DevOps Developer at a comms service provider with 11-50 employees
Real User
Top 20
Vulnerability scanning integrates seamlessly across diverse development projects
Pros and Cons
    • "Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable."

    What is our primary use case?

    I use Trivy to scan code for vulnerabilities before deployment. Our projects, which are developed by different developers, involve various dependencies and third-party code. Before deployment, I scan the code to ensure there are no issues with the dependencies, files, or secrets.

    What is most valuable?

    Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable. It allows output in various formats, enabling me to monitor and understand the code's state without reviewing it line by line. It identifies critical and minor issues effectively.

    What needs improvement?

    Trivy's marketing and awareness need improvement. Not everyone knows about it, which isn't ideal given its capabilities. There's potential to integrate AI and machine learning for enhanced functionality.

    For how long have I used the solution?

    I have used Trivy for around three years.
    Buyer's Guide
    Container Security
    May 2025
    Find out what your peers are saying about Aqua Security, JFrog, Snyk and others in Container Security. Updated: May 2025.
    851,823 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    Trivy is generally stable, especially when I use the second latest version. The latest version may have frequent changes, but the second latest version provides stability.

    What do I think about the scalability of the solution?

    Trivy scales well in scanning large amounts of data and images. In my microservices project running on Kubernetes, it regularly scans nearly one hundred images and more than one hundred thousand files daily.

    How are customer service and support?

    I primarily rely on documentation and the Trivy output for any issues. I haven't used online technical support.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    In our CI/CD pipeline, we have used SonarQube for code scanning. Initially, we manually reviewed code to prevent vulnerabilities, like during the Log4j issue, where developers were instructed to avoid using vulnerable dependencies.

    How was the initial setup?

    Trivy's setup is straightforward. It's easily installed on different systems like Linux with APT, Docker images, or using Helm charts in Kubernetes.

    What's my experience with pricing, setup cost, and licensing?

    I use the open source version of Trivy, so there are no costs associated.

    What other advice do I have?

    I recommend Trivy to others due to its powerful and useful features. However, I suggest increasing its marketing to raise awareness. I rate Trivy an eight out of ten.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer2620167 - PeerSpot reviewer
    Framework Engineer at a tech services company with 1,001-5,000 employees
    Real User
    Customize vulnerability scanning with ease and offers a straightforward setup process
    Pros and Cons
    • "It's customizable, allowing me to add any rules and format HTML templates as I wish."
    • "One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts."
    • "Trivy can improve by providing an output in PDF format. Additionally, it takes longer to scan container images built with many layers."

    What is our primary use case?

    I use Trivy in pipelines to scan for vulnerabilities in our code, container systems, and documents. This helps me address any issues I find with the suitable developer who has worked on it.

    What is most valuable?

    One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts. It's customizable, allowing me to add any rules and format HTML templates as I wish. The setup process of implementing Trivy in my pipelines was straightforward, taking no more than ten minutes.

    What needs improvement?

    Trivy can improve by providing an output in PDF format.

    Additionally, it takes longer to scan container images built with many layers. The exporting options could be better, including integration with AWS or GCP. Many open issues in GitHub could be addressed to avoid bugs and ensure a stable environment.

    For how long have I used the solution?

    I've been working with the Trivy solution for eight to ten months.

    What do I think about the stability of the solution?

    Trivy is quite stable compared to other tools.

    What do I think about the scalability of the solution?

    Trivy is not scalable if I need to scan 50 or 100 resources at once. While scalable for file system scans, it's not suitable for scanning multiple container images at once.

    How are customer service and support?

    Being open source, I've raised issues on GitHub, and they were taken up quickly. However, it takes some time to implement changes and bring them into the stable version. They usually suggest opting for the enterprise version for personalized issues.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I shortlisted Snyk and DockerBank Security; however, Trivy turned out to be better, mainly because it is open source and scans file systems and container systems, including Kubernetes clusters.

    How was the initial setup?

    The initial setup was very straightforward and easy, taking less than ten minutes.

    What about the implementation team?

    I handled it myself using the Azure pipeline and CLI.

    Which other solutions did I evaluate?

    I shortlisted Snyk and DockerBank Security.

    What other advice do I have?

    I would definitely recommend Trivy to others looking for an open-source file system scanner, Kubernetes cluster scanner, or container image vulnerability scanner. However, for someone with the budget, Trivy's scalability may be an issue.

    Overall, I rate Trivy eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Site Reliability Engineer at a tech vendor with 10,001+ employees
    Real User
    Ease of setup and insightful report generation guide vulnerability management effectively
    Pros and Cons
    • "What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration."
    • "The main area for improvement is in differentiating between OS and application-based vulnerabilities."

    What is our primary use case?

    We are using Trivy for vulnerability scans and identifying open secrets, if there are any, in our Kubernetes clusters. We are visualizing the results on Grafana dashboards, which helps restrict the exposure of secrets and makes our system more precise with image scanners.

    What is most valuable?

    What I find valuable is the ease of setup with Trivy, including pre-defined operators that require minimal configuration. The reports generated are easy to read, even for non-technical individuals. Good documentation for installation and troubleshooting is provided. Additionally, it differentiates vulnerabilities based on severity, which aids in addressing vulnerabilities in the correct order.

    What needs improvement?

    The main area for improvement is in differentiating between OS and application-based vulnerabilities. Additionally, the customization of reports is limited; we can only add a few parameters. Custom application details in reports would make it easier to identify the use case of each pod.

    For how long have I used the solution?

    I have been using Trivy for around six to seven months.

    What was my experience with deployment of the solution?

    We faced challenges with setting up Trivy on Windows, but the process on Linux was smooth. The complexity is attributed to Windows setups rather than Trivy itself. For implementation, we downloaded the repository, ran a few commands, and used Helm charts to deploy Trivy operators on Kubernetes.

    What do I think about the stability of the solution?

    There are no performance or stability issues with Trivy.

    What do I think about the scalability of the solution?

    Trivy is quite easy to scale, especially on Kubernetes. We have replicated it across multiple clusters, and it scales easily both vertically and horizontally, depending on CPU usage and the number of pods.

    How are customer service and support?

    We haven't tried reaching out to Trivy's technical support, and I'm unsure if they provide any.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    Before Trivy, we did not have any solution in place for scanning.

    How was the initial setup?

    The initial setup was straightforward for Linux but not for Windows. We followed the documentation provided, ran the necessary commands, and used Helm charts for Kubernetes. It took more than one day for the Kubernetes setup and around five to six hours for the local setup.

    What about the implementation team?

    We implemented Trivy following the documentation available. The setup for both Trivy itself and the Trivy operator required downloading the repositories and configuring them using Helm charts on Kubernetes.

    What's my experience with pricing, setup cost, and licensing?

    Trivy is open source, making it cost-effective. There are customization options available at the cluster level, allowing us to modify schedules, scaling, and which pods or images to scan.

    Which other solutions did I evaluate?

    We did not evaluate any other solutions. Trivy was the first option that came up during our search.

    What other advice do I have?

    One piece of advice is to start with the image-based version locally to understand how Trivy works before setting it up on Kubernetes. This local setup will enhance understanding, which helps when customizing the Kubernetes setup. Overall, I rate Trivy as an eight out of ten as a solution.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Cybersecurity & DevSecOps Lead at WhizAI
    Real User
    Top 5
    Enables efficient integration with seamless vulnerability detection
    Pros and Cons
    • "Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images."
    • "The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting."

    What is our primary use case?

    I use Trivy for CI/CD and container scanning.

    What is most valuable?

    Trivy is easy to integrate with CI/CD and can be installed on desktops to scan images. It helps with all configurations, including scanning of images and file systems, and even detecting secrets, not just vulnerabilities. It is very lightweight, requiring minimal effort to get it working. Trivy catches most vulnerabilities quickly because it does not take time to scan anything.

    What needs improvement?

    The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting.

    Additionally, Trivy should work as a Software Composition Analysis tool. If Trivy could do this, it would be great.

    For how long have I used the solution?

    I have been working with Trivy for more than four years.

    What do I think about the stability of the solution?

    I find Trivy to be stable.

    What do I think about the scalability of the solution?

    I do not have to scale Trivy itself. I have to scale the part or the tool that is scanning the images. Each instance is a complete system that can scan as many images as are passed through that scanning stage.

    How are customer service and support?

    We are using the open source community, so we do not need customer service support. If anything happens, we go on GitHub to find a solution.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We have been using Trivy from the beginning. We also have another scanner, New Vector, but our primary scanner is Trivy.

    How was the initial setup?

    The initial setup is straightforward, not just for me, but also for other developers who find it easy to set up and run. We installed Trivy in the container and used it for scanning other images. The setup process is quick and takes approximately five minutes.

    Which other solutions did I evaluate?

    We tried QEscape and some other new solutions; however, we settled on Trivy. I am not sure about money savings. I have not explored any other commercial software.

    What other advice do I have?

    Trivy is a Swiss knife. I recommend it because it is easy to integrate and provides quick results.

    On a scale of one to ten, I rate it nine out of ten for vulnerability scanning.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
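Two of the reviews above touch on the same practical gap: one reviewer values Trivy's multiple output formats for monitoring, another wants CSV output for auditing. The script below is an added example, not code from the page or from the Trivy project. It assumes Trivy's JSON report layout (SchemaVersion 2: a top-level "Results" list whose entries carry "Target", "Class", and optional "Vulnerabilities" and "Secrets" lists), flattens one such report into CSV rows, and applies a severity gate of the kind a CI/CD stage would use. The embedded report is constructed; its CVE identifiers, package names and registry name are placeholders.

```python
"""Flatten a Trivy-style JSON report into CSV rows and apply a severity gate.

Added example, not from the page or the Trivy project. Assumes the layout of
`trivy ... --format json` (SchemaVersion 2): Results[].Target, Results[].Class,
Results[].Vulnerabilities[] and Results[].Secrets[]. Sample data is constructed.
"""
import csv
import io
import json

# Severity ranking used by the gate (higher blocks first).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample report; every identifier here is a placeholder.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "registry.example.invalid/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4",
              "Severity": "HIGH", "Title": "placeholder: buffer overflow in examplelib"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "otherlib",
              "InstalledVersion": "0.9", "FixedVersion": "",
              "Severity": "LOW", "Title": "placeholder: information leak (no fix yet)"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "examplepkg",
              "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
              "Severity": "CRITICAL", "Title": "placeholder: remote code execution"}]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
              "Match": "AWS_ACCESS_KEY_ID=AKIA****************"}]},
    ],
})

CSV_COLUMNS = ["target", "class", "kind", "id", "package", "installed", "fixed", "severity", "title"]


def flatten_report(report_json: str) -> list[dict]:
    """One flat row per finding (vulnerability or secret), ready for CSV or a dashboard."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        target, cls = result.get("Target", ""), result.get("Class", "")
        for v in result.get("Vulnerabilities") or []:
            rows.append({"target": target, "class": cls, "kind": "vulnerability",
                         "id": v.get("VulnerabilityID", ""), "package": v.get("PkgName", ""),
                         "installed": v.get("InstalledVersion", ""), "fixed": v.get("FixedVersion", ""),
                         "severity": v.get("Severity", "UNKNOWN"), "title": v.get("Title", "")})
        for s in result.get("Secrets") or []:
            # Record the rule and location only; the matched value never goes into the report.
            rows.append({"target": target, "class": cls, "kind": "secret",
                         "id": s.get("RuleID", ""), "package": "", "installed": "", "fixed": "",
                         "severity": s.get("Severity", "UNKNOWN"),
                         "title": f"{s.get('Title', '')} (line {s.get('StartLine', '?')})"})
    return rows


def to_csv(rows: list[dict]) -> str:
    """Render the flat rows as CSV text for auditing or archiving."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def severity_counts(rows: list[dict]) -> dict:
    counts: dict = {}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


def gate(rows: list[dict], threshold: str = "HIGH", require_fix: bool = False) -> bool:
    """True means 'block the deployment': a finding at or above threshold exists.

    require_fix=True skips vulnerabilities with no FixedVersion (the same triage idea
    as Trivy's --ignore-unfixed); exposed secrets always block regardless.
    """
    limit = SEVERITY_RANK[threshold]
    for r in rows:
        if SEVERITY_RANK.get(r["severity"], 0) < limit:
            continue
        if r["kind"] == "vulnerability" and require_fix and not r["fixed"]:
            continue
        return True
    return False


if __name__ == "__main__":
    findings = flatten_report(SAMPLE_REPORT)
    print(to_csv(findings))
    print("counts:", severity_counts(findings), "block:", gate(findings))
```

In a pipeline this runs after `trivy image --format json --output report.json <image>` with the file's contents passed to `flatten_report`; the gate's exit decision is what the stage returns, while the CSV is kept as the audit artifact.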