# Trivy for dependency, container, IaC, and SBOM scanning
Scan code, containers, dependencies, Kubernetes manifests, and SBOMs with machine-readable reports.
Agent Readiness Score: 84/100
Trivy is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
## Install

- Homebrew: `brew install trivy`
- Docker: `docker run --rm -v "$PWD:/project" aquasec/trivy fs /project`

## Structured output

Supported output formats: json, sarif, table.
Prefer a structured output flag such as `--format json` or `--format sarif` (or `--json` where available) over the default table output, so findings can be cited by ID rather than paraphrased.

## Safe commands

- Scan filesystem: `trivy fs --format json --output trivy.json .` — Scans dependencies and IaC files and writes JSON output.
- Scan container image: `trivy image --format json --output image-scan.json node:22` — Scans a container image for vulnerabilities.

## Commands requiring approval

- Apply remediation: `npm update && npm audit fix` — requires review; this rewrites dependency manifests and lockfiles, so run it only with explicit user approval.

## Agent instructions

- Claude Code / Codex CLI: Use Trivy to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
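As an added example (not part of this page or of the Trivy project), the following script shows the report-first step the safe commands and safety notes describe: it parses a `trivy fs --format json` report, flattens vulnerabilities and failed misconfigurations into citeable findings, and separates out the ones with a known fix so an agent can present that list for approval instead of remediating. The sample report is constructed, its field names follow Trivy's JSON schema as assumed here, and its IDs are placeholders.

```python
import json
from collections import Counter

# Constructed sample shaped like a `trivy fs --format json` report. The field
# names (Results[].Vulnerabilities[], Results[].Misconfigurations[]) follow
# Trivy's JSON schema as assumed here; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": ".", "Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
         "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
        {"ID": "DS-PLACEHOLDER", "Severity": "MEDIUM", "Status": "FAIL",
         "Resolution": "placeholder resolution"},
        {"ID": "DS-PASSED", "Severity": "LOW", "Status": "PASS"}]}]})

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def summarize(report_text: str) -> dict:
    """Flatten a Trivy JSON report into citeable findings, severity counts and
    the subset that has a known fix (the list to present for approval)."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append({"target": target, "id": v["VulnerabilityID"],
                             "severity": v.get("Severity", "UNKNOWN"),
                             "package": f'{v.get("PkgName")}@{v.get("InstalledVersion")}',
                             "fix": v.get("FixedVersion") or None})
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # PASS/EXCEPTION entries are not findings
            findings.append({"target": target, "id": m["ID"],
                             "severity": m.get("Severity", "UNKNOWN"),
                             "package": None, "fix": m.get("Resolution") or None})
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    findings.sort(key=lambda f: rank.get(f["severity"], len(SEVERITY_ORDER)))
    return {"findings": findings,
            "counts": dict(Counter(f["severity"] for f in findings)),
            "fixable": [f["id"] for f in findings if f["fix"]]}

if __name__ == "__main__":
    for f in summarize(SAMPLE_REPORT)["findings"]:
        print(f'{f["severity"]:8} {f["id"]:16} {f["target"]:20} fix={f["fix"]}')
```

Point it at a real report with `summarize(open("trivy.json").read())`; the `fixable` list is what to hand back for approval before any `npm update` or ignore-file change.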

## Metadata

Official URL: https://trivy.dev/
GitHub: https://github.com/aquasecurity/trivy
Docs: https://trivy.dev/
