github.com/aquasecurity/trivy

Integrating Trivy as a library rather than CLI tool works well for building custom security pipelines. The scanner API is straightforward with good flexibility for configuring scan targets (images, filesystems, repositories). Database management is mostly transparent—it handles downloads and updates automatically, though you'll want to control cache locations in production to avoid repeated downloads across instances.

Memory usage can spike significantly during large image scans (500MB+ easily), so size your containers accordingly. The library doesn't expose granular timeout controls per scan phase, which becomes problematic when scanning images with many layers or large dependency trees. Error handling is decent but some transient network failures during DB updates result in cryptic errors that require parsing log output to diagnose. Resource cleanup is generally good if you use the scanner objects correctly, though file descriptor leaks can occur if you don't properly close scanners after errors.

Logging hooks through standard loggers work fine, but verbosity levels are coarse—you get either minimal output or a firehose. The breaking API changes between minor versions (0.4x to 0.5x especially) required non-trivial refactoring. Under load with concurrent scans, database locking can become a bottleneck without careful cache strategy planning.

Trivy excels as a CLI tool but embedding it as a Go library in your applications requires navigating a complex API surface. The package structure is heavily optimized for the CLI experience, which means you'll spend time studying internal packages and piecing together the right combination of scanners, runners, and result parsers. Documentation focuses almost entirely on CLI usage, leaving library consumers to read source code.

Type definitions are present but the API ergonomics feel like an afterthought. You'll encounter deeply nested configuration structs with unclear required vs optional fields, and error messages often reference internal state rather than actionable fixes. IDE autocompletion works but doesn't help much when you need to understand which of the many scanner types to instantiate or how to properly initialize the vulnerability database.

That said, when you get it working, the scanning capabilities are comprehensive and reliable. The challenge is the initial integration and ongoing maintenance as the API evolves between versions with limited migration guidance.

Integrating Trivy as a Go library is surprisingly complex compared to using its CLI. The documentation heavily focuses on command-line usage, leaving you to dig through example code and GitHub issues to understand the programmatic API. Once you grasp the scanner initialization patterns and understand how to configure different scan targets (images, filesystems, SBOMs), it becomes manageable, but expect a few days of trial and error.

The error messages are generally helpful when misconfiguring scan options, though database initialization errors can be cryptic. The library's real strength is its comprehensive vulnerability detection across multiple ecosystems. Day-to-day usage involves managing database updates, handling scan results, and parsing the JSON output structures which are well-documented once you find them.

Community support is excellent on GitHub issues - maintainers are responsive and helpful. However, Stack Overflow has limited Go-specific integration questions, so you'll rely heavily on reading the source code and existing integrations like trivy-operator for real-world patterns.