Aqua Security Introduces Industry-First Kubernetes Vulnerability Scanning With Trivy KBOM

BOSTON — Nov. 6, 2023 — Aqua Security, the pioneer in cloud native security, today announced its open source solution Trivy now supports vulnerability scanning for Kubernetes components in addition to Kubernetes Bill of Materials (KBOM) generation. Now, companies can better understand the components within their Kubernetes environment and how secure they are in order to substantially reduce risk. 

Kubernetes has been widely adopted across enterprises worldwide, but according to Red Hat, more than half of companies are worried about Kubernetes security — in particular, vulnerabilities and misconfigurations. Existing infrastructure scanners check only for misconfigurations and cannot analyze Kubernetes components themselves for vulnerabilities. With this new innovation in Aqua’s open source solution, Trivy is solving this challenge for the first time.

Earlier in 2023, Aqua announced that Trivy included KBOM generation. Much like a Software Bill of Materials (SBOM), a KBOM is the manifest of all the important components that make up your Kubernetes cluster: control plane components, node components and add-ons, including their versions and images. Aqua Trivy’s Kubernetes vulnerability scanning uses the KBOM to help users understand how their cluster security changes over time, identify security issues and know when to upgrade cluster components. The visibility gained from KBOM generation and component vulnerability scanning is not just important for companies running their own Kubernetes environments. Those using a managed Kubernetes service also need this level of visibility and security to determine whether their service providers are running vulnerable components that may put them at risk.

“Just as SBOM is critical for your application security, KBOM is critical to your infrastructure security,” said Itay Shakury, vice president of open source at Aqua Security. “Now, with the ability to scan the actual Kubernetes infrastructure, in addition to workloads and images, we are working toward the industry’s first complete Kubernetes vulnerability scanner. Aqua established itself as an early innovator in Kubernetes security with successful tools like kube-bench and kube-hunter, and our open source team continues to work diligently to bring new, meaningful capabilities to our users.”

Kubernetes vulnerability scanning is the latest capability added to Trivy, the industry’s most popular vulnerability and risk scanner. With nearly 20,000 GitHub stars, Trivy has a thriving community of users and contributors.

Developers can try Aqua Trivy’s KBOM generation today to scan their cluster resources for vulnerabilities. Aqua always welcomes feedback to improve the experience. More information can be found in the Trivy KBOM documentation and on the Aqua blog. Developers can also stay up to date with the latest developments via the Aqua Open Source Slack.

Additionally, all KBOM features will be commercially available as part of Aqua’s Kubernetes Security Posture Management solution (KSPM) and as part of the Aqua Platform in late November.   

Aqua will be showcasing Trivy, KBOM and other innovations during KubeCon + CloudNativeCon Nov. 6-9 in Chicago. Stop by booth C14 to learn more about Aqua.

About Aqua Security 

Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit