docs/commercial/compare.md
Trivy is proudly maintained by Aqua Security. If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering. In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product. If you'd like to learn more or request a demo, click here to contact us.
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Interface | CLI tool | CLI tool |
| Enterprise-grade web application | ||
| SaaS or on-prem | ||
| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization |
| Visually discover risks across your organization | ||
| User management | - | Multi account |
| Granular permissions (RBAC) | ||
| Single Sign On (SSO) | ||
| Support | Some skills required for setup and integration | |
| Best effort community support | Personal onboarding by Aqua Customer Success | |
| SLA backed professional support | ||
| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently |
| Highly available production grade architecture | ||
| Rate limiting | Assets hosted on public free infrastructure and could be rate limited | Assets hosted on Aqua infrastructure and does not have limitations |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
| New Vulnerabilities SLA | No SLA | Commercial level SLA |
| Package managers | Find packages in lock files | Find packages in lock files or reconstructed lock files |
| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution |
| Vulnerability tracking and suppression | ||
| Incident lifecycle management | ||
| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools: |
| Accessibility of the affected resources | ||
| Exploitability of the vulnerability | ||
| Open Source packages health and trustworthiness score | ||
| Affected image layers | ||
| Reachability analysis | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
| Compiled binaries | Find embedded dependencies in Go and Rust binaries | |
| Find SBOM by hash in public Sigstore | In addition, identify popular applications |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Windows containers | - | Support scanning windows containers |
| Scan container registries | - | Connect to any container registries and automatically scan it |
| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports registry specific authentication schemes |
| Layer cache | Local cache directory | Scalable Cloud cache |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Malware scanning | - | Scan container images for malware |
| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
| CI/CD policies | Can fail the entire build on any finding | Granular policies to fail builds based on custom criteria |
| Container engine | - | Block incompliant images from running at container engine level |
| Block vulnerable packages | - | vShield – monitor and block usage of vulnerable packages |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Detected patterns | Basic patterns | Advanced patterns |
| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Infrastructure as Code (IaC) | Many popular languages as detailed here | In addition, Build Pipeline configuration scanning |
| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface |
| Customize existing checks with organizational preferences | ||
| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
| Custom compliance | Create in YAML | Create in a web UI |
| Remediation advice | Basic | AI powered specialized remediation guides |
| Feature | Trivy OSS | Aqua |
|---|---|---|
| Scan initiation | CLI / Kubernetes Operator | Kubernetes Operator / Management web application |
| Results consumption | kubectl / CRD / Prometheus exporter | In addition, Advanced UI dashboards, Automatic notifications and incident management flows |
| Cluster discovery | Kubeconfig | Automatic discovery thorough cloud onboarding |
| Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
| Scope | Single cluster | Multi cluster, Cloud relationship |
| Scalability | Reports limited by in-cluster etcd storage (size and number of reports) | Cloud-based storage (unlimited scalability) |