🔎 Vulnerability scanners
Trivy
Container, filesystem, and IaC vulnerability scanner from Aqua Security.
Why use it
Trivy is the de-facto standard for scanning container images, filesystems, and infrastructure-as-code for known vulnerabilities. Single binary, fast, and accurate — drop it in a CI pipeline or run on demand.
What you get
- Container image vulnerability scanning (CVEs)
- Filesystem scans for installed packages
- IaC scans for Terraform, CloudFormation, Kubernetes manifests
- Secret scanning (hardcoded credentials)
- SBOM generation in SPDX or CycloneDX
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 1 core |
| RAM | 1 GB |
| Disk | 500 MB |
| OS | Linux, macOS, Windows |
| Docker | Yes |
Installation
On most Linux distros: sudo apt install trivy (after adding Aqua's apt repository) or use the official install script. macOS: brew install trivy. Then scan an image: trivy image alpine:latest, a directory: trivy fs /path, or a Terraform configuration directory: trivy config ./terraform/.
Suggested configuration
Add Trivy to your container build pipeline as a quality gate — fail on Critical or High findings. For homelab Kubernetes, run trivy k8s --report summary cluster to scan everything in your cluster at once. Cache the vulnerability DB locally to avoid re-downloading on every run.
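Trivy can enforce that gate on its own with --severity HIGH,CRITICAL --exit-code 1, but if you already emit --format json to forward to Wazuh, a small script can gate on the same report and keep secrets findings in scope. The script below is an added example, not Trivy's or Cyentrix's own code; it assumes the Results/Vulnerabilities/Secrets layout of Trivy's JSON report and runs against a constructed sample with placeholder CVE ids.

```python
import json
import sys

# Severities that block the pipeline, in Trivy's own spelling.
GATE_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of Trivy's JSON report; package names, versions
# and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {"Target": "example/app:1.0 (alpine 3.18.4)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH",
              "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "CRITICAL",
              "InstalledVersion": "2.3"},  # no FixedVersion: nothing to upgrade to yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor", "Severity": "LOW",
              "InstalledVersion": "0.9", "FixedVersion": "1.0"}]},
        {"Target": "app/.env",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
                      "Title": "AWS Access Key ID"}]},
        {"Target": "app/package.json"},  # scanned clean: Trivy omits the findings keys
    ]})


def gate(report_json, ignore_unfixed=False):
    """Return (passed, blocking): blocking lists every finding at or above the gate.
    ignore_unfixed mirrors Trivy's --ignore-unfixed (skip CVEs with no FixedVersion);
    secrets are never skipped, since they are fixed by rotating, not upgrading."""
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in GATE_SEVERITIES:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append(f"{target}: {vuln['VulnerabilityID']} ({vuln['Severity']}) "
                            f"{vuln['PkgName']} {vuln['InstalledVersion']}")
        for secret in result.get("Secrets") or []:
            if secret.get("Severity") in GATE_SEVERITIES:
                blocking.append(f"{target}: secret {secret['RuleID']} ({secret['Severity']})")
    return (not blocking, blocking)


if __name__ == "__main__":
    # In CI: trivy image --format json -o report.json IMAGE && python gate.py report.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking = gate(data)
    print("\n".join(blocking) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

Run without arguments it gates the embedded sample and exits 1; pass the path of a real report.json to gate a build.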
Integration ideas
- Run in GitHub Actions / GitLab CI on every PR
- Forward JSON output to Wazuh for centralised view
- Combine with Falco for runtime + image-time coverage
Alternatives
- Grype — Anchore's alternative; similar feature set.
- Snyk Open Source CLI — Free tier, requires account.
Cyentrix verdict
Mandatory if you run any containers at home. The IaC and secret scans alone make it worth installing on every homelab admin workstation.