Compare Trivy and Grype
This issue is to compare Trivy and Grype as potential default pipeline container scanning engines for GitLab.
Note: This is a point-in-time analysis as of June 14, 2021
Popularity and Probability of Long-term Support
| GitHub Metric | Trivy | Grype |
|---|---|---|
| Number of stars | 7,500 | 567 |
| Number of contributors | 110 | 12 |
| Sourcerank | 14 | 11 |
Effectiveness at Identifying Vulnerabilities
Although both Trivy and Grype do both container scanning and dependency scanning, GitLab already has a proprietary product for dependency scanning, so only the container scanning component is needed. When comparing a basic container scan against an image with known vulnerabilities, both scanners identified the exact same vulnerabilities. Both jobs took an identical amount of time to run and completed in 1 minute 11 seconds.
OS Support
| OS | Trivy | Grype |
|---|---|---|
| Alpine | ||
| RHEL | ||
| CentOS | ||
| Debian | ||
| Ubuntu | ||
| Amazon Linux | ||
| Distroless | ||
| Oracle Linux | ||
| BusyBox | ||
| openSUSE Leap | ||
| Photon OS | ||
| SUSE Enterprise Linux |
OS Vulnerability Data Sources
GitLab is only using the OS Vulnerability detection capabilities for Container Scanning, as GitLab has another solution in place for language-specific package dependency scanning. Consequently, only the OS vulnerability data sources were compared.
Trivy has 12 OS data sources and Grype has 8.
Trivy Data Sources
Grype Data Sources
| Namespace | OS | Source | URL |
|---|---|---|---|
| alpine:* | Alpine Linux | Alpine Security Database | https://secdb.alpinelinux.org/ |
| amzn:2 | Amazon Linux 2 | Amazon Linux Security Center | https://alas.aws.amazon.com/alas2.html |
| debian:* | Debian GNU/Linux | Security Bug Tracker | https://security-tracker.debian.org/tracker/ |
| nvd | - | National Vulnerability Database | https://nvd.nist.gov/ |
| debian:* | Debian GNU/Linux | OVAL | https://www.debian.org/security/oval/ |
| rhel:* | RHEL/CentOS | Security Data | https://www.redhat.com/security/data/metrics/ |
| ubuntu:* | Ubuntu | Ubuntu CVE Tracker | https://ubuntu.com/security/cve |
| ol:* | Oracle Linux | OVAL | https://linux.oracle.com/security/oval/ |
Vulnerability Details
| Feature | Trivy | Grype |
|---|---|---|
| Severity Scoring Model | CVSSv3.x | CVSSv3.x |
| Vulnerability Description | ||
| Vulnerability Links | ||
| Proposed Solution |
Support for Scanning in Production
Trivy has the related project Starboard to allow for scanning images in production environments
Grype has the related project Kai to allow for getting a list of images in production environments (the scanning would have to be initialized separately)
| Feature | Starboard | Kai |
|---|---|---|
| Number of stars in GitHub | 696 | 9 |
| Number of contributors | 25 | 2 |
| Scan on an interval | ||
| On-demand scans | unknown | |
| Automatic scan when new pods are created | ||
| Sourcerank | 8 | 4 |
Additional Considerations
Trivy has integrated with a community edition of GitLab's advisory database. In the future, this could allow GitLab to use our proprietary vulnerability data for dependencies as part of the Trivy scanner without needing to run a separate scanning job.