DevOps Engineer at an educational organization with 1,001-5,000 employees
Real User
Top 5
Feb 4, 2025
Has provided comprehensive vulnerability scanning and seamless CI/CD integration
Pros and Cons
  • "I appreciate Trivy for being open-source and not requiring any payment."
  • "Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production."
  • "Having little experience can hinder the ability to connect it to a user-friendly UI effectively."
  • "One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example."

What is our primary use case?

The main use case for Trivy is to scan Docker images or packages for CVEs, specifically for vulnerabilities. I use the tool to ensure that newly built Docker images do not have critical vulnerabilities before they are pushed to production. 

Additionally, I have integrated Trivy into the Kubernetes cluster alongside policy reports to display a UI for all CVEs.

What is most valuable?

I appreciate Trivy for being open-source and not requiring any payment. It has a comprehensive database of vulnerabilities and is regularly updated. I find the tool useful as it can integrate with GitLab CI for efficient scanning of Docker images and provides functionality to scan packages and static code. 

Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production.

What needs improvement?

One drawback I have observed with Trivy is the difficulty in building or integrating a UI, particularly for an operator in the NetSuite example. It is not intuitive or pre-packaged, making it challenging for users like me who need to develop their own UI. 

Additionally, having little experience can hinder the ability to connect it to a user-friendly UI effectively.

What do I think about the stability of the solution?

I have not experienced any stability issues with Trivy. The operator has been running for a long time in the environment without any problems.

Buyer's Guide
Trivy
January 2026
Learn what your peers think about Trivy. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,733 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I have found scalability not to be an issue with Trivy as it runs in CI/CD jobs. Once a job finishes, the process terminates, eliminating the need for scaling.

How are customer service and support?

Although I have not had to contact the support team regularly, I did reach out to them on Discord for assistance with installing a UI for the Trivy operator in Kubernetes. They were helpful in guiding me on the tools to use and the correct approach.

How would you rate customer service and support?

Neutral

What's my experience with pricing, setup cost, and licensing?

Trivy itself is completely free, and it even has built-in integration with GitLab. However, the built-in integration in GitLab requires payment.

What other advice do I have?

I rate Trivy an eight out of ten. This rating reflects its open-source nature, comprehensive scanning capabilities, and its regular updates. The only downside is the absence of a native UI, which would enhance user experience.

Disclosure: My company has a business relationship with this vendor other than being a customer. partner/customer
PeerSpot user
Jyothikumar C - PeerSpot reviewer
Senior Engineering Manager at a tech vendor with 1,001-5,000 employees
Real User
Top 5
Jan 30, 2025
Good integrations for more observability and an open-source setup
Pros and Cons
  • "I can see vulnerabilities in the images of any applications deployed in the Kubernetes environment or as container applications."
  • "I definitely recommend Trivy."
  • "For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools."
  • "For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion."

What is our primary use case?

I am implementing Trivy as part of my DevSecOps process in the CI/CD pipelines to scan my container applications and container images.

What is most valuable?

I can see vulnerabilities in the images of any applications deployed in the Kubernetes environment or as container applications. 

Prior to deploying to production, I can identify the vulnerabilities and find ways to fix them. I can check for any libraries that are expired, and it also performs dependency checks, allowing me to fix these issues before making my production system vulnerable. 

I have integrated this with Grafana as part of my observability stack. I use Grafana as an observability stack and have integrated this report with it. I am able to see those metrics from there.

What needs improvement?

For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion.

For how long have I used the solution?

I have been using Trivy for one year.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

I have multiple pods, and an auto-scaler is enabled.

How are customer service and support?

Internally, we have a cybersecurity specialization team in my office. I don't see much critical difference as they are aware of these things.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I used Trivy and OpenVAS.

How was the initial setup?

I didn't encounter any issues since Trivy is open-source and provided all-in-one packages like Helm charts and supported documentation. It was straightforward for me. I spent time understanding the industry and completed my cybersecurity certification from IIM, where I learned about using Trivy and OpenVAS. This experience helped me become familiar with Trivy. I didn't face many challenges since I have a solid understanding of Kubernetes and authorization.

Which other solutions did I evaluate?

I considered OpenVAS, which is user-friendly for container applications. However, OpenVAS is primarily based on virtual machines, designed mainly for virtual machines and on-premises setups.

What other advice do I have?

