Vulnerability Detection on Producthunt daily

trivy

Sun, 22 Mar 2026 15:42:57 +0800

aquasecurity/trivy

Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

Container Image
Filesystem
Git Repository (remote)
Virtual Machine Image
Kubernetes

Scanners (what Trivy can find there):

OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page.

To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Quick Start

Get Trivy

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:

brew install trivy
docker run aquasec/trivy
Download binary from https://github.com/aquasecurity/trivy/releases/latest/
See Installation for more

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:

Canary builds

There are canary builds (Docker Hub, GitHub, ECR images and binaries) generated with every push to the main branch.

Please be aware: canary builds might have critical bugs, so they are not recommended for use in production.

General usage

`1`	`trivy <target> [--scanners <scanner1,scanner2>] <subject>`

Examples:

`1`	`trivy image python:3.4-alpine`

Result

https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov

`1`	`trivy fs --scanners vuln,secret,misconfig myproject/`

Result

https://user-images.githubusercontent.com/1161307/171013917-b1f37810-f434-465c-b01a-22de036bd9b3.mov

`1`	`trivy k8s --report summary cluster`

Result

FAQ

How to pronounce the name “Trivy”?

tri is pronounced like trigger, vy is pronounced like envy.

Want more? Check out Aqua

If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users here. In addition check out the https://aquasec.com website for more information about our products and services. If you’d like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo

Community

Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here

Please ensure to abide by our Code of Conduct during all interactions.

strix

Wed, 12 Nov 2025 15:29:51 +0800

usestrix/strix

Strix

Open-source AI Hackers to secure your Apps

:star: Love Strix? Give us a star to help other developers discover it!

[!TIP] New! Strix now integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production!

[!WARNING] Only test systems you own or have permission to test. You are responsible for using Strix ethically and legally.

🦉 Strix Overview

Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.

Full hacker toolkit out of the box
Teams of agents that collaborate and scale
Real validation with PoCs, not false positives
Developer‑first CLI with actionable reports
Auto‑fix & reporting to accelerate remediation

🎯 Use Cases

Detect and validate critical vulnerabilities in your applications.
Get penetration tests done in hours, not weeks, with compliance reports.
Automate bug bounty research and generate PoCs for faster reporting.
Run tests in CI/CD to block vulnerabilities before reaching production.

🚀 Quick Start

Prerequisites:

Docker (running)
Python 3.12+
An LLM provider key (or a local LLM)

# Install
pipx install strix-agent

# Configure AI provider
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"

# Run security assessment
strix --target ./app-directory

First run pulls the sandbox Docker image. Results are saved under agent_runs/<run-name>.

🏆 Enterprise Platform

Want to skip the setup? Try our cloud-hosted version: usestrix.com

Our managed platform provides:

📈 Executive Dashboards
🧠 Custom Fine-Tuned Models
⚙️ CI/CD Integration
🔍 Large-Scale Scanning
🔌 Third-Party Integrations
🎯 Enterprise Support

Get Enterprise Demo →

✨ Features

🛠️ Agentic Security Tools

🔌 Full HTTP Proxy - Full request/response manipulation and analysis
🌐 Browser Automation - Multi-tab browser for testing of XSS, CSRF, auth flows
💻 Terminal Environments - Interactive shells for command execution and testing
🐍 Python Runtime - Custom exploit development and validation
🔍 Reconnaissance - Automated OSINT and attack surface mapping
📁 Code Analysis - Static and dynamic analysis capabilities
📝 Knowledge Management - Structured findings and attack documentation

🎯 Comprehensive Vulnerability Detection

Access Control - IDOR, privilege escalation, auth bypass
Injection Attacks - SQL, NoSQL, command injection
Server-Side - SSRF, XXE, deserialization flaws
Client-Side - XSS, prototype pollution, DOM vulnerabilities
Business Logic - Race conditions, workflow manipulation
Authentication - JWT vulnerabilities, session management
Infrastructure - Misconfigurations, exposed services

🕸️ Graph of Agents

Distributed Workflows - Specialized agents for different attacks and assets
Scalable Testing - Parallel execution for fast comprehensive coverage
Dynamic Coordination - Agents collaborate and share discoveries

💻 Usage Examples

Default Usage

# Local codebase analysis
strix --target ./app-directory

# Repository security review
strix --target https://github.com/org/repo

# Black-Box Web application assessment
strix --target https://your-app.com

# Grey-Box Security Assesment
strix --target https://your-app.com --instructions "Perform authenticated testing using the following credentials user:pass"

# Multi-target white-box testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com

# Focused testing with instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"

🤖 Headless Mode

Run Strix programmatically without interactive UI using the -n/--non-interactive flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.

