Benchmarks

Finding counts and scan speed compared with Trivy and Grype. ScanRook combines six vulnerability data sources so that advisories missing from any single feed are still surfaced.

Scanner Metrics

Key numbers for the current release.

  • 20+ ecosystems supported: npm, PyPI, Maven, Go, Cargo, NuGet, RubyGems, Pub, CocoaPods, Hex, and more.
  • 6 data sources: OSV, NVD, Red Hat CSAF, Ubuntu CVE Tracker, Debian Security Tracker, and EPSS + CISA KEV.
  • 15+ archive formats: container tar, ISO, ZIP, APK, AAB, JAR, WAR, EAR, wheel, NuGet, IPA, DMG, and SBOM.
  • 5 enrichment signals per CVE: severity, CVSS vector, EPSS probability, KEV status, and fix availability.
  • 2 confidence tiers: ConfirmedInstalled (the package is recorded in the image's package database) and HeuristicUnverified (the package was inferred from a filename or from strings in a binary).
  • 8-thread NVD concurrency: parallel NVD enrichment when an API key is configured, throttled to one request per 400 ms per thread. NVD's documented limit with a key is 50 requests per rolling 30-second window, so sustained throughput is bounded by that limit rather than by the thread count.

Container Scan Comparison

ScanRook v1.14.2 vs Trivy 0.69.1 vs Grype 0.109.0 — warm cache, macOS.

| Image | Size | ScanRook time | ScanRook findings | Trivy time | Trivy findings | Grype time | Grype findings |
|---|---|---|---|---|---|---|---|
| alpine:3.20 | 7.7 MB | 0.4s | 301 | 0.1s | 16 | 1.0s | 20 |
| debian:12 | 116 MB | 5.4s | 1110 | 0.1s | 123 | 1.1s | 117 |
| ubuntu:24.04 | 77 MB | 3.4s | 1365 | 0.1s | 10 | 1.0s | 47 |
| rockylinux:9 | 173 MB | 5.0s | 779 | 0.2s | 187 | 2.3s | 640 |
| nginx:1.27 | 188 MB | 8.5s | 2952 | 0.2s | 314 | 1.6s | 315 |
| postgres:17 | 439 MB | 8.5s | 2983 | 0.3s | 224 | 2.5s | 222 |
| redis:7-alpine | 40 MB | 0.7s | 299 | 0.1s | 105 | 1.3s | 114 |
| golang:1.23 | 822 MB | 24.9s | 18152 | 0.9s | 3038 | 4.8s | 1466 |
| node:22 | 1.1 GB | 48.0s | 30726 | 1.1s | 2384 | 7.5s | 1533 |
| python:3.12 | 1.1 GB | 51.1s | 31590 | 0.7s | 1673 | 5.9s | 1269 |

All runs on macOS with warm caches. Images were exported to local tar files with docker save. Finding counts are unique CVE IDs after deduplication, so a CVE that affects several packages in one image counts once.

Native Archive Scanning (ScanRook Only)

ScanRook v1.14.2 — formats not supported by Trivy or Grype.

File: Firefox.dmg
Size: 142 MB
Format: DMG (HFS+)
Components / Findings / Scan Time: 9270304s (these three values are run together in the source and cannot be separated reliably)

The DMG scan extracts the image with hdiutil on macOS or with dmgwiz plus hfsutils on Linux. All findings are HeuristicUnverified, produced by keyword matching against binaries in the Firefox app bundle, so they carry the lower confidence tier and need verification before triage. Trivy and Grype do not scan DMG images. The scan time includes full binary analysis of every extracted Mach-O executable and dylib.

Findings Comparison

On every image tested, ScanRook reports more unique CVE IDs than either Trivy or Grype. A higher count measures how many advisories the combined sources surface, not how many of them are true positives: the benchmark has no ground-truth labelling, so read the tables as coverage rather than precision, and see the section on why the counts differ before drawing conclusions.

[Bar chart of unique-CVE counts per image for ScanRook, Trivy and Grype; the values are those in the Container Scan Comparison table above.]

Scan Speed (warm cache)

Warm-cache scan times on macOS. Lower is better.

[Bar chart of warm-cache scan times per image for ScanRook, Trivy and Grype; the values are those in the Container Scan Comparison table above.]

Why is Alpine so fast? alpine:3.20 ships only 14 packages, so with warm caches the whole scan is file I/O plus cache lookups and finishes in under 0.5 s. Larger images such as ubuntu:24.04 (92 packages) and debian:12 (88 packages) take longer because they need more OSV queries and an extra distro-tracker enrichment pass.

v1.14.2 improvement: ScanRook now resolves every package against the local vulnerability database (downloaded with scanrook db fetch) in a single pass before making any API call, removing the batching overhead that previously applied even to locally cached data.

Trivy is faster in absolute terms because it matches against a pre-downloaded local vulnerability database (about 400 MB) and needs no per-package API round trips. ScanRook queries live APIs on a cold scan and caches the responses for later runs; with scanrook db fetch it can also match against a pre-downloaded SQLite database for offline scanning.

Why ScanRook Finds More

Correct ecosystem mapping plus multi-source enrichment gives broader coverage than any single feed.

ScanRook combines multiple advisory sources and verifies against the installed package database to produce high-confidence findings:

  • Installed-state verification: ScanRook reads the package databases (dpkg, RPM, APK) directly rather than inferring packages from file paths. Packages confirmed there are reported with ConfirmedInstalled confidence; anything inferred only from a filename or from binary strings is reported as HeuristicUnverified.
  • Triple-source RHEL coverage: for Rocky Linux, AlmaLinux and other RHEL-based images, ScanRook combines OSV batch queries, RHEL OVAL patch evaluation and the Red Hat Security Data API for unfixed CVEs (will-not-fix, fix-deferred, affected). On rockylinux:9 this yields about 4x the Trivy count (779 vs 187) and 1.2x the Grype count (640).
  • Fixed advisory filtering: vulnerabilities already patched in the installed version are excluded. Doing this correctly requires comparing versions with the distribution's own algorithm (epoch, revision and tilde handling for dpkg and RPM); a scanner that matches on package name alone reports advisories regardless of the installed version.
  • Unfixed CVE visibility: ScanRook surfaces CVEs that Red Hat has marked "Will not fix", "Fix deferred" or "Affected", with strict RHEL-version-specific validation so that advisories for other major versions are not reported against the scanned one.
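The list above describes these filters in prose. The following Python script is an added example (not ScanRook's code, and not part of the original page) that implements the two that account for most count differences between scanners: installed-state verification against a dpkg status database, with the ConfirmedInstalled and HeuristicUnverified tiers from the Scanner Metrics section, and fixed-advisory filtering using a dpkg-correct version comparison against OSV-style affected ranges. The dpkg stanzas, the heuristic inventory, the package names and versions, and the CVE-2099-* identifiers are constructed placeholders; the function names are my own.

```python
"""Installed-state verification, OSV range evaluation and fixed-advisory filtering.
Added example; not ScanRook's code and not part of the original page. Advisories use the
OSV schema's affected/ranges/events shape; the dpkg status fragment, the heuristic inventory
and every CVE-2099-* ID and version string below are constructed placeholders."""
import re

def _order(c):
    """dpkg weight: end-of-string and digits 0, '~' -1, letters ord(c), other symbols ord(c)+256."""
    return 0 if not c or c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's component comparison: non-digit runs by character weight, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # '' once past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):  # numeric compare: leading zeros ignored, longer run wins
            return int(da or 0) - int(db or 0)
        i, j = i + len(da), j + len(db)
    return 0

def dpkg_compare(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions on epoch:upstream-revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, dash, revision = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), (revision if dash else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed dpkg status fragment: libgone0 is removed but not purged and must not count as installed.
DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1:2.4.1-3+deb12u2

Package: libgone0
Status: deinstall ok config-files
Version: 0.9-1
"""
# Constructed heuristic inventory (filename/binary-string guesses): dpkg wins for libexample1,
# openssl has no dpkg entry at all (e.g. a statically linked binary).
HEURISTIC_INVENTORY = {"libexample1": "2.4.1", "openssl": "3.0.11"}

def _osv(cve, pkg, *events):
    return {"id": cve, "affected": [{"package": {"name": pkg},
            "ranges": [{"type": "ECOSYSTEM", "events": list(events)}]}]}

ADVISORIES = [  # placeholder IDs; the trailing comments state the expected outcome
    _osv("CVE-2099-0001", "libexample1", {"introduced": "0"}, {"fixed": "1:2.4.1-3+deb12u2"}),  # fix installed
    _osv("CVE-2099-0002", "libexample1", {"introduced": "0"}, {"fixed": "1:2.4.1-3+deb12u3"}),  # fix not installed
    _osv("CVE-2099-0003", "libgone0", {"introduced": "0"}, {"fixed": "1.0-1"}),  # package not installed
    _osv("CVE-2099-0004", "openssl", {"introduced": "3.0.0"}),  # heuristic tier, no fix available
]

def parse_dpkg_status(text):
    """{package: version} for stanzas whose Status ends in ' installed' ('not-installed' does not)."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if fields.get("Status", "").strip().endswith(" installed"):
            installed[fields["Package"].strip()] = fields["Version"].strip()
    return installed

def build_inventory(status_text, heuristic):
    """{package: (version, tier)}; a dpkg record overrides a heuristic guess for the same package."""
    inv = {n: (v, "HeuristicUnverified") for n, v in heuristic.items()}
    inv.update((n, (v, "ConfirmedInstalled")) for n, v in parse_dpkg_status(status_text).items())
    return inv

def is_affected(version, events, cmp=dpkg_compare):
    """OSV range semantics: version lies in some [introduced, fixed) or open-ended interval."""
    intervals = []  # events are consumed in the version order OSV requires
    for ev in events:
        if "introduced" in ev:
            intervals.append([ev["introduced"], None])
        elif intervals and "fixed" in ev:
            intervals[-1][1] = ev["fixed"]
    return any((i == "0" or cmp(version, i) >= 0) and (f is None or cmp(version, f) < 0)
               for i, f in intervals)

def match(inventory, advisories):
    """(cve, package, installed, fixed, tier) for installed packages whose version is affected."""
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            name = aff["package"]["name"]
            if name not in inventory:
                continue  # not installed (or only config-files left): advisory does not apply
            version, tier = inventory[name]
            for rng in aff["ranges"]:
                if is_affected(version, rng["events"]):
                    fixed = next((e["fixed"] for e in rng["events"] if "fixed" in e), None)
                    findings.append((adv["id"], name, version, fixed, tier))
    return findings

FINDINGS = match(build_inventory(DPKG_STATUS, HEURISTIC_INVENTORY), ADVISORIES)
print(*FINDINGS, sep="\n")
```

Only CVE-2099-0002 (fix newer than the installed revision) and CVE-2099-0004 (no fix, heuristic tier) survive; the advisory whose fix version equals the installed one and the advisory for the config-files-only package are dropped. The tilde, epoch and +deb12u10 cases in dpkg_compare are exactly where a naive string or tuple comparison miscounts in both directions, reporting fixed packages or missing vulnerable ones.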

For example, ubuntu:24.04 shows 1,365 ScanRook findings vs 10 for Trivy and 47 for Grype, roughly 136x the Trivy count, from combining OSV batch queries, NVD CPE enrichment, the Ubuntu CVE Tracker and EPSS scoring. On debian:12 ScanRook reports 1,110 vulnerabilities vs 123 for Trivy and 117 for Grype, about 9x, through multi-source enrichment and Debian Security Tracker integration. Two checks are worth making before reading such gaps as missed vulnerabilities: NVD CPE matching keys on upstream version strings and does not see distribution backports, so CPE-derived findings should be compared with the distro tracker's status for the installed version; and distro trackers list every CVE they are tracking, including entries still awaiting triage or marked not-affected, so confirm which tracker statuses a finding was counted under before comparing totals.

Enrichment Depth

What ScanRook adds that others don't.

The comparison matrix covers the following features, with a column each for ScanRook, Trivy and Grype (the DMG row is ScanRook-only, as noted in the Native Archive Scanning section above):

  • OSV advisory lookup
  • NVD CVSS enrichment
  • EPSS exploit probability
  • CISA KEV flagging
  • Confidence tiers
  • Red Hat CSAF/OVAL
  • Fixed-version tracking
  • Installed-state verification
  • Application package detection
  • SBOM import (CycloneDX/SPDX)
  • ZIP archive scanning
  • DMG disk image scanning

Methodology

How these benchmarks were produced.

  • All tools run on the same machine with warm caches (second run after initial cache population).
  • Container images saved via docker save to local tar files.
  • ScanRook uses default settings (light mode, all enrichment sources active).
  • Trivy uses trivy image --input with default settings.
  • Grype uses grype [file] -o json with default settings.
  • Finding counts are unique CVE IDs after deduplication.
  • Raw benchmark data (JSON reports + CSV) is available in the scanner repository.

To reproduce these benchmarks yourself:

scanrook benchmark --file ./image.tar --profile warm
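To verify the finding counts independently from the raw JSON reports referenced above, the unique-CVE normalisation has to be applied the same way to each tool's output. The following Python script is an added example (not ScanRook's code, and not from the original page): it reads Trivy (SchemaVersion 2) and Grype JSON, collapses rows to unique CVE IDs, maps Grype's GHSA-keyed matches to their related CVE where one is listed, and reports the overlap and differences rather than only the totals. The embedded reports are constructed fragments with placeholder package names and CVE-2099-* / GHSA-xxxx-xxxx-xxxx identifiers; the function names are my own.

```python
"""Unique-CVE counting and overlap analysis across Trivy and Grype JSON reports.

Added example; not ScanRook's code and not part of the original page. The two report
fragments are constructed in the shape of Trivy's SchemaVersion 2 and Grype's JSON
output; package names and the CVE-2099-* / GHSA-xxxx-xxxx-xxxx identifiers are
placeholders, not real advisories.
"""
import json
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed Trivy report: one CVE is listed for two packages (one unique ID), and the
# second Result has no Vulnerabilities key, which real reports also do.
TRIVY_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "image.tar",
 "Results": [
  {"Target": "image.tar (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1", "Status": "fixed"},
    {"VulnerabilityID": "CVE-2099-0001", "PkgName": "openssl", "InstalledVersion": "3.0.11-1", "Status": "fixed"},
    {"VulnerabilityID": "CVE-2099-0002", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.13-1", "Status": "affected"}
   ]},
  {"Target": "usr/lib/python3/dist-packages", "Class": "lang-pkgs", "Type": "python-pkg"}
 ]}
""")

# Constructed Grype report: one distro match keyed by CVE, one language match keyed by a
# GHSA ID whose CVE appears only under relatedVulnerabilities.
GRYPE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-2099-0001", "namespace": "debian:distro:debian:12", "severity": "High",
                     "fix": {"versions": ["3.0.12-1"], "state": "fixed"}},
   "relatedVulnerabilities": [],
   "artifact": {"name": "libssl3", "version": "3.0.11-1", "type": "deb"}},
  {"vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "namespace": "github:language:python", "severity": "Medium",
                     "fix": {"versions": ["2.32.0"], "state": "fixed"}},
   "relatedVulnerabilities": [{"id": "CVE-2099-0003", "namespace": "nvd:cpe", "severity": "Medium"}],
   "artifact": {"name": "requests", "version": "2.31.0", "type": "python"}}
 ]}
""")


def trivy_rows(report: dict) -> int:
    """Raw vulnerability rows before deduplication (what a naive count would report)."""
    return sum(len(r.get("Vulnerabilities") or []) for r in report.get("Results", []))


def trivy_cves(report: dict) -> set:
    """Unique vulnerability IDs from a Trivy report."""
    return {v["VulnerabilityID"]
            for r in report.get("Results", [])
            for v in (r.get("Vulnerabilities") or [])}


def grype_cves(report: dict) -> set:
    """Unique IDs from a Grype report; a GHSA match is counted under its related CVE when one exists."""
    ids = set()
    for m in report.get("matches", []):
        vid = m["vulnerability"]["id"]
        if not CVE_RE.match(vid):
            related = [r["id"] for r in m.get("relatedVulnerabilities", []) if CVE_RE.match(r["id"])]
            vid = related[0] if related else vid
        ids.add(vid)
    return ids


def compare(trivy: set, grype: set) -> dict:
    """Totals plus set differences; the differences, not the totals, show where the tools disagree."""
    return {
        "trivy": len(trivy),
        "grype": len(grype),
        "both": sorted(trivy & grype),
        "trivy_only": sorted(trivy - grype),
        "grype_only": sorted(grype - trivy),
        "non_cve_ids": sorted(i for i in trivy | grype if not CVE_RE.match(i)),
    }


if __name__ == "__main__":
    t, g = trivy_cves(TRIVY_REPORT), grype_cves(GRYPE_REPORT)
    print("trivy rows:", trivy_rows(TRIVY_REPORT), "unique:", len(t))
    print(json.dumps(compare(t, g), indent=2))
```

Replace the embedded fragments with json.load() of real reports from trivy image --input image.tar --format json and grype image.tar -o json. The trivy_only and grype_only sets are where the comparison becomes informative: two tools with identical totals can still disagree on every ID, and IDs left in non_cve_ids are advisories that never received a CVE and should not be compared against a CVE-only count.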

Transparency

No fudged numbers. Here's exactly how we test.

  • Same environment — All three scanners (ScanRook, Trivy, Grype) run on the same machine, same OS, same images saved to the same directory. No scanner-specific hardware or network advantages.
  • No image-specific hardcoding — ScanRook does not contain any image-specific logic or benchmark-specific cache warming. The same scanning pipeline runs for all images.
  • Standard caching only — ScanRook uses its standard SHA256-keyed file cache at ~/.scanrook/cache/. No benchmark-specific pre-loading or cache seeding.
  • Database differences — Trivy downloads a pre-compiled BoltDB vulnerability database (~400MB) rebuilt every 6 hours. Grype uses a pre-compiled SQLite database (~65MB) rebuilt daily. ScanRook can download a pre-compiled SQLite database via scanrook db fetch for offline scanning, or query live APIs (OSV, NVD, Red Hat) on cold scans and cache responses locally for warm scans.
  • Cold vs warm scans — Published "warm cache" times represent the second scan of the same image, where API responses are served from local cache. Cold-scan times are significantly longer for ScanRook because every vulnerability query hits a live API. We are transparent about this tradeoff.
  • Open source benchmark code — The run_benchmark() function in src/main.rs is open source and can be audited. Raw JSON outputs from all three tools are available for independent verification.
