Top OSS Container Image Scanning Tools

Container image scanning is a little like using a Computed Tomography (CT) scan to diagnose medical issues. Just as a CT scan reveals information about internal conditions inside a human body that might not be obvious from the surface, container image scanning tools can detect security risks, such as known vulnerabilities, malicious code, or insecure configurations that may not be noticeable based on the activity of a running container.

January 5, 2025

That said, unlike CT scans, container image scanning isn’t something you should only do when you suspect something is wrong. It’s a practice that should be a routine part of your Secure Software Development Lifecycle (SSDLC), helping to ensure that you detect security risks in containers prior to deploying containerized applications into production.

A variety of container image scanning tools are available to help automate the process of checking container images for vulnerabilities and other risks. To help software development and security teams decide which scanning solution is best for their needs, this article compares and contrasts seven container image scanning options, highlighting where each excels and why you may or may not want to use it.

What is container image scanning, and why do you need it?

Container image scanning is the practice of analyzing container images for security vulnerabilities and risks.

To understand fully what that means, let’s talk briefly about container images. A container image is a packaged filesystem (a stack of layers plus configuration metadata such as the default user, environment variables, and entrypoint) that a container runtime unpacks to start a container. Put another way, a container image is akin to the blueprints that tell a containerized application how to run.

This means that any malware, vulnerable software, or insecure configurations that exist inside a container image will lead to security risks when containers execute based on the image. For that reason, it’s important to scan container images so that you can detect risks prior to launching containers. Doing so not only helps to protect against breaches, but also plays a role in ensuring compliance with regulations like GDPR and HIPAA, which require organizations to undertake reasonable measures to protect against cybersecurity risks.

Container image scanning is all the more important given that it’s a common practice to leverage a wide range of components when creating containers, any of which could be insecure. Typically, developers who want to create a container image to run a specific application start with a base image – which includes the basic code necessary to create an environment to host the application they are building – that they source from a third party. They then add other libraries, binaries, and/or configuration settings to the base image to set up the application they wish to run.

Given the multiple places of origin of these various components, container image scanning is critical for ensuring that none of them introduce security risks into images before they are deployed into a production environment.

Factors to consider when choosing a container image scanning tool

While all container scanning tools are capable of analyzing container images, they may vary in areas like the following:

  • Supported types of risks: Container images can include multiple types of security risks – such as vulnerable operating system packages and application dependencies sourced from third parties, secrets or malicious code baked into image layers, and configuration oversights (for example, running as root) that expose containers to attack. Not all scanners can detect all types of risks.
  • Accuracy and reliability: Some scanners may experience high rates of false positives or false negatives, making it challenging to count on them to deliver accurate scanning results.
  • Performance and scanning speed: The time it takes for container scanners to complete scans can vary, especially when working with large image files or performing scans on multiple files.
  • Reporting capabilities: Scanning tools vary widely with regard to how they format and present results. Some may offer capabilities like support for generating SBOMs (in formats like SPDX or CycloneDX) based on scans, while others provide less flexibility.
  • Automation capabilities: Some scanners only support one-off, manual analysis of container images, while others provide easy-to-use scanning automation capabilities and can integrate into CI/CD workflows.
  • User interface: Different scanning tools offer different modes of user interaction. Some offer built-in graphical interface options or the ability to integrate with other systems that include graphical UIs, while other tools are CLI-only.
  • Development activity: Some container scanners – especially those that are open source – don’t receive much development activity. This means developers are not regularly updating the code or adding new features, which may make the tools less effective.

Top 7 open source container image scanning tools

Here’s a look at seven popular open source container image scanning tools and how they compare.

#1. Aqua Trivy

Aqua Trivy, an open source container scanning software developed by Aqua Security, can scan container images for a wide variety of vulnerabilities and risks.

Key features:

  • Flexible scanning: Trivy supports scanning of not only container images, but also virtual machine images, Git repositories, Kubernetes environments, and more, making it valuable as a comprehensive scanning tool for teams whose workloads include, but are not limited to, containers.
  • High-fidelity scans: Drawing on a wide range of sources of vulnerability data, including Aqua’s own vulnerability database, Aqua Trivy produces highly accurate, reliable image scan results.
  • Flexible reporting: Aqua Trivy can generate scan results in multiple formats, including popular SBOM formats, and it can integrate with open source tools like Grafana to visualize report data.
  • Fully automated scans: In addition to supporting manual scanning via the CLI, Aqua Trivy can be configured for fully automated scanning, making it easy to integrate the tool into your CI/CD pipeline.

Pros: A very flexible image scanner that addresses a wide range of risks and delivers highly accurate results.

Cons: Coverage depends on Trivy recognizing the package manager or language ecosystem that installed a component; binaries in unusual formats or ecosystems it doesn’t support may go unscanned.

#2. Clair

Clair is an open source container image scanner originally developed by CoreOS, which was acquired by Red Hat.

Key features:

  • Focus on container images: Clair was one of the first open source scanners designed specifically for container images.
  • Integrations: Clair integrates easily into a wide range of environments (although it works most easily with software based on Red Hat’s platforms).

Pros: Easy to deploy and performs fast scans.

Cons: As of 2025, Clair is a somewhat dated tool. The open source community surrounding it is not as dynamic as it was when CoreOS was an independent company.

#3. Grype

Grype is an open source scanner developed by Anchore. It is the successor to Anchore Engine, an image scanner that Anchore no longer maintains.

Key features:

  • Accuracy: Grype emphasizes scan accuracy and the minimization of false positives.
  • OpenVEX support: Grype can consume OpenVEX documents, so findings that a vendor or your own team has declared not affected or not exploitable are suppressed or annotated in scan results.

Pros: Grype’s focus on accuracy can save time by reducing distracting false positives, and VEX support may help to speed remediation.

Cons: Focused on vulnerability matching (against images, filesystems, and SBOMs produced by its companion tool Syft); it does not cover misconfigurations, secrets, or Kubernetes clusters the way broader scanners do. Most valuable when used as part of the larger Anchore platform (which is not entirely free or open source).

#4. Dagda

Dagda is a vulnerability scanner for container images.

Key features:

  • Malicious software detection: Dagda’s main focus is on detecting trojans, viruses, and other malicious code inside container images.
  • Container runtime security integration: Dagda can integrate with Falco, an open source runtime security tool, to help monitor live containers in addition to analyzing container images.
  • Scan history: Dagda can store scan results in MongoDB so that you can track changes to the security status of containers over time.

Pros: A useful tool if your main focus is on vulnerabilities linked to malicious code.

Cons: Focuses on malware detection; may not identify risks that arise from insecure configurations, or vulnerabilities in language ecosystems that Dagda doesn’t support.

#5. OpenSCAP

OpenSCAP is an open source platform designed to analyze the security compliance of systems based on predefined security profiles.

Key features:

  • Container image scanning: OpenSCAP can scan container images for vulnerabilities, in addition to performing a wide range of other types of scans.
  • Compliance assessment: The main purpose of OpenSCAP is to provide an overall security compliance assessment of systems.

Pros: Consider OpenSCAP if you want to validate the overall security status of your platform or environment.

Cons: If container scanning alone is your primary goal, OpenSCAP may be overkill because it’s not an image scanner per se; it’s a security compliance assessment platform that includes image scanning capabilities.

#6. Dockle

Dockle is a container image “linting” tool focused on detecting misconfigurations inside container images, rather than vulnerabilities or malware.

Key features:

  • Configuration assessment: Dockle scans configuration data inside container images to detect risks that deviate from recognized best practices.
  • Benchmark-based scanning: Dockle’s checks are derived from the CIS Docker Benchmark and from Dockerfile best practices (for example, running as a non-root user, defining a HEALTHCHECK, and not baking credentials into ENV).

Pros: Useful for validating that configurations and executable commands inside container images conform to security best practices.

Cons: Doesn’t detect software vulnerabilities or malware; only scans for insecure configurations (as defined by CIS benchmarks).
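To make concrete what a configuration linter like Dockle actually inspects, here is an added example (written for this article, not Dockle’s own code) that applies a few CIS-Docker-Benchmark-style checks to an image’s OCI configuration, the JSON blob that a tool such as `crane config <image>` returns. The field names (`config.User`, `config.Env`, `config.Healthcheck`, `config.ExposedPorts`, `history[].created_by`) are those of the OCI image configuration; the check IDs, severity levels and both sample configs are invented for illustration. The weak config and the remediated one sit side by side so you can see what “clean” looks like.

```python
"""Dockle-style linting of an OCI image configuration.

Added example, not Dockle's code. Input is the image config JSON as returned
by e.g. `crane config <image>`; the checks, their IDs and levels are invented
for illustration, and both sample configs below are constructed.
"""
import json
import re

# Constructed: a typical "works on my machine" image config with several problems.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "",
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "APP_ENV=production",
            "DB_PASSWORD=hunter2",
        ],
        "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}},
        "Cmd": ["python", "app.py"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": "/bin/sh -c curl -sSL https://example.invalid/install.sh | sh"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"python\" \"app.py\"]", "empty_layer": True},
    ],
})

# Constructed: the same image after remediation; should produce no findings.
HARDENED_CONFIG = json.dumps({
    "config": {
        "User": "10001:10001",
        "Env": ["PATH=/usr/local/bin:/usr/bin:/bin", "APP_ENV=production"],
        "ExposedPorts": {"8080/tcp": {}},
        "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8080/healthz"]},
    },
    "history": [
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y --no-install-recommends curl "
                       "&& rm -rf /var/lib/apt/lists/*"},
    ],
})

# Env var names that usually carry credentials. Anyone who can pull the image can read
# its config, so secrets belong in a runtime secret store, not in image metadata.
SECRET_ENV = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.I)
# `curl ... | sh` style installs: unverified remote code executed at build time.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def lint_image_config(config_json):
    """Return a list of {check, level, message} findings for one image config."""
    doc = json.loads(config_json)
    cfg = doc.get("config") or {}
    findings = []

    def add(check, level, message):
        findings.append({"check": check, "level": level, "message": message})

    # The USER instruction ends up here; empty, "0" or "root" means the process runs as root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        add("IMG-001", "FATAL", "image runs as root; add a USER instruction")

    for entry in cfg.get("Env") or []:
        name, _, value = entry.partition("=")
        if SECRET_ENV.search(name) and value:
            add("IMG-002", "FATAL", f"possible secret baked into ENV {name}")

    if not cfg.get("Healthcheck"):
        add("IMG-003", "WARN", "no HEALTHCHECK defined")

    if "22/tcp" in (cfg.get("ExposedPorts") or {}):
        add("IMG-004", "WARN", "port 22 exposed; avoid running sshd inside containers")

    # Each history entry is one layer's build command (Dockerfile RUN/ADD/COPY/...).
    for layer in doc.get("history") or []:
        cmd = layer.get("created_by", "")
        if "apt-get install" in cmd and "rm -rf /var/lib/apt/lists" not in cmd:
            add("IMG-005", "INFO", "apt cache left in layer: " + cmd.strip()[:60])
        if PIPE_TO_SHELL.search(cmd):
            add("IMG-006", "WARN", "remote script piped to a shell: " + cmd.strip()[:60])
    return findings


def worst_level(findings):
    """Highest level present, usable as a pass/fail signal ("PASS" when clean)."""
    order = {"INFO": 1, "WARN": 2, "FATAL": 3}
    return max((f["level"] for f in findings), key=order.get, default="PASS")


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = lint_image_config(cfg)
        print(f"{label}: {worst_level(found)} ({len(found)} findings)")
        for f in found:
            print(f"  {f['level']:<5} {f['check']} {f['message']}")
```

Two design points carry over to real linters: the checks run against the built image’s metadata rather than the Dockerfile, so they also catch problems inherited from the base image, and the apt-cache check only passes when the install and the cleanup happen in the same layer, because a cleanup in a later `RUN` does not remove the files from the earlier layer.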

#7. Tern

Tern is an open source tool for generating SBOMs for container images.

Key features:

  • Software Composition Analysis: Tern performs Software Composition Analysis (SCA) to identify third-party components inside container images.
  • Dockerfile support: Tern can scan Dockerfiles (which are used to create images) as well as images themselves.
  • Flexible reporting: Supports multiple formatting options for generating scan results.

Pros: Flexible tool for identifying third-party risks within container images.

Cons: Focuses on inventorying third-party software components; it does not itself flag misconfigurations, so it is best paired with a vulnerability scanner and a configuration linter. Little development activity as of 2025.

Container image scanning with Aqua Trivy: Getting started

As an open source container image scanner that can detect a wide range of risks in container images – as well as in other types of files and repositories – Aqua Trivy is a powerful and comprehensive scanning tool. In addition, Aqua Trivy’s flexible reporting and automation capabilities make it a highly adaptable solution that integrates efficiently with the tools your team already uses.

To see for yourself, go ahead and give Aqua Trivy a try. You can deploy Aqua Trivy as a Docker container with a single command:

docker run aquasec/trivy

Or, install using a binary from GitHub.

Then, simply point Aqua Trivy at what you want to scan (when running from the container, pass the same arguments after the image name). For example:

trivy image python:3.4-alpine
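In a CI pipeline you rarely want the human-readable table. The usual pattern is `trivy image --format json -o report.json <image>` (for a simple gate, `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` on the command line is enough) followed by a small policy step over the JSON when you need logic Trivy’s flags don’t express. The script below is an added example written for this article, not Trivy’s own code: it applies a fail-on-HIGH, fixed-versions-only policy to a constructed Trivy report whose CVE IDs are placeholders, and honors an ignore list in the spirit of a `.trivyignore` file. The `Results[].Vulnerabilities[]` field names are Trivy’s; the function names and sample data are illustrative.

```python
"""Gate a CI job on a Trivy JSON report.

Added example, not part of Trivy. Assumes the report came from
`trivy image --format json -o report.json <image>`; the Results[].Vulnerabilities[]
field names are Trivy's. The sample report below is constructed and its CVE IDs
are placeholders, not real advisories.
"""
import json
import sys
from collections import Counter

# Constructed, abridged Trivy report (placeholder CVE IDs and versions).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "python:3.4-alpine",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "python:3.4-alpine (alpine 3.9.2)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl",
                 "InstalledVersion": "1.1.20-r3", "FixedVersion": "1.1.20-r5",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1a-r1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.29.3-r10", "FixedVersion": "1.29.3-r11",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "usr/lib/python3.4/site-packages/requests",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
                 "InstalledVersion": "2.18.0", "FixedVersion": "2.20.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_vulns(report):
    """Yield (target, vulnerability) pairs; Results entries with no findings omit the key."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def evaluate(report_json, fail_on="HIGH", ignore_ids=(), require_fix=True):
    """Return (blocking, summary).

    A finding blocks the build when its severity is at or above `fail_on`, it is not
    in `ignore_ids` (the equivalent of a .trivyignore entry) and, with require_fix set,
    a fixed version exists, so the finding is actually actionable for the team.
    `summary` counts every finding by severity plus the two reasons for skipping.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    ignored = set(ignore_ids)
    blocking, summary = [], Counter()
    for target, vuln in iter_vulns(report):
        sev = vuln.get("Severity", "UNKNOWN")
        summary[sev] += 1
        if vuln["VulnerabilityID"] in ignored:
            summary["ignored"] += 1
            continue
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        if require_fix and not vuln.get("FixedVersion"):
            summary["unfixed_above_threshold"] += 1
            continue
        blocking.append({
            "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"], "severity": sev,
            "installed": vuln["InstalledVersion"], "fixed": vuln["FixedVersion"],
            "target": target,
        })
    # Worst first, then by ID, so the console output is stable between runs.
    blocking.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))
    return blocking, summary


def main(report_json=SAMPLE_REPORT):
    """Print a summary and return the process exit code (1 = block the build)."""
    blocking, summary = evaluate(report_json, fail_on="HIGH", ignore_ids={"CVE-0000-0004"})
    print("findings by severity:", dict(summary))
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(main(data))
```

The unfixed HIGH finding is counted but not blocking: failing builds on issues nobody can remediate yet trains developers to ignore the gate. Track those separately and revisit them as fixes land, which is also what Trivy’s `--ignore-unfixed` flag does.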

But we’re just scratching the surface here. For a deep dive into Aqua Trivy – and to see how it integrates with the Aqua platform to enable automated security at scale – request a demo.

Container Image Scanning Tools FAQs
What is container image scanning?

Container image scanning is the practice of analyzing container images for security risks, such as vulnerable software components and configuration mistakes. Scanners don’t monitor running containers for security risks (that is the job of container runtime security software), but they can identify security problems within the images used to execute applications, which makes scanning a key part of the container security process. Scanning is often complemented by SBOM generation, which supports supply chain security and regulatory compliance.

Which tools are used for container security?

Several types of tools factor into the container security process. First, teams should use security scanners (such as SAST and DAST tools) during the application development process to detect risks in their application code itself. Then, after creating a container image that includes their application, they should scan the image using tools designed to detect risks inside container image files, since other scanning tools may not detect these problems.

Container security should also include runtime security tools, which monitor running containers for signs of breaches or attack. Finally, securing the rest of the container environment – including host servers and orchestrators (like Kubernetes), if they are used to manage containers – is an important part of container security as well, and should be addressed using tools designed for this purpose.

Which tool is best for vulnerability scanning?

There is no single “best” tool for vulnerability scanning; instead, you should evaluate scanners based on a variety of factors. These may include the accuracy of the scans, the types of risks and vulnerabilities that the tool can detect, the way the tool reports scan results, and how the tool integrates with other tools or platforms. Consider as well how actively developed the tool is; projects that show little development activity may not be updated to address new types of risks or add useful features.

What is the difference between OWASP and Aqua Trivy?

OWASP, the Open Worldwide Application Security Project, is a community that offers guidance on cybersecurity by (among other activities) publishing “top ten” guides to common risks and vulnerabilities. Aqua Trivy is a vulnerability scanner that can detect security risks in container images and other types of resources. Thus, while OWASP provides general guidance about the types of risks to search for (and includes Aqua Security software on its list of recommended security solutions), Trivy and other Aqua Security solutions are tools for actually detecting and managing those risks.