`1`	`strix -n --target https://your-app.com`

🔄 CI/CD (GitHub Actions)

Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:

name: strix-penetration-test

on:
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Strix
        run: pipx install strix-agent

      - name: Run Strix
        env:
          STRIX_LLM: ${{ secrets.STRIX_LLM }}
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}

        run: strix -n -t ./

⚙️ Configuration

export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"

# Optional
export LLM_API_BASE="your-api-base-url"  # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key"  # for search capabilities

📚 View supported AI models

🤝 Contributing

We welcome contributions from the community! There are several ways to contribute:

Code Contributions

See our Contributing Guide for details on:

Setting up your development environment
Running tests and quality checks
Submitting pull requests
Code style guidelines

Prompt Modules Collection

Help expand our collection of specialized prompt modules for AI agents:

Advanced testing techniques for vulnerabilities, frameworks, and technologies
See Prompt Modules Documentation for guidelines
Submit via pull requests or issues

👥 Join Our Community

Have questions? Found a bug? Want to contribute? Join our Discord!

🌟 Support the Project

Love Strix? Give us a ⭐ on GitHub!

semgrep

Sat, 26 Jul 2025 15:29:32 +0800

semgrep/semgrep

Code scanning at ludicrous speed.

Semgrep is a fast, open-source, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards. Semgrep supports 30+ languages and can run in an IDE, as a pre-commit check, and as part of CI/CD workflows.

Semgrep is semantic grep for code. While running grep "2" would only match the exact string 2, Semgrep would match x = 1; y = x + 1 when searching for 2. Semgrep rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs.

Note that in security contexts, Semgrep Community Edition will miss many true positives as it can only analyze code within the boundaries of a single function or file. If you want to use Semgrep for security purposes (SAST, SCA, or secrets scanning), the Semgrep AppSec Platform is strongly recommended since it adds the following critical capabilities:

Improved core analysis capabilities (cross-file, cross-function, data-flow reachability) that greatly reduce false positives by 25% and increase detected true positives by 250%
Contextual post-processing of findings with Semgrep Assistant (AI) to further reduce noise by ~20%. In addition, Assistant enriches findings with tailored, step-by-step remediation guidance that humans find actionable >80% of the time.
Customizable policies and seamless integration into developer workflows, giving security teams granular control over where, when, and how different findings are presented to developers (IDE, PR comment, etc.)

The Semgrep AppSec Platform works out-of-the-box with 20000+ proprietary rules across SAST, SCA, and secrets. Pro rules are written and maintained by the Semgrep security research team and are highly accurate, meaning AppSec teams can feel confident bringing findings directly to developers without slowing them down.

Semgrep analyzes code locally on your computer or in your build environment: by default, code is never uploaded. Get started →.

Language support

Semgrep Code supports 30+ languages, including:

Apex · Bash · C · C++ · C# · Clojure · Dart · Dockerfile · Elixir · HTML · Go · Java · JavaScript · JSX · JSON · Julia · Jsonnet · Kotlin · Lisp · Lua · OCaml · PHP · Python · R · Ruby · Rust · Scala · Scheme · Solidity · Swift · Terraform · TypeScript · TSX · YAML · XML · Generic (ERB, Jinja, etc.)

Semgrep Supply Chain supports 12 languages across 15 package managers, including:

C# (NuGet) · Dart (Pub) · Go (Go modules, go mod) · Java (Gradle, Maven) · Javascript/Typescript (npm, Yarn, Yarn 2, Yarn 3, pnpm) · Kotlin (Gradle, Maven) · PHP (Composer) · Python (pip, pip-tool, Pipenv, Poetry) · Ruby (RubyGems) · Rust (Cargo) · Scala (Maven) · Swift (SwiftPM)

For more information, see Supported languages.

Getting started 🚀

For new users, we recommend starting with the Semgrep AppSec Platform because it provides a visual interface, a demo project, result triaging and exploration workflows, and makes setup in CI/CD fast. Scans are still local and code isn’t uploaded. Alternatively, you can also start with the CLI and navigate the terminal output to run one-off searches.

Option 1: Getting started from the Semgrep Appsec Platform (Recommended)

Register on semgrep.dev
Explore the demo findings to learn how Semgrep works
Scan your project by navigating to Projects > Scan New Project > Run scan in CI
Select your version control system and follow the onboarding steps to add your project. After this setup, Semgrep will scan your project after every pull request.
[Optional] If you want to run Semgrep locally, follow the steps in the CLI section.

Notes:

If there are any issues, please ask for help in the Semgrep Slack.

Option 2: Getting started from the CLI

Install Semgrep CLI

# For macOS
$ brew install semgrep

# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run -it -v "${PWD}:/src" semgrep/semgrep semgrep login
$ docker run -e SEMGREP_APP_TOKEN=<TOKEN> --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci

Run semgrep login to create your account and login to Semgrep.

