
Trivy

NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Published: Nov 20, 2019
Last Updated: Oct 28, 2020
Oct 2020
Adopt

Build pipelines that create and deploy containers should include container security scanning. Our teams particularly like Trivy, a vulnerability scanner for containers. We've tried Clair and Anchore Engine among other good tools in this field. Unlike Clair, Trivy checks not only containers but also dependencies in the codebase. Also, because Trivy ships as a stand-alone binary, it's easier to set up and run the scan locally. Other benefits of Trivy are that it's open-source software and that it supports distroless containers.

Nov 2019
Trial

Build pipelines that create and deploy containers should include container security scanning. Our teams particularly like Trivy, a vulnerability scanner for containers, because it ships as a stand-alone binary and is therefore easier to set up than other tools. Other benefits of Trivy are that it's open-source software and that it supports distroless containers.