I definitely recommend Trivy. Many companies are migrating to container platforms. It integrates well with observability stacks like ELK, Grafana, or Datadog. I advise using these tools for observability integration. I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2599524 - PeerSpot reviewer
Software Engineer at a manufacturing company with 10,001+ employees
Real User
Top 5
Dec 5, 2024
Seamlessly integrates with CI/CD pipeline for effective security and malware testing
Pros and Cons
  • "The most valuable feature of Trivy is its easy integration with the CI/CD pipeline."
  • "The reporting could be a little better."
  • "The reporting could be a little better. When integrating Trivy with CI, the interpretation of the reports could be improved."

What is our primary use case?

We are using Trivy for static analysis tests of our code bases, primarily for security and malware testing.

What is most valuable?

The most valuable feature of Trivy is its easy integration with the CI/CD pipeline. It allows for seamless scanning of the entire code base in GitHub, making it very scalable based on how it is deployed in conjunction with CI. It has greatly facilitated our security testing and analysis processes.

What needs improvement?

The reporting could be a little better. When integrating Trivy with CI, the interpretation of the reports could be improved. The only aspect that seems to require more effort is understanding the reporting, which might need some attention.

For how long have I used the solution?

I have used Trivy for one to two months.

What do I think about the stability of the solution?

Trivy is stable. With my usage so far, I haven't encountered any major stability issues.

What do I think about the scalability of the solution?

Trivy is very scalable. With its integration into our CI setup, it can scan the whole code base efficiently. However, there might be a learning curve when using it on a standalone basis.

How are customer service and support?

I haven't had the chance to talk to the support team, so I have no direct experience with their customer service. However, the documentation is good, and it helped me navigate through the setup.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have different static analysis tools like Coverity or Bandit; however, they are not alternatives to Trivy. We use multiple methods for scanning, and Trivy complements these other tools.

How was the initial setup?

The initial setup was easy, and it took just a couple of days for deployment.

What about the implementation team?

I used a third party for the implementation. Trivy GitHub CI has a third-party GitHub action that I could use directly.

Which other solutions did I evaluate?

I didn't evaluate other options personally. Different options are used within my company. I don't recall the names.

What other advice do I have?

I would recommend starting to use Trivy and exploring the documentation, as it is quite comprehensive. Understanding the project pipeline first is important, as it affects the configuration and integration process. This understanding is crucial for integrating Trivy into your security pipeline.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2620167 - PeerSpot reviewer
Framework Engineer at a tech services company with 1,001-5,000 employees
Real User
Top 20
Dec 20, 2024
Customize vulnerability scanning with ease and offers a straightforward setup process
Pros and Cons
  • "It's customizable, allowing me to add any rules and format HTML templates as I wish."
  • "One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts."
  • "Trivy can improve by providing an output in PDF format."
  • "Trivy can improve by providing an output in PDF format. Additionally, it takes longer to scan container images built with many layers."

What is our primary use case?

I use Trivy in pipelines to scan for vulnerabilities in our code, container systems, and documents. This helps me address any issues I find with the suitable developer who has worked on it.

What is most valuable?

One of the great features of Trivy is that it helps me scan items such as AWS credentials and GCP service accounts. It's customizable, allowing me to add any rules and format HTML templates as I wish. The setup process of implementing Trivy in my pipelines was straightforward, taking no more than ten minutes.

What needs improvement?

Trivy can improve by providing an output in PDF format. 

Additionally, it takes longer to scan container images built with many layers. The exporting options could be better, including integration with AWS or GCP. Many open issues in GitHub could be addressed to avoid bugs and ensure a stable environment.

For how long have I used the solution?

I've been working with the Trivy solution for eight to ten months.

What do I think about the stability of the solution?

Trivy is quite stable compared to other tools.

What do I think about the scalability of the solution?

Trivy is not scalable if I need to scan 50 or 100 resources at once. While scalable for file system scans, it's not suitable for scanning multiple container images at once.

How are customer service and support?

Being open source, I've raised issues on GitHub, and they were taken up quickly. However, it takes some time to implement changes and bring them into the stable version. They usually suggest opting for the enterprise version for personalized issues.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I shortlisted Snyk and Docker Bench Security; however, Trivy turned out to be better, mainly because it is open source and scans file systems and container systems, including Kubernetes clusters.

How was the initial setup?

The initial setup was very straightforward and easy, taking less than ten minutes.

What about the implementation team?

I handled it myself using the Azure pipeline and CLI.

Which other solutions did I evaluate?

I shortlisted Snyk and Docker Bench Security.

What other advice do I have?

I would definitely recommend Trivy to others looking for an open-source file system scanner, Kubernetes cluster scanner, or container image vulnerability scanner. However, for someone with the budget, Trivy's scalability may be an issue. 

Overall, I rate Trivy eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Trivy Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026
Product Categories
Container Security