
Aiden Bolin

Originally published at mindsparkstack.com

Vuls vs Trivy vs Grype: when to pick which CVE scanner (from the team that built one more)

I shipped a CVE patch-ops tool last month. The most common feedback from engineers, in order:

  1. "Why not just use Vuls?"
  2. "Doesn't Trivy already do this?"
  3. "Isn't Grype better?"

All three are fair. They are all good. Here is the honest comparison I wish someone had handed me before I built mine.

Vuls.io — the original self-hosted host scanner

Vuls is the closest open-source equivalent to a managed patch-ops product. It's mature (started in 2016), written in Go, and it does the same fundamental work: pull advisories from the upstream feeds, snapshot your box's package state, and match the two.

Pick Vuls if:

  • You want everything on-prem / air-gapped — no third party sees your inventory.
  • You have at least an afternoon of ops time to wire it up (config server, cron, report exporter, your own alerting).
  • You're comfortable writing your own remediation playbooks. Vuls tells you the package + fixed version; what you do with it is up to you.
  • You already have a Prometheus/Grafana stack you can plug the JSON output into.

Skip Vuls if:

  • You're a 1-3 person dev shop and ops time is the bottleneck. You'll set it up, it'll run for two weeks, then a cron will silently fail and you'll forget about it for two months.

Trivy — containers and IaC, host CVEs as a bonus

Trivy from Aqua is the most popular scanner now, but it's container-and-IaC-shaped. It scans images, Dockerfiles, Terraform/CloudFormation, Kubernetes manifests, SBOM files, and yes — also host filesystems via trivy rootfs /. The latter is a real feature, but it's a sidecar to the container story.

Pick Trivy if:

  • Your security risk is concentrated in container images and you ship a lot of them.
  • You want SBOM generation + license scanning + secret detection + misconfig in one binary.
  • You're running Kubernetes and want admission-controller integration.

Skip Trivy for host CVE management if:

  • Your fleet is bare-metal VPSes (no containers) — you're paying for a container model that doesn't fit your shape.
  • You want per-host audit URLs that your customers can read, not just a CLI report.

Grype — SBOM-first, simple

Grype from Anchore is the cleanest of the three. Generate an SBOM with syft, pipe it to grype, get findings. It does exactly that and not much else.

Pick Grype if:

  • You're already producing SBOMs as part of your build pipeline (you should be).
  • You want a tool that does one thing well — match SBOM packages against the vulnerability DB.
  • You're scripting CI gates and need predictable exit codes.

Skip Grype if:

  • You want the fix-action layer ("here is the apt command to run") — Grype is a finder, not a fixer.
  • You need continuous monitoring of a running host, not a snapshot at build time.
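As an added example (not code from Vuls, Grype or StackPatch), here is the snapshot-and-match loop the Vuls section describes, carried through to the two things the Grype section says you may want on top of a finder: a severity gate with a predictable exit code for CI, and the "here is the apt command" fix layer. The package snapshot, the advisory feed and the ADV-000x identifiers are constructed placeholders; dpkg_compare implements dpkg's version ordering so that "installed is older than fixed" is decided the way apt would decide it, including epochs and tilde pre-releases.

```python
"""Snapshot-and-match host CVE scan: installed package state, matched against
an advisory feed with dpkg version ordering, then a CI severity gate and exact
upgrade one-liners.  Added example; snapshot, feed and IDs are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for `dpkg-query -W -f='${Package} ${Version}\n'` output.
DPKG_SNAPSHOT = """\
openssl 3.0.2-0ubuntu1.10
curl 7.81.0-1ubuntu1.15
libxml2 2.9.13+dfsg-1ubuntu0.3
bash 5.1-6ubuntu1
"""

# Constructed advisory feed: placeholder IDs (not real CVEs), made-up fixed versions.
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "severity": "high", "fixed": "3.0.2-0ubuntu1.12"},
    {"id": "ADV-0002", "package": "curl", "severity": "critical", "fixed": "7.81.0-1ubuntu1.16"},
    {"id": "ADV-0003", "package": "libxml2", "severity": "medium", "fixed": "2.9.13+dfsg-1ubuntu0.3"},  # already fixed
    {"id": "ADV-0004", "package": "bash", "severity": "low", "fixed": None},  # no fixed version published yet
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters sort before other non-digit characters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) the way dpkg does:
    alternating non-digit runs (weighted lexically) and digit runs (numerically)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":  # leading zeros carry no weight
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1   # longer digit run is the larger number
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


@dataclass
class Finding:
    advisory: str
    package: str
    installed: str
    fixed: Optional[str]
    severity: str


def parse_snapshot(text: str) -> dict:
    """'name version' lines -> {name: version}."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())


def match(installed: dict, advisories: list) -> list:
    """Affected = installed and (no fix exists or installed sorts below the fix)."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue
        if adv["fixed"] is None or dpkg_compare(current, adv["fixed"]) < 0:
            findings.append(Finding(adv["id"], adv["package"], current, adv["fixed"], adv["severity"]))
    return findings


def gate_exit_code(findings: list, fail_on: str) -> int:
    """CI gate: 1 when any finding is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


def remediation(findings: list) -> list:
    """The fixer layer: one exact apt one-liner per finding that has a fix."""
    return [f"apt install --only-upgrade {f.package}={f.fixed}" for f in findings if f.fixed]


if __name__ == "__main__":
    found = match(parse_snapshot(DPKG_SNAPSHOT), ADVISORIES)
    for f in found:
        print(f"{f.advisory} {f.package} {f.installed} -> {f.fixed or 'no fix yet'} [{f.severity}]")
    print("\n".join(remediation(found)))
    raise SystemExit(gate_exit_code(found, "high"))
```

Run as a script it prints the three affected packages, the two apt one-liners, and exits non-zero because the openssl finding meets the "high" threshold; the unfixed bash advisory is still reported but produces no command, which is the distinction between a finder and a fixer the Grype section draws.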

StackPatch — the one I built

Built specifically for indie SaaS shops running 1-3 Linux boxes. The bet is that the gap between "free OSS scanners you have to babysit" and "$25-50K/yr Snyk-class products" leaves out tens of thousands of indie founders. So:

  • Hosted by us. No apt install vuls. SSH read-only or a small read-only agent, both of which you can revoke instantly.
  • Action-first. Every finding ships with the exact apt install --only-upgrade pkg=fixed-version one-liner, or the modprobe blacklist syntax for kernel-module CVEs, or the pro attach + apt upgrade flow for Ubuntu Pro / ESM fixes.
  • Public audit URL per server. A read-only URL you can hand to your enterprise prospects: "here is our security posture, timestamped." Replaces the emailed PDF that's stale a week later.
  • Indie-priced. $99 lifetime for the first 50 founders, then $19-49/mo. Snyk's smallest sales-team-required tier is roughly 10x that.

Pick StackPatch if:

  • You're a solo founder or 1-3 person team on Ubuntu / Debian / Alpine / AlmaLinux / Rocky.
  • You want patch ops to be a 5-minute habit, not a 5-hour setup.
  • You want a public security URL more than you want CLI integration.

Skip StackPatch if:

  • You need air-gap / on-prem — use Vuls.
  • Your scope is container images, not running hosts — use Trivy.
  • You're already producing SBOMs in CI — use Grype.

Decision matrix

| Shape | Best fit |
|---|---|
| Bare-metal VPS fleet, no security team | StackPatch (hosted) or Vuls (self-hosted) |
| Container-heavy CI/CD | Trivy |
| SBOM-driven build pipeline | Grype |
| Air-gapped / no third party allowed | Vuls |
| Enterprise + budget + compliance team | Snyk / Tenable / Wiz |

The competitive landscape is honest. I'm not pretending StackPatch beats Vuls on universality or Trivy on container coverage. I'm betting on a different problem shape: indie founders who'd pay $19-99 for a hosted patch-ops tool that hands them a per-server URL and an exact remediation command.

If you're in that shape, the free quickscan takes 30 seconds. If you're in a different shape, one of the other three is the right answer — and I'd rather lose the sale than be the wrong tool for your workload.

Full comparison breakdowns are on /patch/vs-vuls, /patch/vs-trivy, and /patch/vs-grype. Comments open — I'll defend or concede whichever way the argument goes.
