The Aqua Trivy Premium scanner (or simply "Trivy Premium") is Aqua's next-generation scanning engine. It provides the best and richest scanning results, and gets security data (latest vulnerabilities, advisories, malware, etc.) from sources such as Red Hat OVAL v2. Trivy Premium will incorporate all the features of the current Aqua commercial scanner ("Legacy") and the Aqua Trivy open-source scanner (the current market-leading open-source scanner). Aqua is investing heavily in Trivy Premium and intends to make it the default scanner in the second half of 2022.

When do I get Trivy Premium?

All Aqua Platform SaaS Edition accounts created in or after November 2021 use Trivy Premium as the scanner. (This applies to the Team, Advanced, and Enterprise plans.) If your account was created before then, you have the option of switching to Trivy; see Change the scanner selection below.

Current limitations of Trivy Premium

Trivy Premium supports many scanning-related features of the classic scanner. Exceptions are noted in this section.

Features that work, but are temporarily performed by the classic scanner

Trivy Premium does not currently support the features listed below. If you are using Trivy Premium, these features will work, but will actually be performed seamlessly by the classic scanner:

  • Host scanning
  • Host images scanning

Aqua intends for Trivy Premium to support these features in the first half of 2023.

Features not currently supported 

Trivy Premium does not currently support the features listed below. If you are using Trivy Premium, these features will not work at this time:

  • Custom Compliance Checks for Assurance Policies
  • Scanning of images (with embedded MicroEnforcer) for the registration of container workloads that run from these images
  • Vulnerability Shield (vShield) for CentOS and Red Hat OVAL v2 data (all other data feeds are currently supported)

Aqua intends for Trivy Premium to support these features in the first half of 2023.

Features deprecated

Trivy Premium does not support the feature listed below. If you are using Trivy Premium, this feature will not work, and Aqua does not plan to implement it in Trivy Premium:

  • Aqua SCAP Scanning

Change the scanner selection

To switch from the classic scanner to the Trivy Premium scanner or vice versa:

  1. Navigate to the Settings > Scanning page.
  2. From the "Scan Engine" dropdown, select either Trivy Premium Scanner or Classic Scanner.

Note: The scan engine selection determines the list of scanning settings that will appear in the UI. Trivy Premium offers most of the scanning features, such as "Scan for malware" and "Search for sensitive data in images and functions". However, as noted above, some features are not supported by Trivy Premium.

Rescanning images:

  • If you switch from classic scanner to Trivy Premium, you should perform a rescan (not a full rescan) of all the images from the Images page. 
  • If you switch from Trivy Premium to classic scanner, you should perform a full rescan of all the images.


If your organization restricts access to external sites through a firewall for security compliance, ensure that you allow access to the following URLs before you start using Trivy:

Once Trivy is enabled in your Aqua environment, Trivy always communicates with Aqua CyberCenter directly (instead of via the Aqua Server).

Effect of changing your Aqua SaaS plan

If you upgrade your Aqua account to the Enterprise plan from the Team or Advanced plan, the classic scanner will be activated (irrespective of which scanner was enabled in the previous plan).

Downgrading your Aqua account to a lower plan will not change the scanner selection.

Deprecation plan for the classic scanner

In November 2021, Aqua launched a next-generation scanning engine called the Trivy Premium scanner. It includes the brilliance of open-source innovation and is built for enterprise scale, making it the most powerful scanner in the market.

Aqua has decided to deprecate the classic scanner and instead invest all its energy and efforts in the Trivy Premium scanner. The detailed deprecation plan for the classic scanner is as follows:

  • Deprecation of the classic scanner will go into effect on 31st December 2023
  • New features and enhancements will be added to the Trivy Premium scanner only (not to the classic scanner)
  • All new accounts of Aqua SaaS Edition, on any plan, will have the Trivy Premium scanner enabled by default