# Install trivy with Homebrew, apk, chocolatey, dnf, MacPorts, Nix, pacman, scoop, winget, zypper

Vulnerability scanner for container images, file systems, and Git repos. Version 0.72.0 via Homebrew; verified 2026-06-30.

## Install

```sh
sudo av install brew:trivy
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install trivy
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install trivy
```

  Evidence: MacPorts ports tree: security/trivy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add trivy
```

  Evidence: Alpine Linux edge package indexes: trivy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- dnf (92%):

```sh
sudo dnf install trivy
```

  Evidence: Fedora Rawhide package metadata: trivy from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#trivy
```

  Evidence: nixpkgs package indexes: pkgs/by-name/tr/trivy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S trivy
```

  Evidence: Arch Linux sync databases: trivy from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install trivy
```

  Evidence: openSUSE Tumbleweed package metadata: trivy from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install trivy
```

  Evidence: Chocolatey community package catalog: trivy from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','timberwinr'

- Scoop (92%):

```sh
scoop install main/trivy
```

  Evidence: Scoop official bucket manifest trees: bucket/trivy.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id AquaSecurity.Trivy -e
```

  Evidence: Windows Package Manager source index: AquaSecurity.Trivy from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:trivy
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/trivy>
- **Version:** 0.72.0
- **Source summary:** Vulnerability scanner for container images, file systems, and Git repos
- **Homepage:** <https://trivy.dev/>
- **Repository:** <https://github.com/aquasecurity/trivy>
- **Upstream docs:** <https://trivy.dev/latest>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/aquasecurity/trivy/archive/refs/tags/v0.72.0.tar.gz>
- **Last updated:** 2026-06-30T10:15:59Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- trivy (cli)
- trivy (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.72.0
- Package-manager updated: 2026-06-30
- Local data: ok
- Upstream repository: https://github.com/aquasecurity/trivy
- Upstream latest detected: v0.72.0 (current)
## Project history and usage

Trivy is Aqua Security's open-source security scanner. It began public life in the container-image vulnerability scanning niche and is now documented as a comprehensive scanner for container images, filesystems, Git repositories, VM images, and Kubernetes.

### Project history

Aqua's official blog announced on August 19, 2019 that Trivy, described there as a popular open-source container image vulnerability scanner, had joined the Aqua open-source family. The current project README shows how the scope expanded: Trivy now has multiple target types and scanners, including vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and license scanning.

That expansion mirrors the wider cloud-native security shift from image scanning as a point task to supply-chain and runtime-adjacent checks in CI, repositories, Kubernetes clusters, and local filesystems. Trivy's own docs and README frame it as a single CLI front end for those related checks rather than a collection of separate tools.

### Adoption history

The official homepage calls Trivy the most popular open-source security scanner for vulnerability scanning, IaC, SBOM discovery, cloud scanning, and Kubernetes security. The README lists integrations with GitHub Actions, the Trivy Kubernetes operator, and a VS Code extension, while the installation docs distinguish official and community install channels.

Homebrew adoption fits the way Trivy is commonly used: installed as a local CLI for developers and CI authors, run in Docker for pipeline isolation, and embedded into GitHub Actions or Kubernetes workflows for continuous scanning. Its package-manager presence is not ornamental; the package is a common entry point for trying a scanner before wiring it into automation.

### How it is used

The README's general pattern is `trivy <target> [--scanners <scanner1,scanner2>] <subject>`. Examples include `trivy image python:3.4-alpine`, filesystem scans such as `trivy fs --scanners vuln,secret,misconfig myproject/`, and Kubernetes scans such as `trivy k8s --report summary cluster`.

In the package-nerd niche, Trivy is often used to inspect what a package, container image, repository, lockfile, or cluster would expose to a vulnerability database or policy scanner. The same executable can produce quick local answers and also serve as the scanner behind CI jobs, image-registry checks, and Kubernetes security reports.

### Why package nerds care

Trivy is significant because it connects package metadata to security outcomes. It reads OS packages and language dependencies, maps them to CVEs and other findings, and can emit SBOM-centered views. For people who track package ecosystems, it is both a user-facing CLI and a packaging/data-source stress test across distros, language lockfiles, images, and repositories.

It is also a good example of a security CLI becoming infrastructure: package managers install it, CI systems wrap it, Kubernetes operators schedule it, and downstream tools consume its reports. That makes its history more important than a normal formula entry.

### Timeline

- 2019-08-19: Aqua announced that Trivy had joined the Aqua open-source family.
- Current README: Trivy documents targets including container images, filesystems, Git repositories, VM images, and Kubernetes.
- Current README: Trivy documents scanners for vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and licenses.
- Current docs: Installation documentation covers official and community channels and points users to CI/CD, IDE, Kubernetes, and other integrations.

### Related projects

- Aqua Security, Trivy DB, Trivy Operator, trivy-action, Harbor scanner integrations, Kubernetes, SBOM tooling

### Sources

- <https://github.com/aquasecurity/trivy#readme>
- <https://trivy.dev/>
- <https://trivy.dev/docs/latest/getting-started/installation/>
- <https://www.aquasec.com/blog/trivy-vulnerability-scanner-joins-aqua-family/>


## Security Notes

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- broad file, network, media, or database tool signal
- escape, surveillance, or offensive capability signal
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: trivy.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** trivy
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - trivy: normalized package name match | nixpkgs package indexes: pkgs/by-name/tr/trivy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - trivy - 0.71.0-r0: normalized package name match | Alpine Linux edge package indexes: trivy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Simple and comprehensive vulnerability scanner for containers | https://github.com/aquasecurity/trivy
- dnf - trivy - 0.69.3-1.fc45: normalized package name match | Fedora Rawhide package metadata: trivy from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Vulnerability and license scanner | https://github.com/aquasecurity/trivy
- pacman - trivy - 0.71.1-1: normalized package name match | Arch Linux sync databases: trivy from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI | https://github.com/aquasecurity/trivy
- zypper - trivy - 0.71.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: trivy from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | A Simple and Comprehensive Vulnerability Scanner for Containers | https://github.com/aquasecurity/trivy
- MacPorts - trivy: normalized package name match | MacPorts ports tree: security/trivy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Chocolatey - trivy: normalized package name match | Chocolatey community package catalog: trivy from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','timberwinr'
- Scoop - main/trivy: normalized package name match | Scoop official bucket manifest trees: bucket/trivy.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - AquaSecurity.Trivy: normalized package name match | Windows Package Manager source index: AquaSecurity.Trivy from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Popular package that depends on this formula.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, sbom, security, vulnerability-scanner.
- [retire](https://www.automicvault.com/pkg/brew/retire/) - Shares av.db curated category or tags: cli, sbom, security, vulnerability-scanner.
- [bom](https://www.automicvault.com/pkg/brew/bom/) - Shares av.db curated category or tags: cli, sbom, security.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cli, sbom, security.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: cli, sbom, security.
- [cyclonedx-gomod](https://www.automicvault.com/pkg/brew/cyclonedx-gomod/) - Shares av.db curated category or tags: cli, sbom, security.
- [cyclonedx-python](https://www.automicvault.com/pkg/brew/cyclonedx-python/) - Shares av.db curated category or tags: cli, sbom, security.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, container, filesystem, images, scanner.

## Combined YAML source

View the package source record on GitHub. [combined/trivy.yml](https://github.com/automic-vault/db/blob/main/combined/trivy.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
