Trivy, the industry's leading open source security scanner is proudly maintained by Aqua Security.
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
In this page you can find a high level comparison table specific to Trivy users.
In addition check out the https://aquasec.com website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: https://www.aquasec.com/demo
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Interface | CLI tool | CLI tool Enterprise-grade web application SaaS or on-prem |
| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization Visually discover risks across your organization |
| User management | - | Multi account Granular permissions (RBAC) Single Sign On (SSO) |
| Support | Some skills required for setup and integration Best effort community support |
Personal onboarding by Aqua Customer Success SLA backed professional support |
| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently Highly available production grade architecture |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
| New Vulnerabilities SLA | No SLA | Commercial level SLA |
| Package managers | Find packages in lock files | Find packages in lock files or installed packages on disk |
| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution Vulnerability tracking and suppression Incident lifecycle management |
| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools: Accessibility of the affected resources Exploitability of the vulnerability Open Source packages health and trustworthiness score Affected image layers |
| Reachability analisys | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
| Compiled binaries | Find embedded dependencies in Go and Rust binaries Find SBOM by hash in public Sigstore |
In addition, identifies popular applications by huristics |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Windows containers | - | Support scanning windows containers |
| Scan container registries | - | Connect to any container registries and automatically scan it |
| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports different registry specific authentication schemes |
| Layer cache | Local cache directory | Scalable Cloud cache |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Malware scanning | - | Scan container images for malware |
| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
| Container engine | - | Block incompliant images from running at container engine level |
| Block vulnerable packages | - | vShield – monitor and block usage of vulnerable packages |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Detected patterns | Basic patterns | Advanced patterns |
| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Infrastructure as Code (IaC) | Many popular languages as detailed here | Same as Trivy |
| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface Customize existing checks with organizational preferences |
| Cloud scanning | AWS, Azure, GCP | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
| Compliance frameworks | CIS, vendor guides | More than 25 compliance programs |
| Custom compliance | Manually in text file | Create your own compliance program through a web application |
| Remediation advice | Basic | AI powered specialized remediation guides |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| User experience - trigger scan | CLI Automated with Kubernetes Operator |
Automated with Kubernetes Operator Advanced UI web application |
| User experience - consume results | kubectl/CRD Prometheus exporter |
kubectl/CRD Advanced UI dashboards Automatic notifications and incident management |
| Cluster discovery | Kubectl/Kubeconfig | Automatic discovery thorough cloud |
| Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
| Scope | Single cluster | Multi cluster, Cloud relationship |
| Scalability | Reports limited by in-cluster storage (size and number of reports) | Cloud-based storage (unlimited scalability) |