Trivy Standard
trivy fsscans dependencies and repository content.trivy configscans Terraform, Kubernetes, Helm-rendered manifests, Dockerfiles, and supported IaC/configuration.trivy imagescans the final runtime image.
Trivy Config replaces routine use of tfsec and Terrascan. Nexa does not introduce Checkov by default; it may be approved for a compliance requirement that Trivy cannot satisfy.
Native tools remain required: Terraform fmt/init/validate, TFLint, Helm lint/template, Kustomize build, and kubeconform. Trivy detects security misconfiguration; it does not prove syntax, provider resolution, or Kubernetes schema correctness.
Pin one approved Trivy version centrally and update through the nexa-ci release process.