Migrate from Trivy to cnspec
A practical guide for migrating from Aqua Trivy to cnspec, covering container scanning, IaC, Kubernetes, CI/CD, and custom policies.
This guide is for DevOps engineers, platform engineers, and security practitioners who currently use Trivy and want to migrate to cnspec. It maps common Trivy workflows to their cnspec equivalents and highlights where cnspec goes beyond vulnerability scanning.
Feature comparison at a glance
| Capability | Trivy | cnspec |
|---|---|---|
| Container image scanning | trivy image | cnspec scan container |
| Dockerfile analysis | trivy config Dockerfile | cnspec scan docker file |
| Filesystem scanning | trivy fs | cnspec scan fs |
| Git repository scanning | trivy repo | cnspec scan fs (cloned repo) |
| Terraform scanning | trivy config | cnspec scan terraform |
| CloudFormation scanning | trivy config | cnspec scan cloudformation |
| Kubernetes cluster scanning | trivy k8s | cnspec scan k8s |
| Kubernetes manifest scanning | trivy config | cnspec scan k8s <manifest> |
| SBOM generation | trivy sbom | cnspec sbom |
| Custom policies | Rego (OPA) | MQL (Mondoo Query Language) |
| CI/CD integration | GitHub Action, GitLab template | GitHub Action, GitLab, Jenkins, Azure Pipelines |
| Cloud posture management | Limited | AWS, Azure, GCP, OCI |
| SaaS security | Not supported | GitHub, GitLab, Google Workspace, Slack, MS 365 |
| Continuous monitoring | Not supported | Mondoo Platform |
Installation and setup
Install cnspec
Trivy is typically installed through a package manager or Docker image. cnspec offers similar options:
```bash
# macOS
brew install mondoohq/mondoo/cnspec

# Linux (Debian/Ubuntu)
curl -sSL https://install.mondoo.com/sh | bash

# Docker
docker run -it mondoo/cnspec scan <target>
```

For detailed installation options, see Installation overview.
Authenticate with Mondoo Platform (optional)
While Trivy works as a standalone scanner, cnspec can optionally connect to Mondoo Platform for centralized reporting, policy management, and continuous monitoring:
```bash
cnspec login --token <your-token> --config-path /etc/opt/mondoo/mondoo.yml
```

cnspec works fully without Mondoo Platform registration. Use --incognito to run scans without sending results to the platform.
CLI structure comparison
Both tools follow a similar CLI pattern:
| Trivy | cnspec |
|---|---|
| trivy <target> [options] | cnspec scan <target> [options] |
| trivy image | cnspec scan container |
| trivy config | cnspec scan terraform, cnspec scan cloudformation, cnspec scan k8s |
| trivy k8s | cnspec scan k8s |
| trivy sbom | cnspec sbom |
A key difference: Trivy uses trivy config as a catch-all for misconfiguration scanning across IaC tools, while cnspec uses explicit subcommands for each target type.
Container image scanning
Basic image scan
```bash
# Trivy
trivy image alpine:3.20

# cnspec
cnspec scan container alpine:3.20
```

Registry scanning
cnspec supports the same container registries as Trivy, including ECR, ACR, GCR, Docker Hub, and Harbor:
```bash
# Trivy
trivy image 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

# cnspec
cnspec scan container registry 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
```

cnspec uses the container runtime's configured credentials, so if you can docker pull an image, cnspec can scan it.
Dockerfile scanning
```bash
# Trivy
trivy config Dockerfile

# cnspec
cnspec scan docker file Dockerfile
```

Running container scanning
Unlike Trivy, cnspec can also scan running containers:

```bash
cnspec scan docker CONTAINER_ID
```

Filesystem and repository scanning
Filesystem scanning
```bash
# Trivy
trivy fs .

# cnspec
cnspec scan fs .
```

Repository scanning
Trivy has a dedicated trivy repo command for scanning remote Git repositories. With cnspec, clone the repository first and scan it as a filesystem:
```bash
# Trivy
trivy repo https://github.com/example/repo

# cnspec
git clone https://github.com/example/repo
cnspec scan fs repo
```

Infrastructure as Code scanning
Trivy uses trivy config for all IaC scanning. cnspec provides dedicated subcommands for each IaC tool, giving you more precise control.
Terraform
```bash
# Trivy
trivy config --tf ./terraform/

# cnspec — scan HCL files
cnspec scan terraform ./terraform/

# cnspec — scan a Terraform plan
terraform plan -out=plan.out
terraform show -json plan.out > plan.json
cnspec scan terraform plan plan.json

# cnspec — scan Terraform state
cnspec scan terraform state
```

cnspec's separate commands for HCL, plan, and state scanning let you check security at every stage of the Terraform workflow.
CloudFormation
```bash
# Trivy
trivy config ./cloudformation/

# cnspec
cnspec scan cloudformation template.json
```

Kubernetes manifests
```bash
# Trivy
trivy config -n k8s deployment.yaml

# cnspec
cnspec scan k8s deployment.yaml
```

Kubernetes cluster scanning
Basic cluster scan
```bash
# Trivy
trivy k8s --report=summary

# cnspec
cnspec scan k8s
```

Both tools use your current kubeconfig context.
Targeted resource scanning
```bash
# Trivy
trivy k8s --include-namespaces default --report=summary

# cnspec — discover specific resource types
cnspec scan k8s --discover pods,deployments
```

Continuous cluster scanning
Trivy can run as an operator inside a cluster, but its primary mode is on-demand scanning. cnspec offers the Mondoo Kubernetes Operator for continuous security monitoring of your clusters, with results reported to Mondoo Platform.
SBOM generation
```bash
# Trivy
trivy sbom alpine:3.20

# cnspec
cnspec sbom alpine:3.20
```

Both tools generate software bills of materials. cnspec supports CycloneDX and SPDX output formats.
CI/CD integration
GitHub Actions
```yaml
# Trivy
- name: Run Trivy
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'my-app:${{ github.sha }}'

# cnspec
- name: Run cnspec
  uses: mondoohq/actions/scan@main
  with:
    service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
    scan-type: docker-image
    target: 'my-app:${{ github.sha }}'
```

GitLab CI
```yaml
# Trivy
trivy_scan:
  image: aquasec/trivy:latest
  script:
    - trivy image my-app:latest

# cnspec
cnspec_scan:
  image: mondoo/cnspec:latest
  script:
    - cnspec scan container my-app:latest --incognito
```

Output formats for CI
| Trivy format | cnspec equivalent | Flag |
|---|---|---|
| --format table | compact (default) | (default) |
| --format json | JSON | -o json |
| --format sarif | No direct equivalent | — |
| --format junit | JUnit XML | -o junit |
| --format template | YAML, CSV | -o yaml, -o csv |
```bash
# Trivy
trivy image --format json -o results.json my-app:latest

# cnspec
cnspec scan container my-app:latest -o json > results.json
```

Policies and custom rules
Policy approach comparison
Trivy uses Rego (Open Policy Agent) for custom policies. cnspec uses MQL (Mondoo Query Language), which is purpose-built for infrastructure security queries.
Example: Ensure containers don't run as root
Trivy (Rego):

```rego
package custom

deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  not container.securityContext.runAsNonRoot
  msg := sprintf("Container %s must set runAsNonRoot", [container.name])
}
```

cnspec (MQL):

```mql
k8s.deployments.all(
  containers.all(
    securityContext['runAsNonRoot'] == true
  )
)
```

Policy management
Trivy bundles its checks and supports custom Rego policies via the --policy flag. cnspec provides:
- Policy registry: A library of ready-to-use policies in the Mondoo Policy Hub
- Custom policies: Write your own policies using MQL and apply them with --policy-bundle:

  ```bash
  cnspec scan k8s --policy-bundle my-policy.mql.yaml
  ```

- Centralized management: Manage and assign policies across your infrastructure through Mondoo Platform
To learn more, see Writing custom policies.
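The MQL query above is only a query; to apply it with --policy-bundle it has to live in a bundle file. The script below is an added example, not part of this guide or of cnspec itself: it writes the runAsNonRoot check into a single-check bundle, writes a constructed Deployment manifest that violates it, and runs the scan the way a CI job would (incognito, JSON output, exit status as the gate). The policy and check uids, the names, and the sample manifest are made up; the bundle layout (policies, groups, checks with uid/title/mql) is assumed from cnspec's bundle format. The CNSPEC variable exists so the script can be pointed at a stub where cnspec is not installed.

```shell
#!/bin/sh
# Added example, not from the cnspec documentation: package the MQL check shown
# above as a policy bundle and apply it to a Kubernetes manifest with
# --policy-bundle. Policy/check uids, names and the sample Deployment are made
# up; the bundle layout (policies -> groups -> checks with uid/title/mql) is
# assumed from cnspec's bundle format.
# CNSPEC can be overridden to point at a stub when cnspec is not installed.
CNSPEC="${CNSPEC:-cnspec}"

# write_nonroot_bundle FILE: write a one-check bundle wrapping the
# runAsNonRoot query from the MQL example above.
write_nonroot_bundle() {
  cat > "$1" <<'EOF'
policies:
  - uid: example-k8s-nonroot
    name: Example - Deployment containers must not run as root
    version: 1.0.0
    groups:
      - title: Pod security context
        checks:
          - uid: k8s-deployment-run-as-non-root
            title: Deployment containers set runAsNonRoot to true
            mql: |
              k8s.deployments.all(
                containers.all(
                  securityContext['runAsNonRoot'] == true
                )
              )
EOF
}

# write_sample_manifest FILE: constructed Deployment with no securityContext,
# i.e. an input the check above is expected to fail on.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: example/app:1.0
EOF
}

# bundle_has_check FILE UID: pre-commit sanity check that the bundle still
# carries the expected check uid.
bundle_has_check() {
  grep -q "uid: $2" "$1"
}

# scan_manifest MANIFEST BUNDLE: run the bundle against the manifest in
# incognito mode (nothing is sent to Mondoo Platform) with JSON output, so a
# CI step can archive the report and use the exit status as a gate.
scan_manifest() {
  "$CNSPEC" scan k8s "$1" --policy-bundle "$2" --incognito -o json
}

# Run end to end when invoked as: sh <this script> run
if [ "${1:-}" = "run" ]; then
  write_nonroot_bundle my-policy.mql.yaml
  write_sample_manifest deployment.yaml
  scan_manifest deployment.yaml my-policy.mql.yaml
fi
```

Because the sample manifest sets no securityContext, the check is expected to fail and the scan to exit non-zero, which is exactly the signal a pipeline step should block on; swap in your own manifests and drop the --incognito flag once results should flow to Mondoo Platform.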
Output formats and reporting
Format comparison
```bash
# Trivy — default table output
trivy image alpine:3.20

# cnspec — default compact output
cnspec scan container alpine:3.20

# Trivy — JSON output
trivy image --format json alpine:3.20

# cnspec — JSON output
cnspec scan container alpine:3.20 -o json

# cnspec — full detail output
cnspec scan container alpine:3.20 -o full

# cnspec — JUnit for CI
cnspec scan container alpine:3.20 -o junit
```

When connected to Mondoo Platform, scan results are also available in the web console with dashboards, trends, and fleet-wide views.
Command reference cheat sheet
| Task | Trivy | cnspec |
|---|---|---|
| Scan container image | trivy image alpine:3.20 | cnspec scan container alpine:3.20 |
| Scan image from registry | trivy image registry.example.com/app | cnspec scan container registry registry.example.com/app |
| Scan Dockerfile | trivy config Dockerfile | cnspec scan docker file Dockerfile |
| Scan running container | Not supported | cnspec scan docker CONTAINER_ID |
| Scan filesystem | trivy fs . | cnspec scan fs . |
| Scan Git repo | trivy repo <url> | git clone <url> && cnspec scan fs <dir> |
| Scan Terraform HCL | trivy config --tf . | cnspec scan terraform . |
| Scan Terraform plan | trivy config plan.json | cnspec scan terraform plan plan.json |
| Scan CloudFormation | trivy config template.json | cnspec scan cloudformation template.json |
| Scan K8s cluster | trivy k8s --report=summary | cnspec scan k8s |
| Scan K8s manifest | trivy config -n k8s deploy.yaml | cnspec scan k8s deploy.yaml |
| Generate SBOM | trivy sbom alpine:3.20 | cnspec sbom alpine:3.20 |
| JSON output | trivy image --format json img | cnspec scan container img -o json |
| Use custom policy | trivy config --policy dir/ | cnspec scan --policy-bundle policy.mql.yaml |
| Scan AWS account | Not supported | cnspec scan aws |
| Scan Azure subscription | Not supported | cnspec scan azure |
| Scan GCP project | Not supported | cnspec scan gcp |
| Scan SSH target | Not supported | cnspec scan ssh user@host |
| Scan GitHub org | Not supported | cnspec scan github org <name> |
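When a CI repository contains many Trivy invocations, rewriting them by hand against this cheat sheet is error-prone. The shell function below is an added example, not part of this guide or of cnspec: it parses a Trivy command line and prints the cnspec equivalent using the mappings in the cheat sheet and the CI output-format table above, covering image, fs, repo, k8s, sbom and config. Because Trivy infers the IaC type from file contents while cnspec needs an explicit subcommand, the rules for trivy config targets (Dockerfile, *plan.json, *.tf, *template*, the --tf flag and the -n k8s flag from the manifest example) are our own assumptions; a bare directory such as ./cloudformation/ is ambiguous and makes the function return 2 so it gets a human look. A Rego --policy directory cannot be reused, so it is emitted as a labelled placeholder bundle name rather than silently dropped, and --format sarif (no cnspec equivalent) is also reported as unmappable.

```shell
#!/bin/sh
# Added example, not part of the cnspec documentation: translate a Trivy
# command line into its cnspec equivalent using the cheat-sheet mappings above,
# so CI scripts can be converted mechanically and then reviewed.
# The "trivy config" target heuristics are our own assumptions; anything that
# cannot be mapped makes the function print nothing and return 2.

# map_format TRIVY_FORMAT: print the cnspec -o suffix ("" = default compact).
# SARIF has no cnspec equivalent and is reported as unmappable.
map_format() {
  case "$1" in
    ""|table) : ;;
    json)     printf ' -o json' ;;
    junit)    printf ' -o junit' ;;
    template) printf ' -o yaml' ;;
    *)        return 2 ;;
  esac
}

# container_target IMAGE_REF: registry-qualified refs (first path component
# looks like a host) use "container registry"; bare refs use "container".
container_target() {
  case "$1" in
    */*)
      host="${1%%/*}"
      case "$host" in
        *.*|*:*|localhost) echo "container registry $1"; return 0 ;;
      esac ;;
  esac
  echo "container $1"
}

# guess_config_subcommand TARGET TF_FLAG K8S_FLAG: choose the cnspec subcommand
# for a "trivy config" target (assumption-based). Explicit flags win, then the
# file name. A bare directory is ambiguous and returns 2.
guess_config_subcommand() {
  if [ "$3" = 1 ]; then echo "k8s"; return 0; fi
  if [ "$2" = 1 ]; then echo "terraform"; return 0; fi
  case "$(basename "$1")" in
    Dockerfile*) echo "docker file" ;;
    *plan.json)  echo "terraform plan" ;;
    *.tf)        echo "terraform" ;;
    *template*)  echo "cloudformation" ;;
    *)           return 2 ;;
  esac
}

# trivy_to_cnspec SUBCOMMAND [ARGS...]: print the cnspec command for
# "trivy SUBCOMMAND ARGS...". Rego policy directories cannot be reused, so they
# become a placeholder bundle name that is obvious in code review.
trivy_to_cnspec() {
  sub="$1"; shift
  fmt=""; outfile=""; target=""; policy=""; tf=0; k8s=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --format)    fmt="$2"; shift ;;
      --format=*)  fmt="${1#--format=}" ;;
      -o|--output) outfile="$2"; shift ;;
      --tf)        tf=1 ;;
      -n)          if [ "$2" = k8s ]; then k8s=1; fi; shift ;;
      --policy)    policy="$2"; shift ;;
      --policy=*)  policy="${1#--policy=}" ;;
      --report|--include-namespaces) shift ;;   # no cnspec counterpart; dropped
      -*)          ;;                            # other Trivy flags are dropped
      *)           target="$1" ;;
    esac
    shift
  done
  case "$sub" in
    image)  cmd="cnspec scan $(container_target "$target")" ;;
    fs)     cmd="cnspec scan fs ${target:-.}" ;;
    repo)   cmd="git clone $target && cnspec scan fs $(basename "$target" .git)" ;;
    k8s)    cmd="cnspec scan k8s" ;;
    sbom)   cmd="cnspec sbom $target" ;;
    config) kind=$(guess_config_subcommand "$target" "$tf" "$k8s") || return 2
            cmd="cnspec scan $kind $target" ;;
    *)      return 2 ;;
  esac
  fmt_flag=$(map_format "$fmt") || return 2
  if [ -n "$policy" ]; then cmd="$cmd --policy-bundle <mql-bundle-for:$policy>"; fi
  cmd="$cmd$fmt_flag"
  if [ -n "$outfile" ]; then cmd="$cmd > $outfile"; fi
  echo "$cmd"
}

# Usage, e.g.: trivy_to_cnspec image --format json -o results.json my-app:latest
# prints: cnspec scan container my-app:latest -o json > results.json
```

Feed it each Trivy line from a pipeline (for example with a loop over `grep -o 'trivy .*' .gitlab-ci.yml`), commit the printed commands, and treat every non-zero return and every placeholder bundle name as an item for manual migration rather than a silent drop.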
What's next: Beyond vulnerability scanning
If you're migrating from Trivy, you're already familiar with vulnerability and misconfiguration scanning. cnspec extends your security coverage to areas Trivy doesn't reach:
- Cloud security posture: Scan AWS, Azure, GCP, and OCI accounts for misconfigurations and compliance violations.
- SaaS security: Assess the security configuration of GitHub, GitLab, Google Workspace, Slack, and Microsoft 365.
- Operating system security: Scan Linux and Windows hosts over SSH or WinRM.
- Network devices: Assess network device security configurations.
- Compliance frameworks: Map your security posture to CIS Benchmarks, SOC 2, PCI DSS, HIPAA, and other frameworks.
- Continuous monitoring: Use Mondoo Platform to continuously monitor your entire infrastructure from a single dashboard.
For the full list of supported scan targets, see Supported scan targets.