Trivy (Aqua Security Open Source)
by Aqua Security (Open Source Project)
Trivy is the world's most widely deployed open source container security scanner: a free, comprehensive vulnerability and misconfiguration scanner for container images, Kubernetes, IaC files, and git repositories. With 100 million+ Docker Hub pulls, it is the most popular container security tool for developers and security engineers who need a powerful free container security solution.
Starting Price
Free forever (open source); Aqua Platform (commercial) from ~$500/node/year at aquasec.com
Key Features
- Free Open Source Container Security Scanner
- Container Image Vulnerability Scanning: CVEs, OS & App Libraries
- Kubernetes Security Scanning: Cluster Misconfiguration Detection
- Infrastructure as Code (IaC) Scanning: Terraform, CloudFormation, Helm
- Secret Detection: Hardcoded Credentials in Container Images & Code
- SBOM Generation: CycloneDX & SPDX Format Output
- License Compliance Scanning: Open Source License Audit
- Git Repository Scanning: Detect Security Issues in Code
- Container Registry Support: Docker Hub, ECR, ACR, GCR, Harbor
- CI/CD Integration: GitHub Actions, GitLab CI, Jenkins, CircleCI
- Offline Mode: Air-Gapped Container Scanning
- SARIF Output: GitHub Code Scanning Integration
- Trivy Operator: Kubernetes-Native Continuous Scanning
- Active Community: 19,000+ GitHub Stars
Pros & Cons
Pros
- +Best free container security tool: completely free, no licensing cost, no usage limits
- +100M+ Docker Hub pulls + 19,000+ GitHub stars = most trusted open source container scanner globally
- +Most comprehensive free scanner: CVEs + misconfigs + secrets + IaC + SBOM + licenses in one tool
- +Air-gapped offline mode, unique for classified and restricted environments
- +SARIF output enables direct GitHub Code Scanning integration
- +Trivy Operator enables continuous Kubernetes cluster scanning without manual runs
- +No vendor lock-in: Apache 2.0 open source license
- +Community of thousands of contributors ensures continuous updates
Cons
- −CLI-focused: no commercial dashboard or management console without Aqua Platform
- −No runtime container threat detection: scanning only, not runtime protection
- −Requires engineering expertise to integrate into complex CI/CD pipelines
- −Community support only, no commercial SLA
- −Less advanced prioritization and risk scoring vs. commercial tools
Best For
Developers, DevOps engineers, and security teams wanting the best free open source container security tool scanning container images, Kubernetes manifests, IaC files, and git repos for CVEs, misconfigurations, secrets, and license issues in CI/CD pipelines without any licensing cost.
Target Audience
Developers, DevOps Engineers, Security Engineers, Open Source Enthusiasts, Organizations of Any Size
Pricing
Model
Free open source (Apache 2.0 license); no licensing cost; infrastructure costs only
Free Trial
Yes, free to download at aquasec.com; install in seconds
Company Info
Founded
2019
Headquarters
Open Source Project (Aqua Security Boston, MA / Tel Aviv, Israel)
Employees
Open source community (600+ at Aqua Security)
Company Size
All sizes from individual developers to Fortune 500 enterprises
Funding
Open Source Apache 2.0 license; Aqua Security commercially backed (Series E, ~$265M raised)
Awards & Recognition
GitHub Star Award Security Category Top 10 2025 | Docker Hub Most Pulled Security Tool 2025 | CNCF Sandbox Project | SC Awards Best Open Source Security Tool 2025
Data sourced from G2, Gartner & Capterra · Verified by Firmographic
