ScanRook Blog
Educational articles on vulnerability scanning, CVE databases, exploit prediction, and container security.
ScanRook Benchmark Results: Real Scan Data Against Trivy and Grype
Transparent benchmark results comparing ScanRook, Trivy, and Grype on five container images with analysis of finding differences.
LaunchWhy We Built ScanRook
Why we chose a local-first scanner architecture with optional cloud enrichment.
Technical deep-diveWhat Is an SBOM? How ScanRook Uses SBOMs for Faster, More Accurate Triage
A practical guide to SBOMs, why they matter for security programs, and how ScanRook uses them in real workflows.
What Is the OSV API? Ecosystems, Advisories, and How It Works
A practical guide to the Open Source Vulnerabilities database, the advisory format it uses, and how scanners query it for vulnerability data.
Understanding the NVD and CVSS v3.1 Scoring
How the National Vulnerability Database works, what CPE matching means, and how CVSS v3.1 base scores are calculated.
EPSS Scores Explained: Exploit Prediction for Vulnerability Prioritization
What EPSS is, how percentile scores work, and why exploit probability is a better prioritization signal than severity alone.
CISA KEV Guide: Why Actively Exploited CVEs Demand Immediate Action
What the CISA Known Exploited Vulnerabilities catalog is, who it applies to, and how to use it in your remediation workflow.
Installed-State Scanning vs. Advisory Matching: Reducing False Positives
Why reading actual package manager databases produces more accurate findings than matching file paths against advisory lists.
Container Scanning Best Practices for Security Teams
Practical guidance on scanning container images effectively, from base image selection to CI/CD integration and finding prioritization.
What Is YARA and Why Security Teams Use It
A guide to YARA, the pattern-matching engine used by security teams for malware detection, and how ScanRook integrates it for deep container scanning.
Vulnerability Scanning for Compliance: What You Need to Know
Penalties for non-compliance, scanning frequency requirements by framework, and how to build a compliant vulnerability scanning program.
What We Learned from Black Duck (And How We Made License Scanning Better)
How Black Duck pioneered license scanning with snippet matching and proprietary databases, what has changed since 2005, and how modern tools deliver the same results at a fraction of the cost.
The Complete Guide to Open Source License Compliance in 2026
A comprehensive guide to open source license compliance covering legal risks, common mistakes, building a compliance program, tooling comparisons, and SBOM integration.
On-Prem vs SaaS Vulnerability Scanning: Which Is Right for You?
Data sovereignty, air-gapped environments, cost comparison, and when on-prem scanning is required versus when SaaS makes sense.
How Red Hat Backports Security Patches: A Complete Guide to RHEL Vulnerability Management
Understand how Red Hat backports security fixes, why package versions don't tell the full story, and how OVAL/CSAF data enables accurate RHEL vulnerability scanning.