Trivy does not detect or scan manually downloaded/installed binaries
I have a GitLab Ultimate customer asking the following:
We have some teams using Grype for container scans as it scans the binaries too. Trivy does not scan binaries. Once Grype is no longer supported, what does Gitlab suggest we do for binary scans within containers?
If a binary is installed via the package manager, then Trivy will scan it. However, if a binary is manually downloaded/installed, Trivy does not detect or scan it (we have seen examples for Node). Grype detects these binaries no matter how they are installed. In addition, for Go, the version of Trivy currently used by GitLab (0.50.0) misses some vulnerabilities and could use an upgrade to the latest (currently 0.51.1).
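To make the "package-manager-installed vs. manually dropped" distinction concrete, here is an added example (written for this page, not code from the issue, from Trivy or from Grype). It walks a container root filesystem, lists ELF executables that no dpkg package claims in `var/lib/dpkg/info/*.list`, and, for each such unmanaged binary, tries to recover a Node version from a `node.js/v<major>.<minor>.<patch>` marker embedded in the file. The search directories, the marker regex and the fixture rootfs (a fake dpkg-owned `curl` and a fake hand-installed `node` built from a few bytes) are all assumptions constructed for the example; it does not call either scanner.

```python
"""Added example (not part of the original issue, of Trivy or of Grype): list ELF
executables in a rootfs that no dpkg package owns and identify Node binaries
among them by a version marker in the file contents."""
import tempfile
from pathlib import Path
import re

# Assumption: a Node binary embeds "node.js/v<major>.<minor>.<patch>"; the exact
# regex and the directories walked are choices made for this example.
NODE_VERSION_RE = re.compile(rb"node\.js/v(\d+\.\d+\.\d+)")
SEARCH_DIRS = ("usr/bin", "usr/local/bin", "opt")  # relative to the rootfs


def dpkg_owned_paths(rootfs: Path) -> set:
    """Absolute image paths listed in var/lib/dpkg/info/*.list (package-managed files)."""
    owned = set()
    for lst in (rootfs / "var/lib/dpkg/info").glob("*.list"):
        for line in lst.read_text().splitlines():
            line = line.strip()
            if line:
                owned.add(line)
    return owned


def is_elf(path: Path) -> bool:
    """True when the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def node_version(path: Path):
    """Version string from the embedded marker, or None if the file has none."""
    match = NODE_VERSION_RE.search(path.read_bytes())
    return match.group(1).decode() if match else None


def unmanaged_binaries(rootfs: Path) -> list:
    """[(image_path, node_version_or_None)] for ELF files no dpkg package owns."""
    owned = dpkg_owned_paths(rootfs)
    found = []
    for rel in SEARCH_DIRS:
        base = rootfs / rel
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_symlink() or not p.is_file() or not is_elf(p):
                continue
            image_path = "/" + p.relative_to(rootfs).as_posix()
            if image_path in owned:
                continue  # the package database knows this file; a db-driven scan covers it
            found.append((image_path, node_version(p)))
    return found


def build_sample_rootfs(base: Path) -> Path:
    """Constructed fixture: one dpkg-owned ELF, one hand-installed 'node' ELF, one script."""
    info = base / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "curl.list").write_text("/usr/bin/curl\n/usr/share/doc/curl/copyright\n")
    (base / "usr/bin").mkdir(parents=True)
    (base / "usr/bin/curl").write_bytes(b"\x7fELF" + b"\x00" * 16)
    (base / "usr/local/bin").mkdir(parents=True)
    # Constructed stand-in for a tarball-installed Node binary (version string is made up).
    (base / "usr/local/bin/node").write_bytes(b"\x7fELF" + b"\x00" * 8 + b"node.js/v18.19.0\x00")
    (base / "usr/local/bin/run.sh").write_text("#!/bin/sh\nexec node app.js\n")  # not ELF, skipped
    return base


def demo() -> list:
    """Build the fixture in a temp dir and return the unmanaged binaries found in it."""
    with tempfile.TemporaryDirectory() as tmp:
        return unmanaged_binaries(build_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    for image_path, version in demo():
        print(f"{image_path}: not owned by any dpkg package, node version {version}")
```

Against a real image, export the filesystem first (for example with `docker export`) and point `unmanaged_binaries` at the extracted directory; anything it lists is a binary whose presence a package-database-only scan would not see, so the list tells you where a scanner that relies on the package manager needs a second opinion.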