Automic VaultAutomic Vault

brew

trivy を Homebrew, apk, chocolatey, dnf, MacPorts, Nix, pacman, zypper, scoop, winget でインストール

trivy のインストール経路、実行ファイル、メタデータ、AI エージェント向けセキュリティノートを確認します。

インストール

追加のインストールコマンド

macOS

Homebrew確認済み · 100%
brew install trivy

local Homebrew formula metadata

MacPorts確認済み · 94%
sudo port install trivy

MacPorts ports tree · security/trivy/Portfile · ソース: api.github.com

Linux

Alpine Linux apk確認済み · 92%
sudo apk add trivy

Alpine Linux edge package indexes · trivy · ソース: dl-cdn.alpinelinux.org

Fedora dnf確認済み · 92%
sudo dnf install trivy

Fedora Rawhide package metadata · trivy · ソース: dl.fedoraproject.org

Nix確認済み · 92%
nix profile install nixpkgs#trivy

nixpkgs package indexes · pkgs/by-name/tr/trivy/package.nix · ソース: api.github.com

Arch Linux pacman確認済み · 92%
sudo pacman -S trivy

Arch Linux sync databases · trivy · ソース: geo.mirror.pkgbuild.com

openSUSE zypper確認済み · 92%
sudo zypper install trivy

openSUSE Tumbleweed package metadata · trivy · ソース: download.opensuse.org

Windows

Chocolatey確認済み · 92%
choco install trivy

Chocolatey community package catalog · trivy · ソース: community.chocolatey.org

Scoop確認済み · 92%
scoop install main/trivy

Scoop official bucket manifest trees · bucket/trivy.json · ソース: api.github.com

Windows Package Manager確認済み · 92%
winget install --id AquaSecurity.Trivy -e

Windows Package Manager source index · AquaSecurity.Trivy · ソース: cdn.winget.microsoft.com

概要

パッケージ概要

Vulnerability scanner for container images, file systems, and Git repos

履歴

プロジェクトの歴史と使われ方

Trivy is Aqua Security's open-source security scanner. It began public life in the container-image vulnerability scanning niche and is now documented as a comprehensive scanner for container images, filesystems, Git repositories, VM images, and Kubernetes.

プロジェクトの歴史

Aqua's official blog announced on August 19, 2019 that Trivy, described there as a popular open-source container image vulnerability scanner, had joined the Aqua open-source family. The current project README shows how the scope expanded: Trivy now has multiple target types and scanners, including vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and license scanning.

That expansion mirrors the wider cloud-native security shift from image scanning as a point task to supply-chain and runtime-adjacent checks in CI, repositories, Kubernetes clusters, and local filesystems. Trivy's own docs and README frame it as a single CLI front end for those related checks rather than a collection of separate tools.

採用の歴史

The official homepage calls Trivy the most popular open-source security scanner for vulnerability scanning, IaC, SBOM discovery, cloud scanning, and Kubernetes security. The README lists integrations with GitHub Actions, the Trivy Kubernetes operator, and a VS Code extension, while the installation docs distinguish official and community install channels.

Homebrew adoption fits the way Trivy is commonly used: installed as a local CLI for developers and CI authors, run in Docker for pipeline isolation, and embedded into GitHub Actions or Kubernetes workflows for continuous scanning. Its package-manager presence is not ornamental; the package is a common entry point for trying a scanner before wiring it into automation.

使われ方

The README's general pattern is `trivy <target> [--scanners <scanner1,scanner2>] <subject>`. Examples include `trivy image python:3.4-alpine`, filesystem scans such as `trivy fs --scanners vuln,secret,misconfig myproject/`, and Kubernetes scans such as `trivy k8s --report summary cluster`.

In the package-nerd niche, Trivy is often used to inspect what a package, container image, repository, lockfile, or cluster would expose to a vulnerability database or policy scanner. The same executable can produce quick local answers and also serve as the scanner behind CI jobs, image-registry checks, and Kubernetes security reports.

パッケージ好きにとっての重要性

Trivy is significant because it connects package metadata to security outcomes. It reads OS packages and language dependencies, maps them to CVEs and other findings, and can emit SBOM-centered views. For people who track package ecosystems, it is both a user-facing CLI and a packaging/data-source stress test across distros, language lockfiles, images, and repositories.

It is also a good example of a security CLI becoming infrastructure: package managers install it, CI systems wrap it, Kubernetes operators schedule it, and downstream tools consume its reports. That makes its history more important than a normal formula entry.

タイムライン

  • 2019-08-19: Aqua announced that Trivy had joined the Aqua open-source family.
  • Current README: Trivy documents targets including container images, filesystems, Git repositories, VM images, and Kubernetes.
  • Current README: Trivy documents scanners for vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and licenses.
  • Current docs: Installation documentation covers official and community channels and points users to CI/CD, IDE, Kubernetes, and other integrations.

