Trivy
All-in-one scanner for container images, filesystems and git repositories, IaC (Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, Helm), SBOMs, VM images and live Kubernetes clusters; reports OS and language-package vulnerabilities, misconfigurations and hard-coded secrets, with CI integrations.
Why it is included
Single CLI that covers vulnerabilities, misconfigurations, secrets and SBOM generation, so one tool can gate several stages of a supply-chain pipeline instead of stitching together separate scanners.
Best for
DevSecOps gates: registry or pre-push image scans, Terraform and CloudFormation review, Kubernetes YAML review, and in-cluster checks via trivy k8s.
Strengths
- Broad targets: images, filesystems, repositories, VM images, SBOMs and running Kubernetes clusters with one CLI
- Output formats include table, JSON, SARIF (for upload to code-scanning dashboards), CycloneDX and SPDX
- Trivy Operator for continuous in-cluster scanning; a local DB cache and client/server mode so CI runners do not have to download the vulnerability DB on every run
Limitations
- Findings are only as current as the vulnerability DB and policy bundle: runners with a stale cache, --skip-db-update, or no network path to the DB registry scan against old data, so mirror the DB in air-gapped setups and check its age (trivy --version prints the DB UpdatedAt timestamp)
- Matching relies on package metadata in the target; binaries installed outside the package manager (downloaded tarballs, vendored builds) generally lack that metadata and can be missed unless an SBOM covers them
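The gate described under Best for, as an added example (editor's code, not part of Trivy or this page): the scan itself is the real CLI run, for instance trivy image --format json --output trivy.json IMAGE, and the script post-processes that JSON with the same policy that --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 would apply, plus a .trivyignore-style allowlist, so the policy is visible and testable in the repo. The sample report is constructed with placeholder identifiers (not real advisories or checks); field names follow Trivy's JSON output (SchemaVersion 2) as the editor understands it, and the ignore-file parsing covers only the basic one-ID-per-line form with # comments.

```python
"""Policy gate over a Trivy JSON report (e.g. trivy image --format json --output trivy.json IMAGE).

Added example, not Trivy's own code. Field names follow Trivy's JSON output
(SchemaVersion 2). SAMPLE_REPORT is constructed; its IDs are placeholders.
"""
import json
import sys

FAIL_ON = frozenset({"HIGH", "CRITICAL"})

SAMPLE_REPORT = {  # constructed sample, shaped like Trivy's JSON output
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/app:1.2.3",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "registry.example.internal/app:1.2.3 (alpine 3.18.4)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.0-r1", "Severity": "HIGH"},  # no FixedVersion yet
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libother",
              "InstalledVersion": "2.3.0-r1", "FixedVersion": "2.3.1-r0", "Severity": "MEDIUM"},
         ]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "EXAMPLE-DS-001", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"},
             {"ID": "EXAMPLE-DS-002", "Title": "HEALTHCHECK defined", "Severity": "LOW", "Status": "PASS"},
         ]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "example-token", "Category": "Example", "Severity": "CRITICAL",
              "Title": "Example API token"},
         ]},
    ],
}


def parse_ignore_file(text):
    """Allowlist in the basic .trivyignore style: one ID per line, '#' starts a comment."""
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def blocking_findings(report, ignores=frozenset(), fail_on=FAIL_ON, ignore_unfixed=True):
    """Return [(id, reason)] for findings that should fail the pipeline.

    Vulnerabilities block on severity and, when ignore_unfixed is set, only if a
    FixedVersion exists (mirrors --severity and --ignore-unfixed). Only
    misconfigurations with Status FAIL count. Secrets block at any severity:
    a leaked credential is not a severity-threshold decision.
    """
    blocking = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            vid = v["VulnerabilityID"]
            if vid in ignores or v.get("Severity") not in fail_on:
                continue
            fixed = v.get("FixedVersion")
            if ignore_unfixed and not fixed:
                continue
            blocking.append((vid, f"{v['Severity']} {v['PkgName']} {v['InstalledVersion']} "
                                  f"(fix: {fixed or 'none'}) in {target}"))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") != "FAIL" or m["ID"] in ignores or m.get("Severity") not in fail_on:
                continue
            blocking.append((m["ID"], f"{m['Severity']} misconfiguration '{m.get('Title', '')}' in {target}"))
        for s in result.get("Secrets") or []:
            if s["RuleID"] in ignores:
                continue
            blocking.append((s["RuleID"], f"secret '{s.get('Title', '')}' in {target}"))
    return blocking


def gate(report, ignores=frozenset(), **policy):
    """CI exit code: 1 if anything blocks, else 0."""
    return 1 if blocking_findings(report, ignores, **policy) else 0


def load_report(path):
    """Load a Trivy JSON report and refuse schema versions this gate was not written for."""
    with open(path, encoding="utf-8") as f:
        report = json.load(f)
    if report.get("SchemaVersion") != 2:
        raise ValueError(f"unexpected SchemaVersion {report.get('SchemaVersion')!r}")
    return report


if __name__ == "__main__":
    # usage: gate.py [trivy.json] [.trivyignore]; with no arguments the constructed sample is used
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    ignores = frozenset()
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as f:
            ignores = parse_ignore_file(f.read())
    for fid, reason in blocking_findings(report, ignores):
        print(f"BLOCK {fid}: {reason}")
    sys.exit(gate(report, ignores))
```

On the sample the gate blocks on the fixable CRITICAL package, the failing Dockerfile check and the secret, while the HIGH finding with no fix is skipped exactly as --ignore-unfixed would skip it; running with ignore_unfixed=False surfaces it again, which is the right setting for images you build rather than pull. Keeping the allowlist in a file under review, rather than in runner flags, means every waiver is a visible commit.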
Good alternatives
Grype · Checkov · Terrascan
Related tools
Security & Privacy
Grype
Vulnerability scanner for container images and filesystems using Anchore’s vulnerability DB and Syft SBOM input.
Syft
CLI and library for generating SBOMs (SPDX, CycloneDX) from images, directories, and archives.
Checkov
Static analysis for Terraform, CloudFormation, Kubernetes, Docker, and more—hundreds of built-in policy checks.
Clair
Static analysis engine for container images: layer indexing and vulnerability matching against NVD and distro feeds.
Terrascan
IaC scanner detecting security issues across Terraform, Kubernetes, Helm, Docker, and cloud APIs via OPA/Rego policies.
Kubescape
Kubernetes security scanner for misconfigurations, RBAC, compliance frameworks (NSA/CIS), and image vulnerabilities.
