Trivy

Trivy is a comprehensive and versatile open-source security scanner from Aqua Security that finds vulnerabilities, misconfigurations, secrets, and SBOM in containers, Kubernetes, code repositories, clouds, and more. Trivy runs as a CLI tool, in client/server mode with an HTTP API, and as a Kubernetes Operator (trivy-operator) that continuously scans clusters and generates security reports as native Kubernetes Custom Resources.

3 APIs · 1 Capabilities · 0 Features
Containers, Kubernetes, SBOM, Security, Vulnerability Scanning, Open Source, DevSecOps, Cloud Security

APIs

Trivy Server API

Trivy can run in client/server mode where the server maintains vulnerability databases and clients submit scan requests. The server exposes HTTP endpoints including /healthz for...

Trivy Operator

The Trivy Operator is a Kubernetes-native security toolkit that automatically scans clusters and generates security reports as Kubernetes Custom Resources. It defines 12 CRDs co...

Trivy CLI

The primary interface for Trivy is its command-line tool, which scans container images, filesystems, Git repositories, Kubernetes clusters, virtual machine images, and SBOMs. Su...

Capabilities

Trivy Security Scanning

Workflow capability for container and Kubernetes security scanning using Trivy. Covers vulnerability detection in container images and packages, Kubernetes CRD-based security re...

Semantic Vocabularies

Trivy Context

25 classes · 0 properties

JSON-LD

API Governance Rules

Trivy API Rules

6 rules · 5 warnings · 1 info

SPECTRAL

Resources

Website
Documentation
Getting Started
GitHub Organization
GitHub Repository
Trivy Operator
GitHub Action
VS Code Extension
Helm Chart
Docker Image
Releases
OpenAPI
JSONSchema
JSONSchema
JSON Structure
JSON-LD
Spectral Rules
Naftiko Capability
Vocabulary
x-profiled

Sources

aid: trivy
name: Trivy
description: >-
  Trivy is a comprehensive and versatile open-source security scanner from Aqua Security
  that finds vulnerabilities, misconfigurations, secrets, and SBOM in containers,
  Kubernetes, code repositories, clouds, and more. Trivy runs as a CLI tool, in client/server
  mode with an HTTP API, and as a Kubernetes Operator (trivy-operator) that continuously
  scans clusters and generates security reports as native Kubernetes Custom Resources.
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
  - Containers
  - Kubernetes
  - SBOM
  - Security
  - Vulnerability Scanning
  - Open Source
  - DevSecOps
  - Cloud Security
url: >-
  https://raw.githubusercontent.com/api-evangelist/trivy/refs/heads/main/apis.yml
created: '2026-03-26'
modified: '2026-05-03'
specificationVersion: '0.19'
apis:
  - aid: trivy:trivy-server
    name: Trivy Server API
    description: >-
      Trivy can run in client/server mode where the server maintains vulnerability
      databases and clients submit scan requests. The server exposes HTTP endpoints
      including /healthz for liveness checks and /version for server version information.
      Authentication is via token-based header (Trivy-Token).
    humanURL: https://trivy.dev/latest/docs/references/modes/client-server/
    baseURL: http://localhost:4954
    tags:
      - Security
      - Vulnerability Scanning
      - Server Mode
      - HTTP API
    properties:
      - type: Documentation
        url: https://trivy.dev/latest/docs/references/modes/client-server/
      - type: GitHub Repository
        url: https://github.com/aquasecurity/trivy
      - type: OpenAPI
        url: openapi/trivy-server-openapi.yml

  - aid: trivy:trivy-operator
    name: Trivy Operator
    description: >-
      The Trivy Operator is a Kubernetes-native security toolkit that automatically
      scans clusters and generates security reports as Kubernetes Custom Resources.
      It defines 12 CRDs covering vulnerability reports, config audit reports, exposed
      secret reports, SBOM reports, RBAC assessment reports, infrastructure assessment
      reports, and compliance reports.
    humanURL: https://github.com/aquasecurity/trivy-operator
    baseURL: https://kubernetes.default.svc
    tags:
      - Kubernetes
      - Security
      - CRD
      - Operator
      - Vulnerability Scanning
    properties:
      - type: Documentation
        url: https://aquasecurity.github.io/trivy-operator/
      - type: GitHub Repository
        url: https://github.com/aquasecurity/trivy-operator
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_vulnerabilityreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_configauditreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_exposedsecretreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_sbomreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clustercompliancereports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clusterconfigauditreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clusterinfraassessmentreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clusterrbacassessmentreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clustersbomreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_clustervulnerabilityreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_infraassessmentreports.yaml
      - type: KubernetesCRD
        url: crd/aquasecurity.github.io_rbacassessmentreports.yaml

  - aid: trivy:trivy-cli
    name: Trivy CLI
    description: >-
      The primary interface for Trivy is its command-line tool, which scans container
      images, filesystems, Git repositories, Kubernetes clusters, virtual machine images,
      and SBOMs. Supports multiple output formats including JSON, SARIF, CycloneDX,
      SPDX, and table output for CI/CD integration.
    humanURL: https://trivy.dev/latest/docs/
    baseURL: https://trivy.dev
    tags:
      - CLI
      - Security
      - DevSecOps
      - Containers
      - Kubernetes
    properties:
      - type: Documentation
        url: https://trivy.dev/latest/docs/
      - type: Getting Started
        url: https://trivy.dev/latest/getting-started/installation/
      - type: GitHub Repository
        url: https://github.com/aquasecurity/trivy

common:
  - type: Website
    url: https://trivy.dev/
  - type: Documentation
    url: https://aquasecurity.github.io/trivy/
  - type: Getting Started
    url: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
  - type: GitHub Organization
    url: https://github.com/aquasecurity
  - type: GitHub Repository
    url: https://github.com/aquasecurity/trivy
  - type: Trivy Operator
    url: https://github.com/aquasecurity/trivy-operator
  - type: GitHub Action
    url: https://github.com/aquasecurity/trivy-action
  - type: VS Code Extension
    url: https://github.com/aquasecurity/trivy-vscode-extension
  - type: Helm Chart
    url: https://artifacthub.io/packages/helm/aqua/trivy-operator
  - type: Docker Image
    url: https://hub.docker.com/r/aquasec/trivy
  - type: Releases
    url: https://github.com/aquasecurity/trivy/releases
  - type: OpenAPI
    url: openapi/trivy-server-openapi.yml
  - type: JSONSchema
    url: json-schema/trivy-vulnerability-report-schema.json
  - type: JSONSchema
    url: json-schema/trivy-scan-result-schema.json
  - type: JSON Structure
    url: json-structure/trivy-scan-structure.json
  - type: JSON-LD
    url: json-ld/trivy-context.jsonld
  - type: Spectral Rules
    url: rules/trivy-rules.yml
  - type: Naftiko Capability
    url: capabilities/security-scanning.yaml
  - type: Vocabulary
    url: vocabulary/trivy-vocabulary.yml
  - type: x-profiled
    url: '2026-05'
maintainers:
  - FN: Kin Lane
    email: [email protected]