Related projects

  • Aqua Security, Trivy DB, Trivy Operator, trivy-action, Harbor scanner integrations, Kubernetes, SBOM tooling

セキュリティ状態

リスクレベル: red

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

リスク分類器

リスク red · 信頼度 中 · escape-surveillance-offensive

理由

  • broad file, network, media, or database tool signal
  • escape, surveillance, or offensive capability signal
  • infrastructure mutation or orchestration signal

信号

  • text:container
  • text:image
  • text:vulnerability scanner

インストール挙動

  • formula メタデータに Homebrew post-install フックは記録されていません。
  • Homebrew bottle メタデータは 6 個のプラットフォームターゲットで利用できます。
  • ビルドメタデータには 1 件のビルド依存関係があります。

推奨レビュー

エージェントに無人実行させる前に、このツールが平文の認証情報を読むか、リモート状態を書き込むか、成果物を公開するか、プラグインを起動するかを確認してください。

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
trivy.yaml

実行可能ファイル

インストールされる実行可能ファイル

コマンド種類公開範囲メモ
trivycliグローバル実行可能ファイル

鮮度

バージョンと鮮度

これらの信号は、ページ生成時期、パッケージマネージャの活動、上流リリース比較を分けて示します。バージョン遅れは、証拠 URL と比較可能なバージョンがある場合だけ警告されます。

ページ生成日2026-07-10
マネージャ版0.72.0
マネージャ更新日2026-06-30
ローカルデータOK
上流最新
検出された最新v0.72.0

https://github.com/aquasecurity/trivy

  • OK鮮度警告は生成されていません。

インストールメタデータ

パッケージメタデータ

パッケージキーbrew:trivy
バージョン0.72.0
パッケージマネージャHomebrew
パッケージマネージャページhttps://formulae.brew.sh/formula/trivy
ホームページhttps://trivy.dev/
リポジトリhttps://github.com/aquasecurity/trivy
上流ドキュメントhttps://trivy.dev/latest
ライセンスApache-2.0
ソースアーカイブhttps://github.com/aquasecurity/trivy/archive/refs/tags/v0.72.0.tar.gz
最終更新2026-06-30T10:15:59Z
Pulseupdated
ビルド依存関係go
Bottle利用可能 (対象 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-install未定義
サービス宣言なし

レジストリ情報

ソースデータベース詳細

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nametrivy
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

ソースデータベース一致

他のパッケージマネージャ記録

一致は外部パッケージマネージャインデックスから取得され、ローカルの Automic Vault パッケージリンクとは分けて表示されます。

Nix95%

trivy

nix profile install nixpkgs#trivy
  • normalized package name match
  • 一致条件: Trivy
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/tr/trivy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

trivy 0.71.0-r0

Simple and comprehensive vulnerability scanner for containers

https://github.com/aquasecurity/trivy

sudo apk add trivy
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: trivy
  • 1 依存関係
  • 1 提供
  • normalized package name match
  • 一致条件: Trivy
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: trivy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
dnf95%

trivy 0.69.3-1.fc45

Vulnerability and license scanner

https://github.com/aquasecurity/trivy

sudo dnf install trivy
  • License: Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause-Views AND BSD-3-Clause AND BSL-1.0 AND ISC AND LicenseRef-Fedora-Public-Domain AND MIT AND MIT-0 AND MPL-2.0 AND
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: trivy
  • 3 依存関係
  • 2 提供
  • normalized package name match
  • 一致条件: Trivy
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: trivy from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

trivy 0.71.1-1

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

https://github.com/aquasecurity/trivy

sudo pacman -S trivy
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 依存関係
  • 1 提供
  • 1 任意依存関係
  • normalized package name match
  • 一致条件: Trivy
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: trivy from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

trivy 0.71.0-1.1

A Simple and Comprehensive Vulnerability Scanner for Containers

https://github.com/aquasecurity/trivy

sudo zypper install trivy
  • License: Apache-2.0
  • Category: System/Management
  • Architecture: x86_64
  • Source Package: trivy
  • 3 依存関係
  • 1 提供
  • normalized package name match
  • 一致条件: Trivy
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: trivy from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

trivy

sudo port install trivy
  • normalized package name match
  • 一致条件: Trivy
MacPorts ports tree · api.github.com · MacPorts ports tree: security/trivy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Chocolatey95%

trivy

choco install trivy
  • normalized package name match
  • 一致条件: Trivy
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: trivy from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','timberwinr'
Scoop95%

main/trivy

scoop install main/trivy
  • normalized package name match
  • 一致条件: Trivy
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/trivy.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

AquaSecurity.Trivy

winget install --id AquaSecurity.Trivy -e
  • normalized package name match
  • 一致条件: Trivy
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: AquaSecurity.Trivy from https://cdn.winget.microsoft.com/cache/source.msix

ソース経路

リポジトリデータから生成

このページは scripts/generate-pkg-sqlite.py が生成した非公開のパッケージ SQLite アーティファクトから av-web によって提供されます。

使用ソース

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment