
Scanner application dependencies (static)

Tool      OS packages             Non-OS packages                            Dynamic
Trivy     apk, rpm, dpkg, yum     gem, pip, poetry, composer, yarn, cargo    x
Clair     apk, rpm, dpkg, yum     python                                     x
Anchore   apk, rpm, dpkg, yum     gem, pip, npm                              x

OS packages: whether the tool can scan OS packages for vulnerabilities.

Non-OS packages: whether the tool can scan non-OS packages, i.e., application dependencies or other
packages, for vulnerabilities.

Trivy is an open-source, free-to-use image scanner that can detect vulnerabilities in OS and non-OS
packages. Trivy can also scan configuration files such as Dockerfiles for misconfigurations, and it can
scan for hardcoded passwords, API keys, or tokens. It uses the Aqua Vulnerability Database, which
collects data from NVD, software vendor advisories, and Kube-Hunter.

Files inside container images (scanning for vulnerabilities, misconfig, secrets, licenses)

Vulnerabilities - Trivy detects known vulnerabilities according to the versions of installed packages.
The following package types are supported:
- OS packages
- Language-specific packages
- Kubernetes components (control plane, node and addons)
Trivy downloads the vulnerability database every 6 hours. Trivy uses two databases for vulnerability
detection:
- Vulnerability Database
- Java Index Database

Misconfiguration - policy-based checks. When misconfiguration detection is enabled, Trivy pulls the
OPA (Open Policy Agent) bundle from the GitHub container registry as an OCI artifact and stores it in the
cache. Those policies are then loaded into Trivy's OPA engine and used to detect misconfigurations.
Custom policies can be written for the following config types:

- CloudFormation (JSON/YAML)
- Kubernetes (JSON/YAML)
- Helm (YAML)
- Terraform Plan (JSON)

Container image metadata

Secret scanning - Trivy scans any container image, filesystem and git repository to detect exposed
secrets such as passwords, API keys, and tokens. Secret scanning is enabled by default.

License scanning - Trivy scans any container image for license files and offers an opinionated view on
the risk associated with the license.
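The Trivy features above (package vulnerabilities, misconfigurations, secrets and licenses) all land in one JSON report when Trivy is run with JSON output. The example below is added here and is not Trivy's code or part of the original notes: it normalises a constructed report in the shape of Trivy's JSON output into one list of findings, summarises them per class and severity, and applies a per-class CI gate. The `ignore_unfixed` option mirrors what Trivy's `--ignore-unfixed` flag does for package vulnerabilities. All IDs in the sample (CVE-0000-000x, DS-PLACEHOLDER-x) are placeholders, not real advisories, and the `Results` layout is an assumption modelled on Trivy's schema.

```python
"""Triage a Trivy-style JSON report: normalise every finding class, then gate CI on it."""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
VULN_CLASSES = {"os-pkgs", "lang-pkgs"}   # result classes that carry package CVEs

# Constructed sample in the shape of `trivy image --format json` output (assumed schema).
# Every identifier below is a placeholder, not a real advisory or check id.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example.invalid/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "CRITICAL"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS-PLACEHOLDER-1", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"},
             {"ID": "DS-PLACEHOLDER-2", "Title": "HEALTHCHECK defined", "Severity": "LOW", "Status": "PASS"}]},
        {"Target": "app/settings.py", "Class": "secret",
         "Secrets": [{"RuleID": "generic-api-key", "Category": "General", "Severity": "CRITICAL",
                      "Title": "Generic API key", "StartLine": 12}]},
        {"Target": "OS Packages", "Class": "license",
         "Licenses": [{"Severity": "HIGH", "Category": "restricted", "PkgName": "libexample",
                       "Name": "EXAMPLE-COPYLEFT"}]},
    ],
})


def load_findings(report_json):
    """Flatten every result class into {class, target, id, severity, fixed} records."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        cls, target = result.get("Class", ""), result.get("Target", "")
        if cls in VULN_CLASSES:
            for v in result.get("Vulnerabilities", []):
                findings.append({"class": cls, "target": target, "id": v["VulnerabilityID"],
                                 "severity": v.get("Severity", "UNKNOWN"),
                                 "fixed": bool(v.get("FixedVersion"))})
        elif cls == "config":
            for m in result.get("Misconfigurations", []):
                if m.get("Status") != "FAIL":        # PASS entries are not findings
                    continue
                findings.append({"class": cls, "target": target, "id": m["ID"],
                                 "severity": m.get("Severity", "UNKNOWN"), "fixed": None})
        elif cls == "secret":
            for s in result.get("Secrets", []):
                findings.append({"class": cls, "target": target, "id": s["RuleID"],
                                 "severity": s.get("Severity", "UNKNOWN"), "fixed": None})
        elif cls == "license":
            for lic in result.get("Licenses", []):
                findings.append({"class": cls, "target": target, "id": lic["Name"],
                                 "severity": lic.get("Severity", "UNKNOWN"), "fixed": None})
    return findings


def summarize(findings):
    """Count findings per (class, severity), e.g. summary[("os-pkgs", "HIGH")]."""
    return Counter((f["class"], f["severity"]) for f in findings)


def gate(findings, policy, ignore_unfixed=False):
    """Return (passed, blocking_ids). `policy` maps a class to the lowest severity that blocks;
    classes absent from the policy never block. `ignore_unfixed` skips package CVEs that
    have no fixed version, like Trivy's --ignore-unfixed."""
    blocking = []
    for f in findings:
        threshold = policy.get(f["class"])
        if threshold is None:
            continue
        if ignore_unfixed and f["class"] in VULN_CLASSES and not f["fixed"]:
            continue
        if SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold]:
            blocking.append(f["id"])
    return (not blocking), blocking


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    for (cls, sev), n in sorted(summarize(fs).items()):
        print(f"{cls:10s} {sev:9s} {n}")
    ok, ids = gate(fs, {"os-pkgs": "CRITICAL", "lang-pkgs": "HIGH", "secret": "LOW", "config": "HIGH"})
    print("gate:", "PASS" if ok else "FAIL", ids)
```

Keeping the gate policy per class is the useful part: a pipeline can tolerate an unfixed LOW OS package while still failing on any secret, which a single global severity threshold cannot express.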
Anchore Engine is a Docker container static analysis and policy-based compliance tool, and an
open-source, free-to-use image scanner that can identify vulnerabilities, malware, misconfigurations,
and secrets. It can detect vulnerabilities in OS and non-OS packages. The vulnerability database draws
data from the National Vulnerability Database, but no further information could be retrieved.
However, as of 2023, Anchore Engine is no longer maintained as an active project. Users are
recommended to install Syft or Grype instead.

Anchore Engine is fully integrated with Grype by default for vulnerability scanning. The V2 vulnerability
scanner, based on Grype, replaces the legacy vulnerability scanner of previous Anchore Engine versions
and has its own feed sync mechanism using the Grype vulnerability database.

Anchore takes a data-driven approach to analysis and policy enforcement. The system essentially runs
a sequence of phases for each image analyzed: fetch, analyze, save, evaluate, update and notify, repeat.

The primary interface is a RESTful API for analysis, policy evaluation, and monitoring of images in
registries. Anchore Engine exposes two RESTful web services: the API service and a K8s webhook.
Through the REST API or the CLI, Anchore Engine can be queried for image data and policy evaluations:
- Image metadata
- Image content (files, packages, software libraries)
- Image vulnerabilities
- Historic image data
- Image policy status

Analyzing images - when an image is submitted to Anchore Engine for analysis, the Engine attempts to
retrieve metadata about the image from the Docker registry and, if successful, downloads (pulls) the
image and queues it for analysis.

Malware scanning - uses the open-source ClamAV malware scanner to detect malicious code embedded
in container images.

Content Hints - Anchore Engine can read a user-supplied 'hints' file that lets users add software
artifacts to Anchore's analysis report. The hints file, if present, contains records that explicitly
describe a software package; these records are then added to the software bill of materials (SBOM).
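Anchore's policy-based evaluation, described above, works on bundles of rules, each a gate/trigger pair with an action, plus whitelists and mappings that select which policy applies to an image. The example below is an added, simplified model of that evaluation written for these notes; it is not Anchore's own evaluator, and the bundle and analysis data are constructed (the CVE ids are placeholders). It shows how a rule fires per trigger id, how a whitelist suppresses a specific trigger id without hiding it from the report, and how the final action is the worst non-whitelisted action (GO < WARN < STOP).

```python
"""Evaluate an image analysis against a simplified Anchore-style policy bundle (model, not Anchore code)."""

SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]
ACTION_RANK = {"GO": 0, "WARN": 1, "STOP": 2}

# Constructed bundle modelled on Anchore's gate / trigger / action rule layout (assumption).
POLICY_BUNDLE = {
    "id": "example-bundle", "version": "1_0",
    "policies": [{
        "id": "default-policy", "name": "Default policy",
        "rules": [
            # STOP on any High-or-worse package vulnerability that already has a fix
            {"id": "r1", "gate": "vulnerabilities", "trigger": "package", "action": "STOP",
             "params": [{"name": "severity_comparison", "value": ">="},
                        {"name": "severity", "value": "high"},
                        {"name": "fix_available", "value": "true"}]},
            # WARN on anything Medium or worse, fix or not
            {"id": "r2", "gate": "vulnerabilities", "trigger": "package", "action": "WARN",
             "params": [{"name": "severity_comparison", "value": ">="},
                        {"name": "severity", "value": "medium"}]},
            # STOP if the image's effective user is on the blacklist
            {"id": "r3", "gate": "dockerfile", "trigger": "effective_user", "action": "STOP",
             "params": [{"name": "users", "value": "root"}, {"name": "type", "value": "blacklist"}]},
        ]}],
    "whitelists": [{"id": "wl1", "name": "Accepted risk",
                    "items": [{"id": "w1", "gate": "vulnerabilities",
                               "trigger_id": "CVE-0000-0002+libother"}]}],
    "mappings": [{"id": "m1", "registry": "*", "repository": "*",
                  "image": {"type": "tag", "value": "*"},
                  "policy_ids": ["default-policy"], "whitelist_ids": ["wl1"]}],
}

# Constructed analysis result for one image (placeholder CVE ids).
IMAGE_ANALYSIS = {
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package": "libexample", "severity": "High", "fix": "1.0-r1"},
        {"vuln": "CVE-0000-0002", "package": "libother", "severity": "High", "fix": "2.2"},
        {"vuln": "CVE-0000-0003", "package": "libthird", "severity": "Medium", "fix": None},
    ],
    "effective_user": "root",
}


def params(rule):
    return {p["name"]: p["value"] for p in rule.get("params", [])}


def compare_severity(found, op, wanted):
    a, b = SEVERITY_ORDER.index(found.lower()), SEVERITY_ORDER.index(wanted.lower())
    return {">": a > b, ">=": a >= b, "=": a == b, "<": a < b, "<=": a <= b, "!=": a != b}[op]


def fire_rule(rule, analysis):
    """Yield one trigger id per match of this rule in the image analysis."""
    p = params(rule)
    if rule["gate"] == "vulnerabilities" and rule["trigger"] == "package":
        for v in analysis["vulnerabilities"]:
            if p.get("fix_available", "false").lower() == "true" and not v["fix"]:
                continue
            if compare_severity(v["severity"], p.get("severity_comparison", ">="),
                                p.get("severity", "unknown")):
                yield f"{v['vuln']}+{v['package']}"
    elif rule["gate"] == "dockerfile" and rule["trigger"] == "effective_user":
        users = {u.strip() for u in p.get("users", "").split(",")}
        blacklist = p.get("type", "blacklist") == "blacklist"
        if (analysis["effective_user"] in users) == blacklist:
            yield analysis["effective_user"]


def evaluate(bundle, analysis, mapping_id="m1"):
    """Return {"final_action": ..., "rows": [...]} using the policies and whitelists of one mapping."""
    mapping = next(m for m in bundle["mappings"] if m["id"] == mapping_id)
    whitelisted = {(i["gate"], i["trigger_id"])
                   for wl in bundle["whitelists"] if wl["id"] in mapping["whitelist_ids"]
                   for i in wl["items"]}
    rows, final = [], "GO"
    for policy in bundle["policies"]:
        if policy["id"] not in mapping["policy_ids"]:
            continue
        for rule in policy["rules"]:
            for trigger_id in fire_rule(rule, analysis):
                skip = (rule["gate"], trigger_id) in whitelisted
                rows.append({"rule": rule["id"], "gate": rule["gate"], "trigger_id": trigger_id,
                             "action": rule["action"], "whitelisted": skip})
                if not skip and ACTION_RANK[rule["action"]] > ACTION_RANK[final]:
                    final = rule["action"]
    return {"final_action": final, "rows": rows}


if __name__ == "__main__":
    result = evaluate(POLICY_BUNDLE, IMAGE_ANALYSIS)
    for row in result["rows"]:
        print(row)
    print("final action:", result["final_action"])
```

Whitelisted matches are still recorded as rows, so an audit of the evaluation shows which accepted-risk entries suppressed a STOP; only the final action ignores them.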
Clair is an open-source, free-to-use scanning tool. It scans images layer by layer to provide notifications
of vulnerabilities that may be a threat. Clair can detect vulnerabilities in OS and non-OS packages.
Vulnerabilities found are based on the CVE database and similar databases from Red Hat, Ubuntu,
Debian, etc. This is done via static analysis, not at runtime.

Clair's analysis is broken into three distinct parts: indexing, matching, and notifications.

Indexing - Indexing starts with submitting a Manifest to Clair. On receipt, Clair will fetch layers, scan
their contents, and return an intermediate representation called an IndexReport.

Matching - Matching takes an IndexReport and correlates it with the vulnerabilities affecting the
manifest the report represents.

Notifications - When new vulnerabilities are discovered, the notifier service will determine if these
vulnerabilities affect any indexed Manifests.

Clair is officially packaged and released as a container at quay.io/projectquay/clair. The latest tag tracks
the git development branch, and version tags are built from the corresponding release.

Claircore - Claircore is the engine behind the Clair v4 container security solution. The Claircore package
exports our domain models, interfaces necessary to plug into our business logic, and a default set of
implementations.

Indexer: image manifest -> Libindex -> IndexReport -> database

Matcher: database -> IndexReport -> Libvuln -> VulnReport
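The three Clair phases above (indexing a manifest into an IndexReport, matching that report against the vulnerability database, and notifying when new vulnerabilities affect already-indexed manifests) can be modelled end to end. The example below is an added toy model written for these notes; it is not Clair or Claircore code. The manifests, layers and vulnerability records are constructed (VULN-000x ids are placeholders), and the numeric version comparison is a simplification: Clair uses distribution-specific version semantics when it matches.

```python
"""Toy model of Clair's indexer -> matcher -> notifier flow (constructed data, not Clair code)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    distro: str          # matching is keyed on distro + package name


@dataclass(frozen=True)
class Vulnerability:
    id: str
    distro: str
    package: str
    fixed_in: str        # "" means no fixed version exists: every version is affected
    severity: str


@dataclass
class Manifest:
    hash: str
    layers: list         # [(layer_digest, [Package, ...]), ...] as a layer scan would find them


@dataclass
class IndexReport:
    manifest_hash: str
    packages: dict = field(default_factory=dict)       # "name@version" -> Package
    introduced_in: dict = field(default_factory=dict)  # "name@version" -> layer digest


def version_key(v):
    """Simplified numeric comparison; real distributions need their own version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


class Indexer:
    """Libindex role: scans each layer digest once and stores the resulting IndexReports."""
    def __init__(self):
        self.layer_cache, self.scans, self.reports = {}, 0, {}

    def scan_layer(self, digest, contents):
        if digest not in self.layer_cache:      # shared base layers are scanned only once
            self.scans += 1
            self.layer_cache[digest] = tuple(contents)
        return self.layer_cache[digest]

    def index(self, manifest):
        report = IndexReport(manifest.hash)
        for digest, contents in manifest.layers:
            for pkg in self.scan_layer(digest, contents):
                key = f"{pkg.name}@{pkg.version}"
                report.packages.setdefault(key, pkg)
                report.introduced_in.setdefault(key, digest)
        self.reports[manifest.hash] = report    # the "database" of indexed manifests
        return report


def affects(vuln, pkg):
    if vuln.distro != pkg.distro or vuln.package != pkg.name:
        return False
    return vuln.fixed_in == "" or version_key(pkg.version) < version_key(vuln.fixed_in)


def match(report, vuln_db):
    """Libvuln role: correlate an IndexReport with the vulnerability database."""
    out = {}
    for key, pkg in report.packages.items():
        hits = sorted(v.id for v in vuln_db if affects(v, pkg))
        if hits:
            out[key] = hits
    return out


def notify(new_vulns, indexed_reports):
    """Notifier role: which stored manifests do newly published vulnerabilities affect?"""
    affected = {}
    for manifest_hash, report in indexed_reports.items():
        hits = sorted({v.id for v in new_vulns for pkg in report.packages.values() if affects(v, pkg)})
        if hits:
            affected[manifest_hash] = hits
    return affected


# Constructed sample: two images sharing one base layer, and a small vulnerability feed.
D = "exampleos:1"
BASE = ("sha256:base", [Package("openssl", "1.1.0", D), Package("bash", "5.0", D)])
MANIFESTS = [
    Manifest("m-app1", [BASE, ("sha256:app1", [Package("curl", "7.0", D)])]),
    Manifest("m-app2", [BASE, ("sha256:app2", [Package("python", "3.8", D)])]),
]
VULN_DB = [
    Vulnerability("VULN-0001", D, "openssl", "1.1.1", "High"),
    Vulnerability("VULN-0002", D, "curl", "7.1", "Medium"),
    Vulnerability("VULN-0003", D, "python", "", "Low"),
    Vulnerability("VULN-0004", "otheros:2", "openssl", "1.1.1", "High"),  # other distro: no match
    Vulnerability("VULN-0005", D, "bash", "4.4", "High"),                 # already fixed in 5.0
]

if __name__ == "__main__":
    indexer = Indexer()
    for m in MANIFESTS:
        print(m.hash, match(indexer.index(m), VULN_DB))
    print("layer scans:", indexer.scans)
    print(notify([Vulnerability("VULN-0006", D, "bash", "5.1", "High")], indexer.reports))
```

Because the notifier only needs the stored IndexReports, a new feed entry is checked against every indexed image without re-pulling or re-scanning any layer; that is the point of separating indexing from matching.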

Summary:

Trivy prioritizes simplicity and speed when testing images, especially for CI/CD integration, but it
may lack the advanced features provided by more comprehensive container security platforms, and its
policy management and customization options are less advanced.

Anchore offers in-depth image analysis, compliance checks, and policy-based evaluations, and provides
a robust solution, but its complexity and flexibility mean a steeper learning curve for users who are new
to container security.

Clair's simplicity and its integration into container orchestration systems are key considerations, but
it lacks runtime monitoring capabilities.
