KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// scanner: trivy

Trivy pricing 2026: free Apache 2.0, CI/CD minutes are the only cost

De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What does Trivy cost in 2026?

Free (Apache 2.0). CI/CD scan minutes are the marginal cost.. De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.

Pricing snapshot

  • Trivy CLI / Trivy OperatorFree, Apache 2.0
  • Aqua Trivy Premium (managed)Quote-only via Aqua Security
  • Aqua CSPM / Aqua EnterpriseQuote-only platform tiers

What scales, what does not

  • Scans container images, filesystems, IaC (Terraform, K8s manifests, Dockerfiles, Helm), SBOMs (SPDX, CycloneDX), and Git repos.
  • CI/CD compute is the real budget line. At 10k pipeline runs per month with ~30s scans, that's modest GitHub Actions minutes.
  • Aqua-hosted commercial tier adds dashboards, compliance packs, and Kubernetes admission control.

Where it hits the ceiling

Trivy is genuinely production-grade in CI/CD. Admission-control story is weaker than Wiz or Snyk Container at scale.

// price-bandFREE// verified 2026-06-26
// faq

FAQ

  • Is Trivy pricing public?
    Yes. Trivy publishes list pricing on its product page (cited above).
  • Is there a free tier of Trivy?
    It is fully free (open-source).
  • Does Trivy cover web application scanning?
    Limited; for serious web DAST coverage pair with Burp Enterprise, Invicti, or Acunetix.
  • Does Trivy produce PCI ASV evidence?
    Indirectly; pair with an ASV-attested tool for the formal quarterly ASV scan.
  • How often does Trivy update its vulnerability content?
    Daily for commercial scanners (Tenable plugins, Qualys signatures, Rapid7 recog). Open-source OpenVAS NVT feed is daily but lags commercial coverage by hours to days.
Related: Pricing cheatsheet How we verify Directory