You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Comparison: Docker Container Scanner vs Other Scanners
Unbiased comparison of this project against free and paid container image scanners. Sources: public docs, GitHub, and comparison articles (2024–2025). Use this to see where we stand and what to enhance.
Yes (parallel baseline tool, go run ./cmd/baseline)
No (manual diff)
No
Custom base image (Enterprise)
Yes (image comparison)
Yes
SBOM
Yes (CycloneDX via --sbom)
Yes
Yes (Syft)
Yes
Yes
Yes
Web UI
Yes ✓ (go run ./cmd/server → browser scan with live SSE results)
No (CLI only)
No
Yes (dashboard)
Yes (Docker Hub)
Yes
Base image recommendation
In remediation text
No dedicated
No
Yes (incl. custom)
Yes (recommendations)
Yes
Risk scoring beyond severity
Yes (CISA KEV + OSV.dev + runc advisories)
CVSS
EPSS + KEV + composite
Yes
Health score (A–F)
Yes (reachability, etc.)
Multi-scanner (IaC, secrets, licenses)
No
Yes
Vuln only
Container + deps
Vuln + policy
Yes
Where we stand (unbiased)
Strengths
Remediation-first design — We add explicit remediation text ("Upgrade X from Y to Z") and CVE links to every finding in SARIF/Markdown/HTML. Trivy and Grype expose fixed version in JSON but don't bundle a "remediation report" in the same way; we do.
Multi-format report from one run — SARIF (for Azure/GitHub Security tab) plus Markdown and HTML in one CLI invocation. Many setups use Trivy for SARIF and something else for human-readable; we unify that.
CI-agnostic — Same CLI and Docker image works in GitHub Actions, GitLab CI, Azure DevOps, Jenkins, CircleCI, AWS CodeBuild, Google Cloud Build, Bitbucket Pipelines, and Tekton; annotated templates and docs for all nine. Not tied to any vendor.
Offline from day one — --offline and --cache-dir are first-class; good for air-gapped or locked-down CI.
Baseline shipped — go run ./cmd/baseline scans 100+ images in parallel with a summary CSV/Markdown and HTML dashboard. Differentiator vs plain Trivy/Grype; aligns with commercial tools.
Web UI shipped — go run ./cmd/server starts an HTTP server; paste or drop an image in the browser and get live scan results via SSE. Trivy and Grype are CLI-only. Aligns with Snyk/Docker Scout/Aqua.
No fail-on policy yet — Done.--fail-on-severity and --fail-on-count; exit 1 when policy violated. Matches Trivy/Grype/Snyk/Scout.
No config / ignore file — Done (config).scanner.yaml or .scanner.yaml (or --config) for default severity, format, output-dir, cache-dir, fail-on. Ignore/suppression (VEX, .grype.yaml equivalent) is still planned.
No Dockerfile scan yet — Done.--dockerfile runs Trivy config and merges misconfigurations with image findings.
No SBOM — Done.--sbom generates CycloneDX JSON for compliance and supply-chain tooling.
No risk scoring beyond severity — Done. CISA KEV, OSV.dev enrichment, and runc host advisory.
No Web UI — Done.go run ./cmd/server → browser, SSE streaming, findings table, export.
Single engine — We wrap Trivy only. Grype + Syft, or Trivy + Grype in one product, could improve coverage; that's a larger design choice.
No commercial support — Unlike Snyk, Docker Scout, Aqua, Anchore we're not a product with SLAs/support; we're an open project. That's a positioning choice, not a bug.
Neutral / context
We're an orchestrator, not a CVE DB — We rely on Trivy (and could add Grype). That's intentional: we focus on remediation, reports, CI, baseline, and Web UI rather than maintaining our own vulnerability database.
Market — Trivy and Snyk have significant adoption; Docker Scout is bundled with Docker. We're a niche: "Trivy + remediation + multi-format report + multi-CI + baseline + Web UI."
Enhancement recommendations (from comparison)
Done ✓
Fail-on policy — Done.--fail-on-severity and --fail-on-count; exit 1 when policy violated.
Bottom line: We're well placed as a "Trivy + remediation + multi-format + multi-CI + baseline + Web UI" orchestrator. The remaining gaps are ignore/suppression file (VEX/allowlist), formalized base image recommendations, and optional second scan engine.