84/100
Trivy is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
Structured output 88/100
Supports machine-readable scan output suitable for agent summaries and CI reports.
Non-interactive use 88/100
Can run in shell, CI, or agent sessions without prompts for common scanning tasks.
Safety boundaries 76/100
Scanning is generally safe, but remediation, ignore rules, and policy changes require review.
Agent docs 82/100
Help output and documented examples are sufficient for building AGENTS.md command rules.
Installation
Homebrew
$ brew install trivy
Docker
$ docker run --rm -v "$PWD:/project" aquasec/trivy fs /project
Common commands
Scan filesystem · Safe
$ trivy fs --format json --output trivy.json .
Scans dependencies and IaC files and writes JSON output.
Scan container image · Safe
$ trivy image --format json --output image-scan.json node:22
Scans a container image for vulnerabilities.
Apply remediation · Requires approval
$ npm update && npm audit fix
Remediation changes dependencies and should require review.
Agent usage example
Claude Code / Codex CLI
Use Trivy to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.
Safety notes
- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
Agent workflow
Run Trivy to generate a report before any dependency or container change. Have the agent rank the findings by severity, package name, fixed version, and the risk of applying an automatic fix.
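An added example (not Trivy's own code) of the report-first step above: it reads the JSON that `trivy fs --format json` writes, flattens the findings, sorts them by severity, package name and fixed version, and marks which ones have an upgrade the agent can propose for approval. The report is a constructed sample with placeholder IDs; the function names `triage` and `summary_lines` are chosen here.

```python
"""Triage a Trivy JSON report (Results[].Vulnerabilities[]) for an agent summary.
Added example, not Trivy project code; the report is a constructed sample."""
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in the shape `trivy fs --format json` writes (IDs and versions are placeholders).
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "Severity": "HIGH",
         "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "Severity": "CRITICAL",
         "InstalledVersion": "1.2.5", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "ansi-regex", "Severity": "LOW",
         "InstalledVersion": "5.0.0", "FixedVersion": "5.0.1"}]},
    {"Target": "Dockerfile", "Type": "dockerfile", "Vulnerabilities": []}]})


def triage(report_text: str) -> list[dict]:
    """Flatten the report and sort by severity, package name, then fixed version.

    `action` is "propose-upgrade" when Trivy reports a FixedVersion (the agent
    may suggest it; a human applies it) and "no-fix-available" otherwise.
    Nothing here mutates the project or suppresses findings.
    """
    findings = []
    for result in json.loads(report_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key may be absent or null
            fixed = v.get("FixedVersion") or ""
            findings.append({
                "id": v["VulnerabilityID"], "target": result["Target"],
                "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                "fixed": fixed, "severity": v.get("Severity", "UNKNOWN"),
                "action": "propose-upgrade" if fixed else "no-fix-available",
            })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["pkg"], f["fixed"]))
    return findings


def summary_lines(findings: list[dict]) -> list[str]:
    """One citeable line per finding, so a summary quotes exact IDs and versions."""
    return [f"{f['severity']} {f['id']} {f['pkg']} {f['installed']} -> "
            f"{f['fixed'] or 'n/a'} ({f['target']}) [{f['action']}]" for f in findings]


if __name__ == "__main__":
    print("\n".join(summary_lines(triage(SAMPLE_REPORT))))
```

Point `triage` at the contents of the `trivy.json` written by the scan command above to use it on a real report.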
Approval boundary
Dependency upgrades, image rebuilds, and policy changes may only be proposed, never executed automatically.