trivy

Trivy container security scanner. Use for container security.


Best use case

trivy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using trivy should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/trivy/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/trivy/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/trivy/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How trivy Compares

Feature / Agent          | trivy         | Standard Approach
Platform Support         | Not specified | Limited / Varies
Context Awareness        | High          | Baseline
Installation Complexity  | Unknown       | N/A

Frequently Asked Questions

What does this skill do?

Trivy container security scanner. Use for container security.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Trivy

Trivy (by Aqua Security) is a comprehensive and versatile security scanner. It is famous for being incredibly fast, easy to install (single binary), and covering a wide range of targets (Containers, Filesystem, Git repos, AWS).

## When to Use

- **Docker Image Scanning**: The gold standard for fast image scanning in CI.
- **Kubernetes Scanning**: Scanning a running cluster for vulnerabilities.
- **SBOM Generation**: Creating a Software Bill of Materials (CycloneDX/SPDX).

## Quick Start

```bash
# Scan a container image
trivy image python:3.4-alpine

# Scan local filesystem (dependencies + secrets + misconfigs)
trivy fs .

# Scan a git repo
trivy repo https://github.com/knqyf263/trivy
```

## Core Concepts

### Scanners

Trivy runs multiple scanners in parallel:

- **Vuln**: CVEs in OS packages (apk, deb, rpm) and language deps (npm, pip, go.mod).
- **Misconfig**: IaC scans (Terraform, CloudFormation, K8s manifests).
- **Secret**: Hardcoded passwords/keys.
- **License**: License compliance.

### Client/Server Mode

Trivy can run standalone (Download DB -> Scan) or in Client/Server mode (Server holds DB, Client connects) for faster CI runs.

## Best Practices (2025)

**Do**:

- **Use `.trivyignore`**: To suppress false positives or accepted risks.
- **Scan Base Images**: Ensure your `FROM` image is clean (e.g., use `alpine` or `distroless`).
- **Generate SBOM**: Run `trivy image --format cyclonedx` to export an SBOM for compliance.

**Don't**:

- **Don't run full scans on every commit**: It might be slow on huge repos. Scan on Push/PR and nightly.
- **Don't ignore Misconfigurations**: Trivy creates alerts for running as root in Docker; fix these.
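As an added example (not part of the skill file or of Trivy itself), the following Python reads a Trivy JSON report, combines findings from the Vuln, Misconfig and Secret scanners described under Scanners, honours a `.trivyignore`-style allowlist as recommended above, and returns the findings that should block a Push/PR scan. It assumes the field names of Trivy's `--format json` report (`Results[].Vulnerabilities`, `Results[].Misconfigurations`, `Results[].Secrets`); the sample report and ignore file are constructed and every ID is a placeholder.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of `trivy image --format json` output; IDs are placeholders, not real
# advisories. Field names follow Trivy's JSON report schema (assumed, not taken from the page).
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "example/app:1.0", "Results": [
    {"Target": "example/app:1.0 (alpine)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar", "InstalledVersion": "2.3.0",
         "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz", "InstalledVersion": "0.9.0",
         "FixedVersion": "0.9.1", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Class": "config", "Misconfigurations": [
        {"ID": "AVD-EXAMPLE-0001", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"},
        {"ID": "AVD-EXAMPLE-0002", "Title": "HEALTHCHECK present", "Severity": "LOW", "Status": "PASS"}]},
    {"Target": "app/settings.py", "Class": "secret", "Secrets": [
        {"RuleID": "example-api-key", "Title": "Example API key", "Severity": "CRITICAL", "StartLine": 12}]},
]})

# Constructed .trivyignore contents: one finding ID per line, '#' starts a comment.
SAMPLE_IGNORE = "# accepted risk, tracked in ticket PLACEHOLDER\nCVE-EXAMPLE-0001\n"


def parse_ignore(text):
    """Return the set of IDs in a .trivyignore-style file (Trivy reads this itself via --ignorefile;
    it is re-parsed here only so the gate can show which accepted risks were skipped)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report_json, threshold="HIGH", ignore_text=""):
    """Findings from all three scanners at or above `threshold`, minus ignored IDs."""
    ignored, floor, found = parse_ignore(ignore_text), SEVERITY_RANK[threshold], []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities", []):
            if v["VulnerabilityID"] not in ignored and SEVERITY_RANK[v["Severity"]] >= floor:
                fix = v.get("FixedVersion") or "no fix yet"
                found.append((target, v["VulnerabilityID"], f"{v['PkgName']} {v['InstalledVersion']} -> {fix}"))
        for m in result.get("Misconfigurations", []):  # PASS entries are informational only
            if m["Status"] == "FAIL" and m["ID"] not in ignored and SEVERITY_RANK[m["Severity"]] >= floor:
                found.append((target, m["ID"], m["Title"]))
        for s in result.get("Secrets", []):  # secrets have no fixed version; the rule ID is the key
            if s["RuleID"] not in ignored and SEVERITY_RANK[s["Severity"]] >= floor:
                found.append((target, s["RuleID"], f"{s['Title']} at line {s['StartLine']}"))
    return found
```

In a Push/PR job, feed it the output of `trivy image --format json` and fail the job when the returned list is non-empty; the constructed report yields three blocking findings at the HIGH threshold once the ignored CVE is removed.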

## Troubleshooting

| Error               | Cause                    | Solution                                                                             |
| :------------------ | :----------------------- | :----------------------------------------------------------------------------------- |
| `DB Download Error` | Rate limiting / Network. | Inside a restricted network, set `TRIVY_OFFLINE_SCAN=true` and pass `--skip-db-update`.         |
| `API Rate Limit`    | GitHub API limit.        | Set `GITHUB_TOKEN` env var for Trivy to use.                                         |

## References

- [Trivy Documentation](https://aquasecurity.github.io/trivy/)