
Trivy
Vulnerability, misconfiguration, and secrets scanner
Coldcast Lens
Trivy is the Swiss Army knife of security scanning — containers, filesystems, git repos, IaC configs, Kubernetes manifests, and SBOMs, all from one CLI command. Add it to your CI pipeline in two lines and catch vulnerabilities, misconfigurations, and leaked secrets before they ship.
Every indie hacker pushing Docker images should run Trivy. It's free, adds 10-30 seconds to your pipeline, and catches real problems. Snyk is the polished commercial alternative with better remediation guidance. Grype is simpler but only scans vulnerabilities (no IaC, no secrets). Docker Scout is built into Docker Desktop but limited.
The catch: Trivy's vulnerability database isn't perfect — run it alongside Grype for better coverage, since they use different data sources. False positives happen, especially with OS-level packages in base images. And while Trivy scans broadly, it doesn't prioritize — you'll need to triage the results yourself. It finds problems; it doesn't fix them.
About
- Stars: 34,109
- Forks: 191