Open source · MIT license

Self-hosted
Trivy dashboard

Aggregate Trivy scan results from your CI/CD pipelines into one real-time dashboard. Docker, Docker Compose, or Kubernetes — your infrastructure, your data.

Features

Everything in one place

  • Real-time

    CVEs ranked by severity, fix versions inline

    Stop hunting through JSON. Critical CVEs bubble to the top, patched versions shown next to each finding. Triage in seconds, not hours.

    CRITICAL
    HIGH
    MEDIUM
  • Integrations

    One curl. Any CI system.

    GitHub Actions, GitLab CI, Jenkins, CircleCI — one command.

    $ curl -X POST \
        -H "Authorization: Bearer $TOKEN" \
        -F "file=@report.json" \
        https://trivyhub.your-company.com/api/v1/report
  • Analytics

    Trend charts

    Weekly CVE evolution across all projects and environments.

  • Multi-project

    Environments

    Production, staging, per-branch — organized and role-gated.

  • Scan history

    Full timeline

    Diff vs previous scan. Branch and commit context every run.

  • API Keys

    Per-project keys

    Create, copy, revoke. One key per project, never shared.

Security-first

Your data never leaves your network

TrivyHub is self-hosted by design. No telemetry, no SaaS callbacks, no surprises. MIT licensed.

  • Zero-trust

    API keys scoped per project

    JWT-authenticated endpoints. Keys can be revoked individually. No shared secrets between projects.

  • CVE traceability

    Every vuln linked to NVD + CVSS

    Direct link to the CVE entry, CVSS score, affected versions, and the upstream patch. Full audit trail.

  • Air-gapped

    Runs fully offline

    SQLite or PostgreSQL — your choice. Works inside a VPN, a private cluster, or a full air-gap. No internet required.

  • Severity ranking

    Critical first, noise filtered

    CRITICAL and HIGH CVEs always on top. Fix versions shown inline. Diff vs previous scan on every push.
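
The ordering and scan diff described above, sketched over the fields of a Trivy JSON report. This is an added example, not TrivyHub's own code; the sample reports, package names and CVE IDs are constructed placeholders.

```python
import json

# Trivy severity labels, most urgent first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

def rank_findings(report):
    """Flatten a Trivy JSON report into findings sorted most severe first."""
    findings = []
    for result in report.get("Results") or []:
        # "Vulnerabilities" is missing or null for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            findings.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "target": result.get("Target", "?"),
                "package": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": sev if sev in RANK else "UNKNOWN",
            })
    # Within one severity, findings that already have a fix sort first.
    findings.sort(key=lambda f: (RANK[f["severity"]], f["fixed"] is None,
                                 f["package"], f["id"]))
    return findings

def diff_scans(previous, current):
    """Return (new, resolved) findings between two ranked scans."""
    def key(f):
        return (f["package"], f["id"])
    before = {key(f) for f in previous}
    after = {key(f) for f in current}
    return ([f for f in current if key(f) not in before],
            [f for f in previous if key(f) not in after])

# Constructed sample reports; package names and CVE IDs are placeholders.
PREVIOUS = json.loads("""{"Results": [{"Target": "app (constructed)", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libold", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
 {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"}]}]}""")
CURRENT = json.loads("""{"Results": [{"Target": "app (constructed)", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"},
 {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar", "InstalledVersion": "2.0", "Severity": "CRITICAL"},
 {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz", "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "CRITICAL"}]},
 {"Target": "requirements.txt", "Vulnerabilities": null}]}""")

if __name__ == "__main__":
    for f in rank_findings(CURRENT):
        print(f"{f['severity']:<9}{f['id']:<15}{f['package']} {f['installed']} -> {f['fixed'] or 'no fix yet'}")
```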

Install

Up and running in under five minutes

Docker
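# $(openssl rand -hex 32) runs on every invocation, so re-creating the container
# with this command changes JWT_SECRET; save the value and reuse it if tokens
# signed with it must stay valid.
docker run -d \
  --name trivyhub \
  -p 3000:3000 \
  -e JWT_SECRET="$(openssl rand -hex 32)" \
  -v trivyhub-data:/app/data \
  ghcr.io/trivyhub/trivy-dashboard-web:latest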

SQLite, zero config. Data persisted in a Docker volume.

Push scan results from CI

.github/workflows/scan.yml
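- name: Trivy scan
  run: trivy image --format json --output report.json "$IMAGE"

- name: Push to TrivyHub
  env:
    # Pass the secret through the environment instead of expanding it into the script text.
    TRIVYHUB_TOKEN: ${{ secrets.TRIVYHUB_TOKEN }}
  run: |
    # GITHUB_REPOSITORY, GITHUB_REF_NAME and GITHUB_SHA are default runner variables;
    # reading them as shell variables keeps branch names out of the script source.
    # --fail makes the step fail on an HTTP error response.
    curl --fail -X POST \
      -H "Authorization: Bearer $TRIVYHUB_TOKEN" \
      -F "project=$GITHUB_REPOSITORY" \
      -F "file=@report.json" \
      -F "environment=production" \
      -F "branch=$GITHUB_REF_NAME" \
      -F "commit=$GITHUB_SHA" \
      https://trivyhub.your-company.com/api/v1/report

How it works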

Four steps from zero to dashboard

01

Deploy TrivyHub

Run it with Docker, Docker Compose, or Helm. Choose SQLite for simplicity or PostgreSQL for production.

02

Create an API key

In the dashboard: Settings → API Keys → New key. One key per project or environment.

03

Add to your pipeline

One curl command in your CI job. Trivy scans the image and sends the JSON report to TrivyHub.

04

Monitor & triage

Your team sees CVEs ranked by severity, with fix versions, evolution charts, and full scan history.

Ship secure, every time.

Open source and self-hosted. Your scans never leave your infrastructure.