An Empirical Analysis of Open-Source Container Vulnerability Scanners: A Case Study of Trivy and Grype

Containerization has become the standard for modern software deployment, yet the security of container images remains a critical challenge. As organizations shift towards DevSecOps, vulnerability scanning is becoming an essential practice in CI/CD pipelines. However, selecting the appropriate tool remains difficult due to opaque scanning logic and differing vulnerability databases. This paper presents a comparative analysis of two leading open-source scanners: Trivy (by Aqua Security) and Grype (by Anchore). Using a diverse test bench of six container images, including End-of-Life (EOL) operating systems and complex applications, we evaluated both tools based on performance (scan time and memory usage) and accuracy (vulnerability detection counts). My findings reveal significant philosophical differences: Grype consistently detects historical vulnerabilities in EOL software where Trivy reports zero, whereas Trivy demonstrates significantly lower memory footprints in most scenarios. We also identify critical performance anomalies, such as Trivy's default Java database download causing a 10x slowdown in specific environments.