Skip to content

Trivy Standard

  • trivy fs scans dependencies and repository content.
  • trivy config scans Terraform, Kubernetes, Helm-rendered manifests, Dockerfiles, and supported IaC/configuration.
  • trivy image scans the final runtime image.

Trivy Config replaces routine use of tfsec and Terrascan. Nexa does not introduce Checkov by default; it may be approved for a compliance requirement that Trivy cannot satisfy.

Native tools remain required: Terraform fmt/init/validate, TFLint, Helm lint/template, Kustomize build, and kubeconform. Trivy detects security misconfiguration; it does not prove syntax, provider resolution, or Kubernetes schema correctness.

Pin one approved Trivy version centrally and update through the nexa-ci release process.