Jacar mascot — reading along A laptop whose eyes follow your cursor while you read.
Tecnología

Trivy and Grype a Year Later: Which Matured Better

12 min read 62 reads
Trivy and Grype a Year Later: Which Matured Better
Table of contents
  1. Key takeaways
  2. Common ground
  3. Trivy: the scanner that became a Swiss Army knife
  4. Grype: precision and first-class SBOM
  5. CI pipeline integration
  6. When to choose each one
  7. Conclusion

Actualizado: 2026-05-03

Trivy and Grype have been installed as the two reference open-source container scanners for a couple of years now. Trivy comes from Aqua Security; Grype, from Anchore. On paper they do the same thing — read Docker image layers, enumerate packages, and cross-check against CVE databases — but in practice they have evolved toward different philosophies. After a solid year integrating both into real CI pipelines, with images ranging from a bare node:20 to Python bases with a hundred transitive dependencies, I have a clear picture of where each one wins.

Key takeaways

  • Trivy has evolved from image scanner to Swiss Army knife: it also covers filesystems, Git repos, Kubernetes manifests, Helm charts, and IaC templates.
  • Grype stands out for its lower false-positive rate and its Syft-generated SBOM, reusable in audits independent of the scan run.
  • Trivy Operator generates VulnerabilityReports as Kubernetes Custom Resources, queryable with kubectl and exportable to Prometheus.
  • Both are Apache 2.0 and support offline mode for air-gapped environments.
  • For mixed pipelines (image + IaC + cluster), Trivy covers everything with one binary; for image-only with maximum rigour, Grype + Syft is the most solid combination.

Common ground

What they share is easy to summarise: they scan container images, generate SBOMs in SPDX and CycloneDX formats, integrate with GitHub Actions and GitLab CI, return useful exit codes to break builds, both are Apache 2.0, and both support offline mode. If the requirement is simply to have a CVE scanner in the pipeline before publishing an image, both do it well. The interesting discussion starts when the scope grows.

Trivy: the scanner that became a Swiss Army knife

Trivy started as an image scanner, but Aqua kept extending its target until it covered filesystems, Git repositories, Kubernetes manifests, Helm charts, Terraform modules, and CloudFormation templates. The typical invocation comes down to four verbs — image, fs, config, repo — and all accept the same severity, output format, and exit-code policy flags. This uniformity is what you appreciate most when integrating it into a pipeline: one binary covers from “scan this image” to “review the Dockerfile and the manifests that deploy it”.

bash
# Image
trivy image --severity HIGH,CRITICAL myapp:latest

# Kubernetes manifests
trivy config ./k8s/

# Full repository (image + IaC)
trivy repo https://github.com/myorg/myapp

The Trivy Operator for Kubernetes is the other strong differentiator. Installed via Helm, it watches the cluster and generates four Custom Resource types:

  • VulnerabilityReport: per pod, with CVEs from images in use.
  • ConfigAuditReport: CIS Benchmark checks on live manifests.
  • RbacAssessmentReport: RBAC issues.
  • ExposedSecretReport: credentials embedded in images.

Everything becomes a native Kubernetes resource, queryable with kubectl get and exportable to Prometheus. For teams already in the K8s ecosystem — especially those following improvements like Kubernetes 1.30 — that tips the scale.

Grype: precision and first-class SBOM

Grype takes the opposite direction: total focus on the image and package scanning task with maximum possible precision. No ambition to be a Swiss Army knife. The key differentiator is in two areas.

False positives: in my tests with complex Python images, Grype consistently showed fewer alerts than Trivy for the same package set. The difference comes from how each tool interprets fix availability information and affected versions in CVE databases — NVD, GitHub Advisory Database, distribution-specific DBs. Trivy is not inaccurate; Grype is just more conservative before reporting.

Syft + Grype as a separate pipeline: Anchore publishes Syft as an independent SBOM generator, and Grype can consume that SBOM as input. The advantage is that you can generate the SBOM once (at build time, sign it with cosign) and scan the resulting SBOM at different points in the pipeline without re-reading the image:

bash
# Generate and sign SBOM
syft myapp:latest -o spdx-json > sbom.spdx.json
cosign attest --predicate sbom.spdx.json --type spdxjson myapp:latest

# Scan the SBOM
grype sbom:sbom.spdx.json --fail-on high

This pattern is particularly relevant for supply chain security: the signed SBOM travels with the image and any tool in the ecosystem can verify it and re-scan it.

ITU Workshop on Zero Trust and Software Supply Chain Security, the context in which signed SBOMs generated by Syft and Grype become key pieces of the trust chain

CI pipeline integration

Both tools integrate well with GitHub Actions and GitLab CI. The practical difference is start-up time: Trivy downloads its vulnerability database on first run (~200 MB), while Grype also has its own DB. In pipelines without DB caching, this adds 30-60 seconds to the first run. With caching, the difference disappears.

For build-breaking policy, both return a non-zero exit code when they find vulnerabilities above the configured threshold. The difference is in granularity: Trivy allows OPA/Rego policies for complex cases, while Grype is more direct with simple flags.

yaml
# GitHub Actions with Trivy
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:latest
    severity: HIGH,CRITICAL
    exit-code: 1
    ignore-unfixed: true

For teams managing continuous security with eBPF profiling in production, Trivy Operator adds the post-deploy visibility layer that CI alone does not cover.

When to choose each one

Use Trivy if:

  • You need to cover images, IaC, K8s manifests, and Git repos with one binary.
  • You operate Kubernetes and want CVE reports as queryable Custom Resources in the cluster.
  • Your team already uses the Aqua ecosystem or wants an all-in-one solution.

Use Grype + Syft if:

  • The focus is image/package scanning with the lowest possible false-positive rate.
  • You need signed, portable SBOMs as part of the artefact signing process.
  • You prefer tools with well-defined scope and no future licence surprises.

In many mature teams, the answer is both: Trivy in the CI pipeline for broad coverage, Grype + Syft in the image signing and publishing process for SBOM precision.

Conclusion

Trivy and Grype do not really compete in the same space as they appear to. Trivy is the best option when the requirement is “a scanner that covers the entire stack uniformly and integrates with Kubernetes as a first-class citizen”. Grype is the best option when the requirement is “the most precise SBOM possible, signed and reusable across the entire distribution chain”. The real decision is not which is better in the abstract, but which combines better with your team’s build and audit workflows.

Was this useful?
[Total: 13 · Average: 4.2]
Post Views: 62

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.

440 Articles 36K Reads Rating

Related posts

Industria 4.0

Collaborative robotics on the factory floor: 2026 balance sheet

Los cobots llevan casi quince años prometiendo la fábrica donde humanos y robots comparten espacio sin vallas. En 2026, con un mercado camino de los once mil millones y el 70% de los pedidos llegando desde fuera del automóvil, conviene revisar qué ha cumplido y qué sigue pendiente.

82 12 min 4.4