IHA089
Toolkit
Trivy

Trivy is the versatile open-source scanner that detects CVEs in container images, filesystems, and IaC with a lightweight Go binary and daily-updated vuln DB for rapid deployment checks. Run its CLI on Docker layers or Kubernetes YAML for JSON outputs with fix suggestions, integrating seamlessly into CI/CD without agent overhead. From Aqua Security, it's the quick-quip quester for devs templating container security into pipelines.

Grype

Grype is Anchore's precise vuln matcher that scans SBOMs and images for CVEs with low false positives, prioritizing by exploitability for focused remediation in container workflows. Launch its CLI on OCI images for SARIF reports, chaining with Syft for SBOM gen in automated scans. Open-source and SBOM-savvy, it's the package pointer for analysts pinpointing threats in layered artifacts.

Clair

Clair is the layer-focused scanner that indexes container manifests against CVE feeds, querying for affected components with REST APIs for registry-embedded checks. Deploy its Go service via Docker, push images for analysis, and poll JSON for drift alerts in registries. Open-source from Quay, it's the index inspector for container curators templating vuln baselines.

Dagda

Dagda is the multi-tool analyzer that scans images for CVEs, malware, and secrets with Docker daemon integration for runtime monitoring in dev environments. Run its Python CLI on local images for layered reports, extending with custom rules for hybrid threats. Open-source from awslabs, it's the daemon detective for pentesters blending static and dynamic container hunts.

Vuls

Vuls is the agentless scanner for container host OS vulns, querying CPEs and remote feeds for package mismatches with diff reports for change tracking. Configure via TOML for multi-host scans, outputting GOB for alerts. Open-source from future-architect, it's the OS oracle for container ops templating host-level CVE baselines.

Anchore Engine

Anchore Engine is the policy-driven scanner that analyzes images for CVEs, licenses, and misconfigs with custom YAML rules for tailored compliance in pipelines. Deploy via Docker, process images with CLI for JSON policies, and integrate with Jenkins for gates. Open-source from anchore, it's the policy profiler for container compliance crafters.

Clair v4

Clair v4 upgrades Clair with indexers for OCI manifests, matching CVEs via vulnerability DB with query APIs for embedded registry scans. Run its Go container with config YAML, indexing layers for real-time queries. Open-source from Quay, it's the manifest matcher for modern container scanners templating vuln feeds.

Vulners Container Scanner

Vulners Container Scanner queries its API for image CVEs, pulling Exploit-DB links for package-specific threats in lightweight Docker audits. Integrate via Python wrapper on images for scored outputs. Open-source from vulnersCom, it's the exploit explorer for container curators templating POC-enriched scans.

Snyk Container Test

Snyk Container Test scans images for CVEs with fix versions and exploit intel, integrating CLI for local runs or GitHub Actions for CI gates. Auth with API keys, test layers for prioritized risks in reports. Open-source CLI from snyk, it's the fix finder for devs templating container hardening.

Grype with Syft

Grype with Syft pairs SBOM generation with vuln matching for images, templating scans for layered CVEs with precise component pinning. Run syft for SBOMs, feed to grype CLI for outputs. Open-source from anchore, it's the SBOM sleuth for analysts templating supply chain visibility.
