Trivy Server
Vulnerability scanner server for containers and code.
Overview
Trivy is an open-source vulnerability scanner developed by Aqua Security that detects security issues in container images, filesystems, Git repositories, and Kubernetes clusters. Originally released in 2019, Trivy has become one of the most popular security scanning tools in the container ecosystem due to its comprehensive vulnerability database, fast scanning speeds, and zero-configuration approach. It supports multiple programming languages and package managers, making it versatile for diverse development environments.

This Docker Compose setup deploys Trivy in server mode, creating a centralized vulnerability scanning service that multiple clients can connect to remotely. The server configuration eliminates the need for each client to download and maintain its own vulnerability database, significantly reducing bandwidth usage and improving scan performance across teams. The persistent cache volume ensures that vulnerability database updates are retained between container restarts, so the server does not re-download the database every time it starts.

Security teams, DevOps engineers, and development organizations benefit from this centralized approach because it provides consistent vulnerability scanning across CI/CD pipelines, development environments, and production systems. Server mode is particularly valuable for organizations with multiple scanning clients, air-gapped environments, or those looking to implement security scanning at scale without duplicating database downloads across every scanning instance.
Key Features
- Multi-format vulnerability detection supporting OS packages, language-specific dependencies, and Infrastructure as Code misconfigurations
- Centralized vulnerability database management with automatic updates from multiple security advisory sources
- RESTful API server enabling remote scanning operations from distributed clients
- Support for SBOM (Software Bill of Materials) generation in CycloneDX and SPDX formats
- Integration with CI/CD pipelines through configurable exit codes for vulnerability thresholds
- Multiple output formats including JSON, SARIF, and table formats for different automation needs
- Offline scanning capabilities with cached vulnerability databases for air-gapped environments
- Kubernetes manifest and Helm chart security scanning for cloud-native deployments
Common Use Cases
- Centralized container image scanning for organizations with multiple development teams and CI/CD pipelines
- Security compliance auditing in enterprise environments requiring consistent vulnerability assessment across projects
- DevSecOps implementations where security scanning needs to be integrated into automated deployment workflows
- Air-gapped or restricted network environments where centralized vulnerability database management is essential
- Software supply chain security monitoring for organizations tracking third-party dependencies and licenses
- Container registry integration for automated vulnerability scanning of newly pushed images
- Kubernetes cluster security assessment combining image scanning with configuration validation
Prerequisites
- Docker Engine 20.10 or higher with Docker Compose v2 support
- Minimum 2GB RAM allocated to Docker for vulnerability database caching and scanning operations
- Available port 4954 for Trivy server API access and client connections
- Internet connectivity for initial vulnerability database download (approximately 200MB)
- Basic understanding of container security concepts and vulnerability assessment workflows
- Trivy client installation on systems that will perform remote scanning operations
docker-compose.yml
services:
  trivy:
    image: aquasec/trivy:latest
    container_name: trivy
    command: server --listen 0.0.0.0:4954
    restart: unless-stopped
    ports:
      - "4954:4954"
    volumes:
      - trivy_cache:/root/.cache/trivy

volumes:
  trivy_cache:
.env Template
.env
# Configure client: trivy client --remote http://localhost:4954
Usage Notes
- Docs: https://aquasecurity.github.io/trivy/
- Scan via client: trivy client --remote http://localhost:4954 image nginx:latest
- Scan types: image, filesystem, repo, config, kubernetes
- Server mode shares the vulnerability DB cache across multiple clients
- Output formats: table, json, sarif, cyclonedx, spdx for SBOM
- CI/CD: --exit-code 1 to fail the build when vulnerabilities are found
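The usage notes above cover the three things a pipeline has to do with this server: wait until it has its database, scan through it with json output, and turn the findings into a pass/fail decision. The script below is an added example, not part of this recipe or of Trivy itself: it assumes a trivy binary on PATH, that the server answers a /healthz endpoint once ready, and feeds a constructed report (placeholder CVE ids) through a severity gate that is a finer-grained version of the page's --exit-code 1.

```python
import json
import subprocess
import urllib.request
from collections import Counter

SERVER = "http://localhost:4954"      # the port published by the compose file
FAIL_ON = ("CRITICAL", "HIGH")        # severities that fail the build

def server_ready(server=SERVER, timeout=3):
    """True once the server answers /healthz (assumption: Trivy server exposes
    it; it answers only after the initial DB download, see Troubleshooting)."""
    try:
        with urllib.request.urlopen(f"{server}/healthz", timeout=timeout) as r:
            return r.status == 200
    except OSError:
        return False

def scan_via_server(image, server=SERVER):
    """Scan through the server and parse the JSON report. `trivy client --remote`
    is this page's spelling; newer releases use `trivy image --server URL`."""
    proc = subprocess.run(
        ["trivy", "client", "--remote", server, "--format", "json", image],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def gate(report, fail_on=FAIL_ON, fixable_only=True):
    """Per-severity version of --exit-code 1: returns (exit_code, counts,
    blocking). With fixable_only, a finding without FixedVersion is counted
    but does not fail the build, since nothing can be upgraded yet."""
    counts, blocking = Counter(), []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key absent when clean
            counts[v["Severity"]] += 1
            if v["Severity"] in fail_on and (v.get("FixedVersion") or not fixable_only):
                blocking.append((result["Target"], v["PkgName"], v["VulnerabilityID"]))
    return (1 if blocking else 0), dict(counts), blocking

# Constructed sample in the shape of a Trivy JSON report (SchemaVersion 2);
# the CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "nginx:latest", "ArtifactType": "container_image",
    "Results": [
        {"Target": "nginx:latest (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "baselib",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"}]},
        {"Target": "usr/share/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"}]}
```

In a pipeline, poll `server_ready()` before calling `gate(scan_via_server("nginx:latest"))` and exit with the returned code; `gate(SAMPLE_REPORT)` shows the decision offline.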
Quick Start
terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  trivy:
    image: aquasec/trivy:latest
    container_name: trivy
    command: server --listen 0.0.0.0:4954
    restart: unless-stopped
    ports:
      - "4954:4954"
    volumes:
      - trivy_cache:/root/.cache/trivy

volumes:
  trivy_cache:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Configure client: trivy client --remote http://localhost:4954
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
One-Liner
Run this command to download and set up the recipe in one step:
terminal
curl -fsSL https://docker.recipes/api/recipes/trivy-server/run | bash
Troubleshooting
- Database download timeout errors: Increase the container's memory limits and ensure a stable internet connection during initial startup
- Client connection refused on port 4954: Verify that firewall rules allow inbound connections and that the container has fully started with the database loaded
- Scan failures with 'database not ready' message: Wait for initial vulnerability database download to complete before attempting scans
- Out of disk space errors: Monitor trivy_cache volume usage as vulnerability databases can grow to several gigabytes over time
- Slow scan performance: Ensure trivy_cache volume is using fast storage and consider increasing container CPU allocation for large image scans