ScanRook vs Trivy
Trivy is a widely used open-source vulnerability scanner by Aqua Security that covers container images, filesystems, git repositories, and Kubernetes clusters.
This comparison is intended to be fair and factual. The two tools serve different use cases and each has genuine strengths.
Feature comparison
| Feature | ScanRook | Trivy |
|---|---|---|
| Vulnerability data sources | OSV, NVD, Red Hat OVAL, EPSS, CISA KEV | NVD, GitHub Advisory, Red Hat, Ubuntu, Debian, Alpine, etc. |
| Container image scanning | Tar-based extraction with layer ordering | Image refs, tar files, OCI registries |
| Binary scanning (ELF/PE/Mach-O) | Full support via goblin with linked library extraction | Limited binary analysis |
| ISO image scanning | Native ISO extraction and package detection | Not supported |
| SBOM import (CycloneDX, SPDX, Syft) | CycloneDX, SPDX, Syft JSON with enrichment | CycloneDX, SPDX generation and scanning |
| SBOM diff | Component-level diff between SBOM snapshots | Not built-in |
| Confidence tiers | ConfirmedInstalled vs HeuristicUnverified | No confidence classification |
| Installed-state-first scanning | Reads actual package manager databases (RPM, APK, dpkg) | Uses package manager databases but no confidence tiering |
| Kubernetes scanning | Not supported (focused on artifact scanning) | Cluster scanning, RBAC analysis, secret detection |
| IaC misconfiguration | Not supported | Terraform, CloudFormation, Kubernetes manifests |
| Self-hosted deployment | CLI runs locally, Platform self-hostable (Enterprise) | Fully open-source, self-hosted by default |
| EPSS exploit prediction | Built-in for all findings | Not included by default |
| CISA KEV tagging | Automatic tagging of actively exploited CVEs | Not included by default |
Benchmark results
Warm-cache runs on macOS (darwin/amd64). ScanRook 1.6.1, Trivy 0.69.1. ScanRook includes EPSS and CISA KEV enrichment. Findings count reflects each tool's default detection approach.
| Image | Size | ScanRook | Trivy |
|---|---|---|---|
| alpine:3.20 | 7.7 MB | 0.4s / 301 findings | 0.1s / 16 findings |
| debian:12 | 116 MB | 5.4s / 1110 findings | 0.1s / 123 findings |
| ubuntu:24.04 | 77 MB | 3.4s / 1365 findings | 0.1s / 10 findings |
| rockylinux:9 | 173 MB | 5.0s / 779 findings | 0.2s / 187 findings |
Why ScanRook reports more findings
ScanRook now reports more findings than both Trivy and Grype on every tested image except Rocky Linux (where it is close to Grype). This is because ScanRook 1.6.1 maps binary package names to their source package names for OSV queries, uses Alpine origin package names, and draws on Red Hat OVAL and security data to report CVEs that do not yet have a fix. Every finding is verified against the installed package databases and assigned a confidence tier.
Where ScanRook stands out
Key areas where ScanRook takes a different approach.
Installed-state-first scanning with confidence tiers
ScanRook reads the actual package manager databases inside containers and classifies findings as ConfirmedInstalled or HeuristicUnverified. This reduces noise from packages that appear in layers but are not actually installed in the final image state.
EPSS and CISA KEV enrichment by default
Every ScanRook finding includes EPSS exploit probability scores and CISA Known Exploited Vulnerabilities status. This helps teams prioritize based on real-world exploit likelihood rather than CVSS alone.
SBOM diff for supply chain monitoring
ScanRook includes built-in SBOM diff capabilities for tracking component changes between releases. This is useful for detecting supply chain drift without external tooling.
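The component-level diff described above, as an added illustration rather than ScanRook's own code: two constructed CycloneDX 1.5 snapshots are compared by version-independent purl, yielding added, removed, and version-changed components (a new package from a different ecosystem appearing between releases is the kind of drift such a diff surfaces).

```python
import json

# Two constructed CycloneDX 1.5 snapshots standing in for consecutive releases
# of the same image (not real ScanRook output).
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13-1",
     "purl": "pkg:deb/debian/openssl@3.0.13-1?arch=amd64"},
    {"type": "library", "name": "zlib1g", "version": "1.2.13.dfsg-1",
     "purl": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64"},
    {"type": "library", "name": "curl", "version": "7.88.1-10",
     "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64"},
]})
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.14-1",
     "purl": "pkg:deb/debian/openssl@3.0.14-1?arch=amd64"},
    {"type": "library", "name": "zlib1g", "version": "1.2.13.dfsg-1",
     "purl": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},   # new ecosystem appearing: drift
]})

def component_key(comp):
    """Version-independent identity: the purl minus '@version', qualifiers and
    subpath; falls back to type/group/name when the component has no purl."""
    purl, version = comp.get("purl"), comp.get("version")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]
        if version and base.endswith("@" + version):
            base = base[: -(len(version) + 1)]
        return base
    return f"{comp.get('type', '')}/{comp.get('group', '')}/{comp.get('name', '')}"

def diff_sboms(old_json, new_json):
    """Return (added, removed, changed); changed maps key -> (old_ver, new_ver)."""
    old = {component_key(c): c for c in json.loads(old_json).get("components", [])}
    new = {component_key(c): c for c in json.loads(new_json).get("components", [])}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {k: (old[k].get("version"), new[k].get("version"))
               for k in sorted(set(old) & set(new))
               if old[k].get("version") != new[k].get("version")}
    return added, removed, changed

if __name__ == "__main__":
    added, removed, changed = diff_sboms(OLD_SBOM, NEW_SBOM)
    print("added:", added, "\nremoved:", removed, "\nchanged:", changed)
```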
Where Trivy excels
Areas where Trivy has strengths that ScanRook does not currently match.
- Broader scan scope including Kubernetes clusters, IaC, and secret detection.
- Larger community and ecosystem with extensive plugin support.
- Built-in SBOM generation (ScanRook focuses on import and enrichment).
- Mature CI/CD integrations with most major platforms.
Summary
Trivy is an excellent general-purpose scanner with broad coverage. ScanRook focuses on artifact-level scanning with deeper confidence classification and exploit prediction enrichment. Choose Trivy if you need Kubernetes cluster scanning and IaC analysis. Choose ScanRook if you want installed-state-first findings with confidence tiers and built-in EPSS/KEV prioritization.