Integrate Trivy with Vulnetix. Scan containers, filesystems, git repos, and infrastructure code for vulnerabilities, misconfigurations, secrets, and licenses.
Install & scan
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin $ trivy fs . --format sarif --output trivy.sarif
Run Trivy in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Run Trivy
run: trivy fs . --severity CRITICAL,HIGH --format sarif --output trivy.sarif
- name: Upload to Vulnetix
run: vulnetix upload --file trivy.sarif
How Vulnetix compares — better together
Vulnetix does not replace Trivy. Keep running it. Vulnetix sits on top of Trivy — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Trivy is strongest at its core category and also carries features in SCA, IaC & Cloud Configuration, Secret Scanning, License Compliance, SBOM Generation, Cloud Security & CSPM — just like Vulnetix spans categories.
| Capability | Vulnetix | Trivy |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✓ CVEs in OS packages and language dependencies (many ecosystems) |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✓ Core: scans OS layers + app deps in container/OCI images |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✓ Misconfig checks for Terraform, CloudFormation, Dockerfile, K8s |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ Built-in secret/credential scanning of filesystems and images |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ~ K8s cluster scanning core; live AWS account scan now a separate trivy-aws plugin (deprecated from core) |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ~ License detection for packages and files |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✓ Generates + scans CycloneDX and SPDX SBOMs |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ~ Consumes VEX documents to filter results; does not mint versioned VEX |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Trivy does well
- Free, open-source single binary that scans images, filesystems, git repos, K8s clusters and IaC with one command — a dominant CI/CD default
- Broad OS + language-dependency vuln coverage across many distros and ecosystems, fast and offline-capable
- Generates and scans CycloneDX and SPDX SBOMs, and can consume VEX documents to filter noise
- All-in-one target coverage: vulns, IaC misconfig, secrets and license checks in the same tool
Where Vulnetix adds to it: Trivy is the open-source scanner; Vulnetix ingests its output and layers on cross-scanner dedup into one prioritised queue, exploit-intel scoring (EPSS/KEV/LEV), reachability, immutable versioned VEX + audit, and Safe Harbour autofix — capabilities Trivy leaves to the platform above it.
No migration, no rip-and-replace. Trivy keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Trivy results in Vulnetix
Upload Trivy SARIF, CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.