Automic VaultAutomic Vault

brew

使用 Homebrew, apk, chocolatey, dnf, MacPorts, Nix, pacman, zypper, scoop, winget 安装 trivy

查看 trivy 的安装路径、可执行文件、元数据以及面向 AI 代理工作流的安全说明。

安装

其他安装命令

macOS

Homebrew已验证 · 100%
brew install trivy

local Homebrew formula metadata

MacPorts已验证 · 94%
sudo port install trivy

MacPorts ports tree · security/trivy/Portfile · 来源: api.github.com

Linux

Alpine Linux apk已验证 · 92%
sudo apk add trivy

Alpine Linux edge package indexes · trivy · 来源: dl-cdn.alpinelinux.org

Fedora dnf已验证 · 92%
sudo dnf install trivy

Fedora Rawhide package metadata · trivy · 来源: dl.fedoraproject.org

Nix已验证 · 92%
nix profile install nixpkgs#trivy

nixpkgs package indexes · pkgs/by-name/tr/trivy/package.nix · 来源: api.github.com

Arch Linux pacman已验证 · 92%
sudo pacman -S trivy

Arch Linux sync databases · trivy · 来源: geo.mirror.pkgbuild.com

openSUSE zypper已验证 · 92%
sudo zypper install trivy

openSUSE Tumbleweed package metadata · trivy · 来源: download.opensuse.org

Windows

Chocolatey已验证 · 92%
choco install trivy

Chocolatey community package catalog · trivy · 来源: community.chocolatey.org

Scoop已验证 · 92%
scoop install main/trivy

Scoop official bucket manifest trees · bucket/trivy.json · 来源: api.github.com

Windows Package Manager已验证 · 92%
winget install --id AquaSecurity.Trivy -e

Windows Package Manager source index · AquaSecurity.Trivy · 来源: cdn.winget.microsoft.com

概览

软件包摘要

Vulnerability scanner for container images, file systems, and Git repos

命令和别名

  • trivy

历史

项目历史与用法

Trivy is Aqua Security's open-source security scanner. It began public life in the container-image vulnerability scanning niche and is now documented as a comprehensive scanner for container images, filesystems, Git repositories, VM images, and Kubernetes.

项目历史

Aqua's official blog announced on August 19, 2019 that Trivy, described there as a popular open-source container image vulnerability scanner, had joined the Aqua open-source family. The current project README shows how the scope expanded: Trivy now has multiple target types and scanners, including vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and license scanning.

That expansion mirrors the wider cloud-native security shift from image scanning as a point task to supply-chain and runtime-adjacent checks in CI, repositories, Kubernetes clusters, and local filesystems. Trivy's own docs and README frame it as a single CLI front end for those related checks rather than a collection of separate tools.

采用历史

The official homepage calls Trivy the most popular open-source security scanner for vulnerability scanning, IaC, SBOM discovery, cloud scanning, and Kubernetes security. The README lists integrations with GitHub Actions, the Trivy Kubernetes operator, and a VS Code extension, while the installation docs distinguish official and community install channels.

Homebrew adoption fits the way Trivy is commonly used: installed as a local CLI for developers and CI authors, run in Docker for pipeline isolation, and embedded into GitHub Actions or Kubernetes workflows for continuous scanning. Its package-manager presence is not ornamental; the package is a common entry point for trying a scanner before wiring it into automation.

使用方式

The README's general pattern is `trivy <target> [--scanners <scanner1,scanner2>] <subject>`. Examples include `trivy image python:3.4-alpine`, filesystem scans such as `trivy fs --scanners vuln,secret,misconfig myproject/`, and Kubernetes scans such as `trivy k8s --report summary cluster`.

In the package-nerd niche, Trivy is often used to inspect what a package, container image, repository, lockfile, or cluster would expose to a vulnerability database or policy scanner. The same executable can produce quick local answers and also serve as the scanner behind CI jobs, image-registry checks, and Kubernetes security reports.

为什么软件包爱好者会关心

Trivy is significant because it connects package metadata to security outcomes. It reads OS packages and language dependencies, maps them to CVEs and other findings, and can emit SBOM-centered views. For people who track package ecosystems, it is both a user-facing CLI and a packaging/data-source stress test across distros, language lockfiles, images, and repositories.

It is also a good example of a security CLI becoming infrastructure: package managers install it, CI systems wrap it, Kubernetes operators schedule it, and downstream tools consume its reports. That makes its history more important than a normal formula entry.

