While the rise of container technologies revolutionized the way we build and deploy applications, they also changed our attack surface and introduced challenges around security that we’re still trying to solve. One way to radically reduce your exposure to known vulnerabilities is to use a secure, minimal base image like those provided by Minimus, but you can’t stop there. What about the components you add on top of that base image?
Enter vulnerability scanners, an invaluable aspect of your DevSecOps setup. Vulnerability scanners help you catch the vulnerabilities that creep in once you start layering packages and dependencies on top of your base image. They’re fast, informative, and not so intrusive that they interfere with the way your team works. Even better, our favorite options are open source!
In this post, we’ll take a look at the two most popular open source scanners, Trivy and Grype, and how they fit into your workflow.
The two most popular options for vulnerability scanning are Grype (by Anchore) and Trivy (by Aqua Security). They both achieve the goal of identifying and alerting on known vulnerabilities, but take different approaches for use and integration.
Grype’s approach is laser-focused on providing highly detailed vulnerability information on container images. It will detect and provide severity and remediation information for vulnerabilities in both OS-level and language-specific packages.
Grype is particularly good at providing customizable reporting thresholds and outputs, ensuring that you only get alerted when it’s relevant, and making sure that the output data is in a format easily used by your team’s existing tooling. Because it’s so focused and lightweight, it’s lightning fast in your CI/CD pipelines and provides a level of detail that other options do not.
Trivy looks at security with a bird’s eye view of your entire application workflow. It scans not just images, but also git repositories, a variety of Infrastructure as Code templates, and your Kubernetes YAML.
If you have multiple architectures in your environment, Trivy’s broad approach to vulnerability detection is hard to beat. This versatility is also a huge selling point for organizations just beginning their DevSecOps transformation, and it’s well-known to be straightforward to set up.
Grype and Trivy both have large, mature communities around them and integrate with lots of other tooling. Which one will work best for you depends on your specific goals and existing workflow, but you almost certainly need one or the other.
If your priority is speed and detailed results in CI/CD, Grype is hard to beat. If you want a scanner that covers more than just images, from repositories to Kubernetes manifests, Trivy gives you that breadth.
Whether you’re looking to deepen your understanding of your application vulnerabilities or you’re just beginning your transformation, these open source scanning tools will be a valuable addition for your team.
No matter which scanner you use, whether it's open source or a paid tool, its effectiveness comes from how you run it and the images you start with. Scanner results can be overwhelming. A single scan might result in hundreds of CVEs, and the real work comes in triaging and fixing them.
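Both tools can gate a pipeline on their own (Grype with `--fail-on high`, Trivy with `--severity HIGH,CRITICAL --exit-code 1`), but the triage step that follows a scan with hundreds of findings is where teams spend their time, and the thresholds discussed above for Grype only help if the output feeds your own tooling. The script below is an added example, not code from Minimus, Anchore or Aqua: it normalizes a Grype JSON report (`grype <image> -o json`) and a Trivy JSON report (`trivy image -f json <image>`) into one finding list, counts findings per severity, and applies a configurable gate that can optionally ignore findings with no available fix. The field names follow the two tools' JSON output as I know it, and the two sample reports are constructed with placeholder CVE identifiers rather than taken from a real scan.

```python
"""Normalize Grype and Trivy JSON reports and apply a severity gate.

Added example (not part of the original post). Field names follow the
tools' JSON output as the author understands it; the sample reports are
constructed and use placeholder CVE identifiers.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ranking used for threshold comparisons; unknown severities rank lowest.
SEVERITY_RANK = {"negligible": 0, "unknown": 0, "low": 1,
                 "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]   # None when no fixed version is known
    severity: str          # lower-cased so both tools compare equally


def parse_grype(report: dict) -> List[Finding]:
    """Grype JSON: {"matches": [{"vulnerability": {...}, "artifact": {...}}]}."""
    findings = []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix_versions = vuln.get("fix", {}).get("versions") or []
        findings.append(Finding(
            vuln_id=vuln["id"],
            package=artifact["name"],
            installed=artifact["version"],
            fixed=fix_versions[0] if fix_versions else None,
            severity=vuln.get("severity", "Unknown").lower(),
        ))
    return findings


def parse_trivy(report: dict) -> List[Finding]:
    """Trivy JSON: {"Results": [{"Target": ..., "Vulnerabilities": [...]}]}."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=vuln["VulnerabilityID"],
                package=vuln["PkgName"],
                installed=vuln["InstalledVersion"],
                fixed=vuln.get("FixedVersion") or None,   # "" means no fix
                severity=vuln.get("Severity", "UNKNOWN").lower(),
            ))
    return findings


def parse_report(report: dict) -> List[Finding]:
    """Detect which tool produced the report from its top-level key."""
    if "matches" in report:
        return parse_grype(report)
    if "Results" in report:
        return parse_trivy(report)
    raise ValueError("unrecognized report format")


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'critical': 1, 'high': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def gate(findings: List[Finding], fail_on: str = "high",
         fixable_only: bool = False) -> List[Finding]:
    """Return the findings that should block a build, worst first.

    fail_on:      lowest severity that blocks (as in grype --fail-on).
    fixable_only: when True, findings with no fixed version are reported
                  but do not block, so the team is not blocked on issues
                  it cannot act on yet.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.severity, 0) >= threshold
                and (f.fixed is not None or not fixable_only)]
    return sorted(blocking, key=lambda f: (-SEVERITY_RANK.get(f.severity, 0),
                                           f.package, f.vuln_id))


# Constructed sample reports (placeholder CVE ids, not real advisories).
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "zlib-demo", "version": "2.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["0.9.1"], "state": "fixed"}},
     "artifact": {"name": "tinyutil", "version": "0.9.0", "type": "python"}},
]}
TRIVY_SAMPLE = {"Results": [
    {"Target": "example-image (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib-demo",
         "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "HIGH"}]},
    {"Target": "Python", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tinyutil",
         "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"}]},
]}


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; falls back to the constructed sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GRYPE_SAMPLE
    found = parse_report(data)
    print("per-severity:", summarize(found))
    blockers = gate(found, fail_on="high", fixable_only=True)
    for f in blockers:
        print(f"{f.severity:8} {f.vuln_id} {f.package} {f.installed} -> {f.fixed}")
    sys.exit(1 if blockers else 0)
```

Run it in CI after the scan step and it exits non-zero only for findings at or above the chosen threshold; with `fixable_only=True` an unfixable high-severity finding is still listed in the summary but does not fail the build, which is usually the right default when the alternative is the team learning to ignore a permanently red pipeline.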
Starting from a secure baseline makes a big difference. Minimus images ship with near-zero CVEs and give you the information you need to triage and fix any vulnerabilities in anything you build on top of that. Both Trivy and Grype support Minimus images. With a cleaner foundation, scanners become a tool that accelerates development instead of slowing it down.