Logging into Semgrep gets you access to:

Semgrep Supply Chain: A dependency scanner that detects reachable vulnerabilities in third party libraries
Semgrep Code’s Pro rules: 600+ high confidence rules written by Semgrep’s security research team
Semgrep Code’s Pro engine: An advanced code analysis engine, designed to detect complex vulnerabilities, and reduce false positives

Go to your app’s root directory and run semgrep ci. This will scan your project to check for vulnerabilities in your source code and its dependencies.
Try writing your own query interactively with -e. For example, a check for Python == where the left and right hand sides are the same (potentially a bug): $ semgrep -e '$X == $X' --lang=py path/to/src

Semgrep Ecosystem

The Semgrep ecosystem includes the following:

Semgrep Community Edition - The open-source program analysis engine at the heart of everything. Suitable for ad-hoc use cases with a high tolerance for false positives - think consultants, security auditors, or pentesters.
Semgrep AppSec Platform - Easily orchestrate and scale SAST, SCA, and Secrets scanning across an organization, with no risk of overwhelming developers. Customize which findings developers see, where they see them, and integrate with CI providers like GitHub, GitLab, CircleCI, and more. Includes both free and paid tiers.
- Semgrep Code (SAST) - Make real progress on your vulnerability backlog with SAST that minimizes noise and empowers developers to quickly fix issues on their own, even if they have no security knowledge. Easy to deploy secure guardrails and tailored, step-by-step remediation guidance mean developers actually fix issues since they don’t feel slowed down.
- Semgrep Supply Chain (SSC) - A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions.
- Semgrep Secrets (Secrets scanning) - Secrets detection that uses semantic analysis, improved entropy analysis, and validation to accurately surface sensitive credentials in the developer workflow.
- Semgrep Assistant (AI) - Assistant is an AI-powered AppSec engineer that helps both developers and AppSec teams prioritize, triage, and remediate Semgrep findings at scale. Humans agree with Assistant auto-triage decisions 97% of the time, and rate generated remediation guidance as helpful 80% of the time. For an overview of how Assistant works, read this overview.

Additional resources:

Semgrep Playground - An online interactive tool for writing and sharing rules.
Semgrep Registry - 2,000+ community-driven rules covering security, correctness, and dependency vulnerabilities.

Join hundreds of thousands of other developers and security engineers already using Semgrep at companies like GitLab, Dropbox, Slack, Figma, Shopify, HashiCorp, Snowflake, and Trail of Bits.

Semgrep is developed and commercially supported by Semgrep, Inc., a software security company.

Semgrep Rules

Semgrep rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. Here’s a quick rule for finding Python print() statements.

Run it online in Semgrep’s Playground by clicking here.

Examples

Visit Docs > Rule examples for use cases and ideas.

Use case	Semgrep rule
Ban dangerous APIs	Prevent use of exec
Search routes and authentication	Extract Spring routes
Enforce the use secure defaults	Securely set Flask cookies
Tainted data flowing into sinks	ExpressJS dataflow into sandbox.run
Enforce project best-practices	Use assertEqual for == checks, Always check subprocess calls
Codify project-specific knowledge	Verify transactions before making them
Audit security hotspots	Finding XSS in Apache Airflow, Hardcoded credentials
Audit configuration files	Find S3 ARN uses
Migrate from deprecated APIs	DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs
Apply automatic fixes	Use listenAndServeTLS

Extensions

Visit Docs > Extensions to learn about using Semgrep in your editor or pre-commit. When integrated into CI and configured to scan pull requests, Semgrep will only report issues introduced by that pull request; this lets you start using Semgrep without fixing or ignoring pre-existing issues!

Documentation

Browse the full Semgrep documentation on the website. If you’re new to Semgrep, check out Docs > Getting started or the interactive tutorial.

Metrics

Using remote configuration from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.

When using configs from local files (like --config=xyz.yml), metrics are sent only when the user is logged in.

To disable Registry rule metrics, use --metrics=off.

The Semgrep privacy policy describes the principles that guide data-collection decisions and the breakdown of the data that are and are not collected when the metrics are enabled.

Upgrading

To upgrade, run the command below associated with how you installed Semgrep:

# Using Homebrew
$ brew upgrade semgrep

# Using pip
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull semgrep/semgrep:latest

Vulnerability Detection on Producthunt daily

trivy

aquasecurity/trivy

Quick Start

Get Trivy

Canary builds

General usage

FAQ

How to pronounce the name “Trivy”?

Want more? Check out Aqua

Community

strix

usestrix/strix

Strix

Open-source AI Hackers to secure your Apps

🦉 Strix Overview

🎯 Use Cases

🚀 Quick Start

🏆 Enterprise Platform

✨ Features

🛠️ Agentic Security Tools

🎯 Comprehensive Vulnerability Detection

🕸️ Graph of Agents

💻 Usage Examples

Default Usage

🤖 Headless Mode

🔄 CI/CD (GitHub Actions)

⚙️ Configuration

🤝 Contributing

Code Contributions

Prompt Modules Collection

👥 Join Our Community

🌟 Support the Project

semgrep

semgrep/semgrep

Code scanning at ludicrous speed.

Language support

Getting started 🚀

Option 1: Getting started from the Semgrep Appsec Platform (Recommended)

Notes:

Option 2: Getting started from the CLI

Semgrep Ecosystem

Semgrep Rules

Examples

Extensions

Documentation

Metrics

More

Upgrading