4 open source tools compared. Sorted by stars. Scroll down for our analysis.
| Tool | Description | Stars | Velocity | Score |
|---|---|---|---|---|
| trivy | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more | 36.7k | +82/wk | 83 |
| grype | A vulnerability scanner for container images and filesystems | 12.5k | - | 69 |
| syft | CLI tool and library for generating a Software Bill of Materials from container images and filesystems | 9.2k | - | 63 |
| cosign | Code signing and transparency for containers and binaries | 6.1k | - | 67 |
Trivy is the Swiss Army knife of supply chain scanners: it finds vulnerabilities in your container images, code dependencies, and infrastructure-as-code, generates SBOMs, and hunts for leaked secrets, all from one fast binary. Where Grype and Syft split scanning and SBOM generation into two tools, Trivy does the whole job together. It's open source, from Aqua Security, and free. It's a single Go binary that runs anywhere: your laptop, CI, or a Kubernetes operator. Point it at an image, a filesystem, a git repo, or a Terraform directory, and it tells you what's vulnerable and what's misconfigured. That breadth is the appeal, one tool instead of five, which is why Trivy became the default scanner baked into a lot of registries and CI pipelines. Aqua, the company behind it, sells the Aqua Platform: a commercial layer with centralized findings, policy enforcement, runtime protection, and support. For solo and small teams, the CLI does everything you need. For larger orgs that want a managed view and governance across many images and clusters, the platform is the paid step up. The catch: doing everything means it's a mile wide. For any single job, a focused tool can go deeper: a dedicated SBOM generator, a dedicated IaC scanner, a dedicated secret scanner. And like every vulnerability scanner it's noisy, so a first scan of a common base image surfaces a pile of CVEs you'll need to triage. Trivy's value is coverage in one binary, not being the deepest at any one thing.
Grype scans container images and filesystems for known vulnerabilities. Feed it an image or an SBOM from Syft, and it checks everything inside against vulnerability databases and tells you which known vulnerabilities apply and how severe they are. Open source, free, and quick enough to run on every build. It's a single Go binary with no setup beyond the first database pull. Run it in CI to fail a build when a critical CVE shows up, or against a running image to audit what you've deployed. It reads Syft's SBOM output directly, so the two together give you inventory plus vulnerabilities in one pipeline. Grype and Syft are free. Anchore Enterprise is the paid platform on top, with centralized policy, historical tracking, and support for teams that need to prove compliance. For solo and small teams, the CLI in CI covers it. For larger orgs, the enterprise layer is about governance and audit trails, not better scanning. The catch: vulnerability scanners are noisy. A fresh scan of a common base image can surface dozens of CVEs, many unfixable or irrelevant to how you use the software. The work isn't running Grype, it's triaging what it finds without drowning in low-priority noise.
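As an added example of the triage step this paragraph ends on (not Anchore's or Grype's own code): a small CI gate over the JSON that `grype -o json` emits, which fails the build only on findings at or above a severity threshold that actually have a fix, and records why everything else was set aside. The field names (`matches[].vulnerability.{id,severity,fix.state}`, `matches[].artifact.{name,version}`) are assumed from Grype's JSON report format, and the sample report is constructed, not real scan output.

```python
"""CI gate over a grype JSON report: block on fixable findings, log the rest."""
import json

# Severity names as grype reports them, ranked for threshold comparison.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like grype's JSON output; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.2.4"]}},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "basetool", "version": "2.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["0.9"]}},
     "artifact": {"name": "helper", "version": "0.8"}},
]})


def triage(report_json, fail_on="high", only_fixed=True, ignore_ids=()):
    """Split matches into (blocking, suppressed); suppressed carries the reason."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, suppressed = [], []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        entry = {"id": vuln["id"], "severity": vuln.get("severity", "Unknown"),
                 "package": f'{art["name"]}@{art["version"]}',
                 "fix": vuln.get("fix", {}).get("state", "unknown")}
        if entry["id"] in ignore_ids:          # explicit, reviewed allowlist
            suppressed.append((entry, "allowlisted"))
        elif SEVERITY_RANK.get(entry["severity"].lower(), 0) < threshold:
            suppressed.append((entry, "below threshold"))
        elif only_fixed and entry["fix"] != "fixed":   # nothing to upgrade to yet
            suppressed.append((entry, "no fix available"))
        else:
            blocking.append(entry)
    return blocking, suppressed


def gate(report_json, **opts):
    """Print a triage summary and return the CI exit code (1 blocks the build)."""
    blocking, suppressed = triage(report_json, **opts)
    for e in blocking:
        print(f'BLOCK {e["id"]} {e["severity"]} {e["package"]} (fix: {e["fix"]})')
    for e, why in suppressed:
        print(f'skip  {e["id"]} {e["severity"]} {e["package"]}: {why}')
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Suppressed findings are still printed so the "unfixable today" list stays visible in build logs rather than silently disappearing.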
Syft generates a software bill of materials, an SBOM, from your container images and filesystems. That is a full inventory of every package and dependency inside, which is what you need before you can answer "are we affected by this new CVE?". It's open source, free, and fast. It's a single Go binary. Point it at an image, a directory, or an archive and it outputs the SBOM in whatever format you need: SPDX, CycloneDX, or its own native format. It pairs directly with Grype, its sibling scanner, which reads the SBOM and checks it for vulnerabilities. No infrastructure, and it drops straight into CI. Syft and Grype are free and open source. Anchore, the company behind them, sells Anchore Enterprise: a platform with policy enforcement, a findings database, reporting, and support. For solo and small teams, the CLIs are all you need. For larger orgs with compliance requirements and many images, the enterprise platform adds the governance layer. The catch: an SBOM is only as good as what the tooling can identify. Packages installed in unusual ways, vendored code, or custom builds can slip through. It catches the standard dependency graph well, but don't assume it sees literally everything in the image.
Cosign signs and verifies container images and other artifacts, so you can prove that what you're deploying is what your pipeline actually built. It's part of Sigstore, a Linux Foundation project, and it makes signing painless with keyless signing tied to your CI's identity. Free and open source. The killer feature is keyless: instead of managing signing keys, Cosign uses short-lived certificates tied to an OIDC identity, your GitHub Actions workflow for example, and logs signatures to a public transparency log. You run the binary in CI to sign on build and verify on deploy. Setup is minimal once your CI identity is wired in. This is fully free with no paid tier. It's become the default for software supply chain signing, and it's what admission controllers like Kyverno and Gatekeeper check against to enforce that only signed images run. Any team shipping containers should be signing them, and this is how. The catch: signing is the easy half. The value only lands when something verifies the signatures and blocks unsigned artifacts, and that means wiring verification into your deploy path or cluster admission. A signature nobody checks is just metadata.