Tool integration

Trivy Integration Guide

Comprehensive scanner for containers, filesystems, and IaC

Get a Free API Key

Integrate Trivy with Vulnetix. Scan containers, filesystems, git repos, and infrastructure code for vulnerabilities, misconfigurations, secrets, and licenses.

CLI toolSARIFCycloneDXSPDX

Install & scan

$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
$ trivy fs . --format sarif --output trivy.sarif

Run Trivy in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Trivy
  run: |
    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Run Trivy
  run: trivy fs . --severity CRITICAL,HIGH --format sarif --output trivy.sarif
- name: Upload to Vulnetix
  run: vulnetix upload --file trivy.sarif

How Vulnetix compares — better together

Vulnetix does not replace Trivy. Keep running it. Vulnetix sits on top of Trivy — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Trivy is strongest at its core category and also carries features in SCA, IaC & Cloud Configuration, Secret Scanning, License Compliance, SBOM Generation, Cloud Security & CSPM — just like Vulnetix spans categories.

CapabilityVulnetixTrivy
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graphCVEs in OS packages and language dependencies (many ecosystems)
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, DockerfileCore: scans OS layers + app deps in container/OCI images
IaC / misconfigurationTerraform, k8s, CloudFormationMisconfig checks for Terraform, CloudFormation, Dockerfile, K8s
Secret scanning1,000+ rules, source + binary + git historyBuilt-in secret/credential scanning of filesystems and images
Cloud / CSPMCloud-posture findings, compliance tab~ K8s cluster scanning core; live AWS account scan now a separate trivy-aws plugin (deprecated from core)
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy~ License detection for packages and files
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableGenerates + scans CycloneDX and SPDX SBOMs
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable~ Consumes VEX documents to filter results; does not mint versioned VEX
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Trivy does well

Where Vulnetix adds to it: Trivy is the open-source scanner; Vulnetix ingests its output and layers on cross-scanner dedup into one prioritised queue, exploit-intel scoring (EPSS/KEV/LEV), reachability, immutable versioned VEX + audit, and Safe Harbour autofix — capabilities Trivy leaves to the platform above it.

No migration, no rip-and-replace. Trivy keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Trivy results in Vulnetix

Upload Trivy SARIF, CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Trivy documentation ↗  ·  Source repository ↗

Wire Trivy into your CI/CD pipeline →