Trivy Integration
Pixee integrates with Trivy to triage its findings and deliver remediation as pull requests. Trivy's breadth (container images, dependencies, IaC, secrets) produces high-volume output: a single container base image can carry hundreds of known CVEs, most of which are not exploitable in your application's context. Pixee's exploitability analysis classifies each finding so teams can focus on what is actually reachable and fixable. Trivy continues scanning as configured; Pixee adds the triage and fix layer that Trivy itself does not provide.
Trivy is Aqua Security's open-source scanner, widely adopted in cloud-native and DevSecOps environments.
What Trivy Detects
- Container image vulnerabilities — OS packages and application dependencies
- SCA — open-source dependency vulnerabilities
- Infrastructure as Code (IaC) misconfigurations — Terraform, CloudFormation, Kubernetes manifests, Dockerfiles
- Secret detection — hardcoded credentials, API keys
- License compliance issues
- SBOM generation — CycloneDX and SPDX formats
Trivy produces SARIF output natively, making it highly interoperable with downstream tools.
How Pixee Enhances Trivy
Triage
Trivy's breadth is its strength and its challenge. Container image scans can surface hundreds of CVEs in OS packages, most of which are not exploitable in the application's context. Pixee's triage pipeline classifies each finding by exploitability and actionability, separating real threats from noise. For code-level findings and IaC misconfigurations, the triage engine investigates the actual codebase to determine whether the finding represents a real risk. For dependency vulnerabilities found in container image scans, Pixee can generate dependency update fixes where the dependency is managed in your source code.
Remediation
Trivy identifies vulnerabilities but does not generate code fixes. Pixee delivers fixes as pull requests — updating dependency versions, fixing IaC misconfigurations, and remediating code-level findings using both deterministic codemods and AI-powered generation.
For the full list of vulnerability types Pixee triages and fixes, see What Pixee Fixes.
Setup
- Install Pixee for your platform — see Connect Source Control for GitHub, GitLab, Azure DevOps, and Bitbucket.
- Configure Trivy to output SARIF — add `--format sarif` to your Trivy command or CI pipeline step.
- Upload SARIF to Pixee — configure SARIF upload in your CI pipeline or use the Pixee integration endpoint.
- Review and merge — Pixee triages findings and opens PRs for remediable issues.
Prerequisites: Trivy installed in your CI pipeline or locally, and the Pixee platform integration configured.
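The SARIF hand-off between the scan step and the upload step is where integration problems usually surface: an empty run, a report produced by a different tool, or a volume of findings nobody expected. The following is an added example, not Pixee's or Trivy's own code, that checks a Trivy SARIF report before it is uploaded and summarizes its findings by severity and by artifact. It assumes the layout Trivy emits with `--format sarif` (one run whose driver is named Trivy, rules carrying a `security-severity` property, results referencing rules by `ruleId`); the embedded report is constructed with placeholder rule IDs rather than real CVEs, and the severity thresholds are the common CVSS-style cut-offs, not anything Pixee documents.

```python
"""Sanity-check a Trivy SARIF report before handing it to a triage tool.

Added example (not Pixee's or Trivy's code). Assumes Trivy's SARIF layout:
one run, tool.driver.name == "Trivy", rules with a "security-severity"
property, results that reference rules by ruleId.
"""
import json
from collections import Counter

SARIF_VERSION = "2.1.0"

# Constructed sample imitating `trivy image --format sarif` output.
# Rule IDs are placeholders, not real CVEs or Trivy check IDs.
SAMPLE_SARIF_TEXT = json.dumps({
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {
            "name": "Trivy",
            "rules": [
                {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
                {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}},
                {"id": "DS-EXAMPLE", "properties": {"security-severity": "7.5"}},
            ],
        }},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "placeholder: vulnerable OS package"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example:1.0 (alpine 3.18)"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "placeholder: vulnerable OS package"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "example:1.0 (alpine 3.18)"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "placeholder: vulnerable library"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/requirements.txt"}}}]},
            {"ruleId": "DS-EXAMPLE", "level": "error",
             "message": {"text": "placeholder: Dockerfile misconfiguration"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}}}]},
        ],
    }],
})


def validate_trivy_sarif(sarif: dict) -> list:
    """Return a list of problems; an empty list means the report looks like Trivy SARIF."""
    problems = []
    if sarif.get("version") != SARIF_VERSION:
        problems.append(f"expected SARIF {SARIF_VERSION}, got {sarif.get('version')!r}")
    runs = sarif.get("runs") or []
    if not runs:
        problems.append("no runs in report")
        return problems
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if driver.get("name") != "Trivy":
            problems.append(f"run {i}: driver is {driver.get('name')!r}, not Trivy")
        rule_ids = {r.get("id") for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            # A result whose rule is missing cannot be scored; one without a
            # location cannot be mapped to a file or image layer downstream.
            if res.get("ruleId") not in rule_ids:
                problems.append(f"run {i} result {j}: unknown ruleId {res.get('ruleId')!r}")
            if not res.get("locations"):
                problems.append(f"run {i} result {j}: no location, cannot map to a file")
    return problems


def severity_bucket(score: float) -> str:
    """CVSS-style thresholds commonly applied to the security-severity property (assumed)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def summarize(sarif: dict) -> dict:
    """Count results by severity bucket and by affected artifact."""
    by_severity, by_artifact, rules_seen = Counter(), Counter(), set()
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0))
            by_severity[severity_bucket(score)] += 1
            rules_seen.add(res.get("ruleId"))
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "?")
                by_artifact[uri] += 1
    return {"results": sum(by_severity.values()), "unique_rules": len(rules_seen),
            "by_severity": dict(by_severity), "by_artifact": dict(by_artifact)}


def check_report(text: str) -> dict:
    """Parse a SARIF document and return validation problems plus a finding summary."""
    sarif = json.loads(text)
    return {"problems": validate_trivy_sarif(sarif), "summary": summarize(sarif)}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF_TEXT
    report = check_report(text)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["problems"] else 0)
```

Run it in the CI step between the scan and the upload (for example `python check_trivy_sarif.py trivy.sarif`, with the script name chosen here for illustration); a non-zero exit stops the pipeline before a malformed or empty report reaches Pixee, and the summary gives a first view of how much of the volume is critical or high before triage.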
See Integrations Overview for the full scanner coverage matrix.