时间线

  • 2019-08-19: Aqua announced that Trivy had joined the Aqua open-source family.
  • Current README: Trivy documents targets including container images, filesystems, Git repositories, VM images, and Kubernetes.
  • Current README: Trivy documents scanners for vulnerabilities, SBOM/package inventory, IaC misconfiguration, secrets, and licenses.
  • Current docs: Installation documentation covers official and community channels and points users to CI/CD, IDE, Kubernetes, and other integrations.

Related projects

  • Aqua Security, Trivy DB, Trivy Operator, trivy-action, Harbor scanner integrations, Kubernetes, SBOM tooling

安全态势

风险级别:red

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

风险分类器

red 风险 · 中 置信度 · escape-surveillance-offensive

原因

  • broad file, network, media, or database tool signal
  • escape, surveillance, or offensive capability signal
  • infrastructure mutation or orchestration signal

信号

  • text:container
  • text:image
  • text:vulnerability scanner

安装行为

  • formula 元数据中未记录 Homebrew post-install 钩子。
  • Homebrew bottle 元数据适用于 6 个平台目标。
  • 构建元数据列出 1 个构建依赖。

建议审查

在无人值守的代理使用前,请检查该工具是否读取明文凭据、写入远程状态、发布制品或调用插件。

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
trivy.yaml

可执行文件

已安装的可执行文件

命令类型暴露范围备注
trivycli全局可执行文件

新鲜度

版本和新鲜度

这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。

页面生成时间2026-07-10
管理器版本0.72.0
管理器更新时间2026-06-30
本地数据OK
上游当前
检测到的最新版本v0.72.0

https://github.com/aquasecurity/trivy

  • OK没有生成新鲜度警告。

安装元数据

软件包元数据

软件包键brew:trivy
版本0.72.0
软件包管理器Homebrew
软件包管理器页面https://formulae.brew.sh/formula/trivy
主页https://trivy.dev/
仓库https://github.com/aquasecurity/trivy
上游文档https://trivy.dev/latest
许可证Apache-2.0
源码归档https://github.com/aquasecurity/trivy/archive/refs/tags/v0.72.0.tar.gz
最后更新2026-06-30T10:15:59Z
Pulseupdated
构建依赖go
Bottle可用 (于 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-install未定义
服务未声明

注册表事实

源数据库详情

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nametrivy
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

源数据库匹配

其他软件包管理器记录

匹配项来自外部软件包管理器索引,并与本地 Automic Vault 软件包链接分开显示。

Nix95%

trivy

nix profile install nixpkgs#trivy
  • normalized package name match
  • 匹配方式:Trivy
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/tr/trivy/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

trivy 0.71.0-r0

Simple and comprehensive vulnerability scanner for containers

https://github.com/aquasecurity/trivy

sudo apk add trivy
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: trivy
  • 1 依赖
  • 1 提供
  • normalized package name match
  • 匹配方式:Trivy
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: trivy from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
dnf95%

trivy 0.69.3-1.fc45

Vulnerability and license scanner

https://github.com/aquasecurity/trivy

sudo dnf install trivy
  • License: Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause-Views AND BSD-3-Clause AND BSL-1.0 AND ISC AND LicenseRef-Fedora-Public-Domain AND MIT AND MIT-0 AND MPL-2.0 AND
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: trivy
  • 3 依赖
  • 2 提供
  • normalized package name match
  • 匹配方式:Trivy
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: trivy from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

trivy 0.71.1-1

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

https://github.com/aquasecurity/trivy

sudo pacman -S trivy
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 依赖
  • 1 提供
  • 1 可选依赖
  • normalized package name match
  • 匹配方式:Trivy
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: trivy from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

trivy 0.71.0-1.1

A Simple and Comprehensive Vulnerability Scanner for Containers

https://github.com/aquasecurity/trivy

sudo zypper install trivy
  • License: Apache-2.0
  • Category: System/Management
  • Architecture: x86_64
  • Source Package: trivy
  • 3 依赖
  • 1 提供
  • normalized package name match
  • 匹配方式:Trivy
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: trivy from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

trivy

sudo port install trivy
  • normalized package name match
  • 匹配方式:Trivy
MacPorts ports tree · api.github.com · MacPorts ports tree: security/trivy/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Chocolatey95%

trivy

choco install trivy
  • normalized package name match
  • 匹配方式:Trivy
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: trivy from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','timberwinr'
Scoop95%

main/trivy

scoop install main/trivy
  • normalized package name match
  • 匹配方式:Trivy
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/trivy.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

AquaSecurity.Trivy

winget install --id AquaSecurity.Trivy -e
  • normalized package name match
  • 匹配方式:Trivy
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: AquaSecurity.Trivy from https://cdn.winget.microsoft.com/cache/source.msix

来源线索

由仓库数据生成

此页面由 av-webscripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。

使用的来源

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment