Vulnerability Scanner Benchmark 2026: ScanRook vs Trivy vs Grype vs Snyk

Why Benchmarks Matter

The vulnerability scanning market is crowded. Teams evaluating tools face a fundamental problem: every vendor claims to be the most accurate, the fastest, or the most comprehensive. Without standardized benchmarks, these claims are impossible to verify.

Finding count is the most visible metric but also the most misleading. A scanner might report 10 findings because it only checks one data source. Another might report 3,000 because it queries multiple databases, resolves package name aliases, and cross-references with vendor-specific security data. The second scanner is not noisier; it is more thorough.

What matters is whether each reported finding corresponds to a real vulnerability in a package that is actually installed in the scanned artifact. This is why we emphasize installed-state verification: reading the actual package manager database inside the container image rather than guessing based on file paths or layer metadata.

Speed also matters, but context determines how much. In a CI/CD pipeline running on every commit, a 10-second scan versus a 0.1-second scan is meaningful. In a nightly security audit of production images, even a 60-second scan is perfectly acceptable if it catches vulnerabilities that faster tools miss.

Test Methodology

We designed this benchmark to be reproducible by anyone with access to Docker and the tested tools. Here is the exact methodology:

• Machine: macOS (darwin/amd64), Apple M2 Pro, 32 GB RAM, NVMe SSD. All tools ran natively (no containers wrapping containers).
• Image preparation: Each image was pulled with docker pull and saved as a tar file with docker save image:tag -o image.tar. All tools scanned the identical tar file.
• Warm caches: Each tool was run once before timing to populate local caches and download vulnerability databases. Timed results represent warm-cache performance.
• Default settings: No custom policies, no severity filters, no ignored CVEs. Every tool ran with its default configuration.
• Versions tested: ScanRook v1.14.2, Trivy 0.69.1, Grype 0.109.0. Snyk CLI 1.1292.0 (where applicable).
• Timing: Wall clock time measured with the time command, averaged over 3 runs.

Results

The following table shows finding counts and scan times for each tool across five popular container base images. Finding count represents unique CVE identifiers reported by each tool.

All scans warm-cache. ScanRook v1.14.2, Trivy 0.69.1, Grype 0.109.0. Finding count = unique CVE IDs.

Why ScanRook Finds More Vulnerabilities

The finding count difference is not random. It stems from architectural decisions in how each scanner discovers and verifies vulnerabilities.

Multi-Source Enrichment

Most scanners query a single vulnerability database. Trivy uses its own aggregated database (updated from various feeds). Grype uses its own database compiled from similar sources. Both are good databases, but they represent a single point-in-time snapshot that may miss advisories from sources they do not yet integrate.

ScanRook queries multiple sources in parallel for every package it identifies:

• OSV (Open Source Vulnerabilities): The broadest ecosystem-specific advisory database, covering Debian, Ubuntu, Alpine, PyPI, npm, Go, and dozens more.
• NVD (National Vulnerability Database): CPE-based matching that catches vulnerabilities not yet in ecosystem-specific feeds, particularly for less common packages.
• Red Hat OVAL:Direct evaluation of Red Hat's OVAL definitions for RHEL-compatible images (Rocky Linux, Alma Linux, CentOS Stream). This catches CVEs that are in Red Hat's security data but not yet reflected in OSV.
• EPSS and CISA KEV: Every finding is enriched with exploit probability scores and known-exploitation status for immediate prioritization.

Installed-State Verification

ScanRook reads the actual package manager databases inside container images: dpkg status files, RPM SQLite databases, APK installed files. This means it knows exactly which packages are installed, their precise versions, and their source package mappings. Other scanners sometimes rely on layer analysis or file path heuristics that can miss packages or misidentify versions.

Source Package Resolution

In Debian and Ubuntu, a single source package (like openssl) produces multiple binary packages (libssl3, openssl, libssl-dev). Security advisories are published against source package names. ScanRook correctly resolves every binary package to its source package name before querying advisory databases, catching vulnerabilities that binary-name-only queries miss.

Speed Analysis

Trivy is the fastest scanner in these benchmarks, typically completing in 0.1-0.3 seconds. This is because Trivy downloads its vulnerability database ahead of time (via trivy image --download-db-only) and performs all matching locally against that snapshot. No network calls happen during the scan itself.

Grype follows a similar approach with its own pre-downloaded database, typically finishing in 1-2.5 seconds. The additional time compared to Trivy comes from differences in database format and matching algorithms.

ScanRook in its default mode queries live APIs (OSV, NVD) for maximum freshness, which adds network latency. Scan times of 3-9 seconds reflect this network overhead. However, ScanRook offers a local vulnerability database mode (vulndb) that pre-downloads and indexes vulnerability data into PostgreSQL, eliminating network calls during scanning and bringing performance closer to Trivy's level while retaining multi-source coverage.

For CI/CD pipelines where every second counts, the vulndb mode is recommended. For security audits where you want the freshest possible data, the default live-query mode ensures you are scanning against advisory databases updated minutes ago rather than hours ago.

Accuracy vs Speed: The Real Tradeoff

Every vulnerability scanner makes a tradeoff between speed and thoroughness. A scanner that checks one database can be very fast. A scanner that cross-references five databases, resolves package name aliases, and verifies against installed state will be slower but more comprehensive.

The question is not “which scanner is fastest” but “what are you missing by being fast?” On ubuntu:24.04, Trivy reports 10 findings. ScanRook reports 1,365. Those additional 1,355 findings represent real CVEs in packages that are actually installed in the image. If your scanner misses them, your production workload has over a thousand untracked vulnerabilities.

For many teams, the right approach is a layered strategy: use a fast scanner in CI/CD to catch regressions quickly, then run a thorough scanner like ScanRook on a schedule (nightly or weekly) to ensure comprehensive coverage. ScanRook's scheduled scanning feature supports exactly this workflow.

How to Run These Benchmarks Yourself

We encourage you to reproduce these results. Transparency is a core value of ScanRook. Here is the exact process:

ScanRook's benchmark subcommand automates this process, running multiple iterations and producing a summary comparison table. You can also use the interactive benchmarks page on our documentation site to compare results visually.

What About Snyk?

Snyk Container is a commercial scanner that requires an account and API key. In our testing, Snyk produces results comparable to Trivy and Grype in terms of finding count, as it relies on a similar curated database approach. Snyk's differentiator is its developer experience (IDE integrations, PR checks) rather than raw scanning depth.

We did not include Snyk in the main results table because its license restricts benchmark publication. However, teams evaluating Snyk should expect finding counts in the same range as Trivy and Grype for the images tested here.

Conclusion

No single scanner is perfect for every use case. Trivy excels at speed. Grype offers a solid open-source alternative with good ecosystem coverage. Snyk provides excellent developer tooling.

ScanRook excels at finding depth. By querying multiple vulnerability databases, performing installed-state verification, and resolving package name aliases correctly, it surfaces vulnerabilities that other tools miss entirely. For teams where comprehensive security coverage matters more than raw scan speed, ScanRook provides the most thorough analysis available.

Try running the benchmarks yourself. The numbers speak for themselves.

Start a free scan or view the full interactive benchmark dashboard.