Open source vulnerability scanner

Trivy Image Vulnerability Scanner Now Under Apache 2.0 License

In our view, making security tools easy to use is one of the best ways to increase adoption and help end users improve the security of their deployments. One of the strengths of our open source vulnerability scanner for container images, Trivy, is that it’s very easy to install and to integrate into different workflows. That’s not just our own opinion – Docker’s Security Lead, Justin Cormack, described Trivy as “incredibly easy to use and fast to scan”. But however easy we make Trivy to run as a standalone tool, it’s even easier to use when it’s pre-integrated into other parts of your system - for example, if your image registry automatically scans images for vulnerabilities.

To further reduce any barriers to integration, we’ve changed Trivy’s license from AGPL to the more permissive Apache 2.0 license. This Apache license has become the de-facto standard license across cloud native open source software. It allows you use Trivy in any way you wish - all we ask is that you credit Aqua as the authors, as described in the license.

Trivy integrations with Harbor, Docker Enterprise, and more

We’re already seeing numerous integrations from some of the most popular image registries. For example, Trivy was one of the first scanners with a plug-in adapter for the Harbor registry. Following positive feedback from users, Trivy will be the default scanner from Harbor v2.0 onwards.

 trivy-0harbor

Figure 1 Trivy scan results within the Harbor registry

Similarly, we are working with the team at Mirantis on some Trivy enhancements to support them in building Trivy into their Docker Enterprise registry solution. Miland Gadre, VP of Engineering at Mirantis, says that "After evaluating several leading options for open source vulnerability scanning, Trivy really stood out.” We’ll be sure to keep you posted when that integration is available.

Integrations aren’t just limited to registries of course. Other folks in the community have also been hard at work creating integrations and add-ons for Trivy, such as this Prometheus exporter for extracting vulnerability metrics, and this Helm chart for installing Trivy into a Kubernetes cluster.

All these integrations are great news for end users, because they make it even easier to use Trivy within different environments. We know from experience that the more you use it, the more likely you are to find and eliminate important vulnerabilities from your deployed applications.

New call-to-action

If you’ve got an idea for an integration or a new feature for Trivy, or would like to join our community in developing the world’s best open source vulnerability scanner, we’d love to hear from you on GitHub.

Picture of Liz Rice

Liz Rice

Liz Rice is the VP of Open Source Engineering at cloud native security specialists Aqua Security, where she works on container-related open source projects including kube-bench and kube-hunter. She chairs the CNCF’s Technical Oversight Committee, and in 2018 was Co-Chair of the CNCF’s KubeCon + CloudNativeCon events in Copenhagen, Shanghai and Seattle. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift.

Open Source, Image Vulnerability Scanning, Container Vulnerability