// scanner: trivy
Trivy pricing 2026: free Apache 2.0, CI/CD minutes are the only cost
De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.
author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer
What does Trivy cost in 2026?
Free (Apache 2.0). CI/CD scan minutes are the marginal cost.. De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.
Pricing snapshot
- Trivy CLI / Trivy OperatorFree, Apache 2.0
- Aqua Trivy Premium (managed)Quote-only via Aqua Security
- Aqua CSPM / Aqua EnterpriseQuote-only platform tiers
What scales, what does not
- Scans container images, filesystems, IaC (Terraform, K8s manifests, Dockerfiles, Helm), SBOMs (SPDX, CycloneDX), and Git repos.
- CI/CD compute is the real budget line. At 10k pipeline runs per month with ~30s scans, that's modest GitHub Actions minutes.
- Aqua-hosted commercial tier adds dashboards, compliance packs, and Kubernetes admission control.
Where it hits the ceiling
Trivy is genuinely production-grade in CI/CD. Admission-control story is weaker than Wiz or Snyk Container at scale.
// faq
FAQ
- Is Trivy pricing public?Yes. Trivy publishes list pricing on its product page (cited above).
- Is there a free tier of Trivy?It is fully free (open-source).
- Does Trivy cover web application scanning?Limited; for serious web DAST coverage pair with Burp Enterprise, Invicti, or Acunetix.
- Does Trivy produce PCI ASV evidence?Indirectly; pair with an ASV-attested tool for the formal quarterly ASV scan.
- How often does Trivy update its vulnerability content?Daily for commercial scanners (Tenable plugins, Qualys signatures, Rapid7 recog). Open-source OpenVAS NVT feed is daily but lags commercial coverage by hours to days.