and identifies secrets in Kubernetes clusters. Trivy assists in DevSecOps processes, ensuring no critical vulnerabilities are present before deployment, with results visualized on platforms like Grafana.

Service and Support

Customers who engage with Trivy's customer service and support often lean on comprehensive documentation and community resources such as GitHub and Discord. Some users prefer internal expertise or web searches for assistance. When contacted, responses are informative despite possible time zone delays. The enterprise version is recommended for personalized support. While direct contact with support isn't frequent, guidance on technical queries is effective, with open-source community forums being a significant resource.

Deployment

Trivy's initial setup is described as straightforward by many. Most found it quick and easy to install, often taking less than ten minutes. Clear documentation and various installation options, such as Helm charts and Docker images, facilitated the process. While Linux users faced few challenges, some Windows setups were more time-consuming. Familiarity with related technologies like Kubernetes further eased the setup experience for users.

Scalability

Trivy demonstrates significant scalability, especially in CI/CD pipelines and Kubernetes environments. Some users note its efficiency in scanning multiple microservices and large amounts of data, while others highlight challenges when scanning numerous resources simultaneously. Many find it excels with command-line usage and requires no scaling of Trivy itself but rather the infrastructure around it. Users appreciate the ability to integrate Trivy in web app projects, though reporting mechanisms could enhance its scalability further.

Stability

Trivy is described as stable, with users highlighting its consistency in performance. They report few to no major stability issues, even within CICD pipelines. Initial database loading may take time, but subsequent operations are smooth. No lagging or crashing has been noted. Users suggest using the second latest version for optimum stability, as it offers consistent performance over the latest version, which may have frequent updates. Trivy receives high ratings for its reliability.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Container Security Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

15%

Financial Services Firm

14%

Manufacturing Company

11%

Government

Comms Service Provider

University

Retailer

Insurance Company

Media Company

Energy/Utilities Company

Healthcare Company

Educational Organization

Aerospace/Defense Firm

Legal Firm

Real Estate/Law Firm

Consumer Goods Company

Hospitality Company

Construction Company

Transportation Company

Performing Arts

Non Profit

Outsourcing Company

Wholesaler/Distributor

Logistics Company

Pharma/Biotech Company

Recreational Facilities/Services Company

Compare Trivy with alternative products

Learn more about Trivy

Trivy is an efficient tool designed to automate security checks and ensure compliance. Its quick setup, detailed analysis capabilities, and support for multiple programming languages and environments make it a reliable choice for users. Trivy provides comprehensive scanning and integration with CI/CD pipelines, resulting in accurate vulnerability detection and a smoother workflow for developers.

What are the most important features?

Efficient vulnerability detection: Quickly identifies vulnerabilities in container images.
Comprehensive scanning: Supports scanning of both OS packages and application dependencies.
CI/CD pipeline integration: Seamlessly integrates with CI/CD tools for automated security checks.
Broad language support: Handles multiple programming languages and environments.
Ease of use: Simple setup and user-friendly interface.

What benefits or ROI should users look for?

Improved security: Regular and thorough vulnerability scanning enhances security posture.
Compliance maintenance: Helps in maintaining compliance with security policies and regulations.
Cost efficiency: Automation reduces the time and cost associated with manual security checks.
Integration flexibility: Efficiently integrates with existing CI/CD pipelines to streamline workflows.
Detailed reporting: Provides comprehensive reports for better decision-making.

Trivy is widely used in industries with a focus on maintaining high security standards such as finance, healthcare, and technology sectors. Its ability to detect vulnerabilities quickly and integrate with CI/CD pipelines makes it an essential tool for ensuring secure and compliant software development practices in these industries. Continuous improvements in speed, documentation, and integration could further enhance its value.