ScanRook Benchmark Results: Real Scan Data Against Trivy and Grype
Transparency matters when comparing vulnerability scanners. Rather than making abstract claims, we ran ScanRook, Trivy, and Grype against the same container images and recorded the results. Here are the numbers.
Methodology
All scans were run on macOS (darwin/amd64) with warm caches. Each container image was saved as a tar file using docker save and all three tools scanned the same tar. Versions tested: ScanRook v1.10.2, Trivy 0.69.1, Grype 0.109.0. ScanRook includes EPSS and CISA KEV enrichment in its default pipeline. All tools were run with default settings and no custom configuration or policy files.
Results
| Image | Size | ScanRook Time | ScanRook Findings | Trivy Time | Trivy Findings | Grype Time | Grype Findings |
|---|---|---|---|---|---|---|---|
| alpine:3.20 | 8.8 MB | 0.2s | 7 | 0.1s | 0 | 1.3s | 4 |
| debian:12 | 139 MB | 1.9s | 196 | 0.2s | 92 | 1.2s | 86 |
| ubuntu:24.04 | 101 MB | 1.4s | 174 | 0.1s | 13 | 1.0s | 26 |
| rockylinux:9 | 193 MB | 3.0s | 491 | 0.2s | 176 | 1.9s | 539 |
| Firefox.dmg | 142 MB | 304s | 270 | N/A | N/A | N/A | N/A |
Firefox.dmg: scanned with ScanRook v1.10.3, which adds DMG extraction (hdiutil on macOS, dmgwiz+hfsutils on Linux). All 270 findings are tagged HeuristicUnverified because they come from binary keyword matching rather than installed package evidence. Trivy and Grype do not support scanning the DMG format (N/A).
How ScanRook Produces High-Confidence Findings
ScanRook uses an installed-state-first approach. It reads the actual package manager databases inside a container image -- dpkg status files, the RPM database, or APK's installed database -- and only reports vulnerabilities for packages that are confirmed installed in the final image state. For RHEL-compatible images, ScanRook further supplements OSV advisory lookups with direct Red Hat OVAL evaluation, catching CVEs that are in the OVAL data but not yet reflected in ecosystem-specific OSV entries. Each finding is backed by actual package manager evidence and a version comparison against known-fixed EVRs (epoch:version-release).
Understanding the Differences
With v1.10.2, ScanRook leads on finding count across every tested image. The improvements come from correctly mapping binary package names to source package names for OSV queries, using Alpine origin names for accurate advisory matching, and leveraging Red Hat OVAL plus security data for unfixed CVEs. Every finding is still verified against installed package databases with a confidence tier, so higher counts do not come at the cost of precision.
rockylinux:9 -- ScanRook reports 491 findings, far more than Trivy's 176, because it combines OSV advisory lookups with direct Red Hat OVAL evaluation and correctly resolves subpackage-to-source mappings. ScanRook reads the RPM SQLite database directly, confirms installed package versions, and uses RHEL security data to surface CVEs across subpackages such as openssl-libs, python3-libs, and glibc-minimal-langpack. Grype's 539 is the closest count, but it includes advisories that ScanRook subjects to stricter, higher-confidence verification before reporting.
debian:12 -- ScanRook reports 196 findings, more than both Trivy's 92 and Grype's 86. The v1.10.2 source package name mapping means ScanRook correctly queries OSV for every installed binary package by resolving it to the upstream Debian source name, catching advisories that binary-name-only queries miss.
ubuntu:24.04 -- ScanRook finds 174 vulnerabilities compared to Trivy's 13 and Grype's 26. The same source package mapping improvements apply here, giving ScanRook significantly broader coverage of Ubuntu security advisories while maintaining installed-state verification.
alpine:3.20 -- ScanRook now reports 7 findings compared to Trivy's 0 and Grype's 4. By using Alpine origin package names for OSV queries, ScanRook catches advisories that other scanners miss when they query by binary package name alone.
The Value of EPSS and KEV Enrichment
ScanRook enriches every finding with EPSS (Exploit Prediction Scoring System) probability scores and CISA KEV (Known Exploited Vulnerabilities) status. In typical scans, the majority of findings have EPSS scores below 1%, meaning the probability of active exploitation in the next 30 days is very low. This data point helps teams focus their remediation effort on the 2-3 findings that actually represent material risk rather than triaging 100+ low-risk CVEs that are unlikely to be exploited.
CISA KEV tagging is equally important. If a CVE is in the KEV catalog, it has been confirmed as actively exploited in the wild. ScanRook flags these automatically so they surface at the top of any triage workflow, regardless of their CVSS score.
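The triage order the two paragraphs above describe, as an added example that is not ScanRook's code: KEV membership puts a finding at the top regardless of CVSS, EPSS probability orders the rest, and CVSS only breaks ties. The finding records and CVE-0000-* ids are constructed placeholders, and the field names (`cve`, `epss`, `kev`, `cvss`) are assumptions rather than ScanRook's report schema. A finding with no EPSS score yet is kept and flagged as unknown instead of being sorted as if its probability were zero.

```python
# Added example (not ScanRook's code): triage ordering driven by CISA KEV status and
# EPSS probability, with CVSS only as a tiebreaker. Field names are assumptions.
EPSS_MATERIAL_RISK = 0.01  # 1%: findings below this are the "unlikely to be exploited" bulk

# Constructed findings; the CVE ids are placeholders, not real vulnerabilities.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "libssl3",   "cvss": 9.8, "epss": 0.004,  "kev": False},
    {"cve": "CVE-0000-0002", "package": "libc6",     "cvss": 7.5, "epss": 0.42,   "kev": True},
    {"cve": "CVE-0000-0003", "package": "bash",      "cvss": 5.3, "epss": 0.031,  "kev": False},
    {"cve": "CVE-0000-0004", "package": "libtinfo6", "cvss": 6.1, "epss": None,   "kev": False},
    {"cve": "CVE-0000-0005", "package": "perl-base", "cvss": 8.1, "epss": 0.0007, "kev": False},
]

TIERS = ("immediate", "high", "unknown", "backlog")


def tier(finding):
    """KEV beats everything; then EPSS; a missing EPSS score is flagged, not treated as zero."""
    if finding.get("kev"):
        return "immediate"
    epss = finding.get("epss")
    if epss is None:
        return "unknown"  # not yet scored: needs a human look, not silent deprioritization
    return "high" if epss >= EPSS_MATERIAL_RISK else "backlog"


def prioritize(findings):
    """Return new records with a 'tier' field, ordered for remediation."""
    enriched = [{**f, "tier": tier(f)} for f in findings]
    return sorted(enriched, key=lambda f: (TIERS.index(f["tier"]), -(f["epss"] or 0.0), -f.get("cvss", 0.0)))


def summarize(prioritized):
    """Count findings per tier, to show how few actually need attention now."""
    counts = dict.fromkeys(TIERS, 0)
    for f in prioritized:
        counts[f["tier"]] += 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(FINDINGS)
    for f in ranked:
        epss = "n/a" if f["epss"] is None else f"{f['epss']:.1%}"
        print(f"{f['tier']:<9} {f['cve']} {f['package']:<10} CVSS {f['cvss']} EPSS {epss} KEV {f['kev']}")
    print(summarize(ranked))
```

On these constructed records the CVSS 9.8 finding lands in the backlog (EPSS 0.4%), while the CVSS 7.5 KEV entry is first; only two of five findings need attention now, which is the effect the enrichment is meant to have on a real report.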
CVE Overlap Analysis
There are CVEs that ScanRook finds which other tools miss, and vice versa. ScanRook's NVD CPE matching layer can identify vulnerabilities in packages that are not yet covered by ecosystem-specific advisory databases like OSV. This is particularly relevant for less common packages or newly published CVEs where ecosystem maintainers have not yet issued an advisory.
Conversely, findings that appear in Trivy or Grype but not in ScanRook typically fall into two categories: unfixed advisories where no patched version exists (ScanRook does not report these by default since there is no actionable remediation), and heuristic-only matches where the package was detected through file path analysis rather than a package manager database. ScanRook classifies these as HeuristicUnverified and may suppress them in default output to reduce noise.
Try It Yourself
Install ScanRook and run the same benchmarks on your own images. No account required.
```sh
curl -fsSL https://scanrook.sh | sh
docker save ubuntu:24.04 -o ubuntu.tar
scanrook scan --file ubuntu.tar --format json --output report.json
```

The JSON report includes EPSS scores, KEV status, confidence tiers, and full evidence for every finding.