Scanner Comparison¶
A detailed comparison of all scanners supported by Mayo ASPM.
Overview¶
| Feature | Grype | Trivy | Semgrep | Gitleaks |
|---|---|---|---|---|
| Type | SCA | SCA + Container + IaC | SAST | Secret Detection |
| What it detects | Dependency CVEs | Dependency CVEs, container vulns, IaC misconfig | Code-level vulns | Hardcoded secrets |
| Speed | Fast | Fast | Medium | Fast |
| Accuracy | Very high | Very high | High | Medium-High |
| False positive rate | Very low | Very low | Low-Medium | Medium |
Detection capabilities¶
Vulnerability types¶
| Vulnerability type | Grype | Trivy | Semgrep | Gitleaks |
|---|---|---|---|---|
| Known CVEs in dependencies | Yes | Yes | No | No |
| SQL injection | No | No | Yes | No |
| Cross-site scripting (XSS) | No | No | Yes | No |
| Server-side request forgery | No | No | Yes | No |
| Path traversal | No | No | Yes | No |
| Insecure deserialization | No | No | Yes | No |
| Hardcoded passwords | No | No | Partial | Yes |
| API keys and tokens | No | No | No | Yes |
| Private keys | No | No | No | Yes |
| Container image CVEs | No | Yes | No | No |
| Dockerfile misconfigurations | No | Yes | Yes | No |
| Terraform misconfigurations | No | Yes | Yes | No |
| License compliance | No | Yes | No | No |
Package manager support (SCA)¶
| Package manager | Grype | Trivy |
|---|---|---|
| npm / yarn / pnpm | Yes | Yes |
| pip / poetry / pipenv | Yes | Yes |
| Go modules | Yes | Yes |
| Maven / Gradle | Yes | Yes |
| NuGet (.NET) | Yes | Yes |
| Cargo (Rust) | Yes | Yes |
| RubyGems | Yes | Yes |
| Composer (PHP) | Yes | Yes |
| CocoaPods (Swift) | Yes | Yes |
| Hex (Elixir) | Yes | Yes |
| CPAN (Perl) | Partial | Partial |
Language support (SAST)¶
Semgrep is the only SAST scanner Mayo ASPM supports. Its language coverage:
| Language | Coverage level |
|---|---|
| JavaScript / TypeScript | Extensive |
| Python | Extensive |
| Java / Kotlin | Extensive |
| Go | Strong |
| Ruby | Strong |
| PHP | Strong |
| C# | Strong |
| Rust | Moderate |
| Swift | Moderate |
| Scala | Moderate |
| Bash / Shell | Basic |
| Terraform (HCL) | Strong |
| YAML / JSON | Basic |
Performance comparison¶
Benchmarks on a typical medium-sized repository (~50,000 lines of code):
| Scanner | Scan time | Memory usage | CPU usage |
|---|---|---|---|
| Grype | 10-15 seconds | ~200 MB | Low |
| Trivy | 15-30 seconds | ~300 MB | Low |
| Semgrep | 60-180 seconds | ~500 MB | Medium |
| Gitleaks | 5-10 seconds | ~100 MB | Low |
PR scan performance¶
| Scanner | Typical PR scan time | Impact on CI |
|---|---|---|
| Grype | 10-20 seconds | Negligible |
| Trivy | 15-30 seconds | Negligible |
| Semgrep | 30-120 seconds | Moderate |
| Gitleaks | 5-15 seconds | Negligible |
Vulnerability database¶
| Scanner | Database | Update frequency | Source |
|---|---|---|---|
| Grype | Grype DB | Multiple times daily | NVD, GitHub Advisories, vendor feeds |
| Trivy | Trivy DB | Multiple times daily | NVD, GitHub Advisories, vendor feeds, Red Hat, Alpine |
| Semgrep | Semgrep Registry | Weekly | Semgrep community + Mayo ASPM custom rules |
| Gitleaks | Gitleaks rules | Monthly | Gitleaks community patterns |
Recommended combinations¶
Minimum coverage¶
Fast and high-signal: Grype for dependency CVEs plus Gitleaks for secret detection.
Standard coverage¶
Adds Semgrep on top of the minimum set for code-level (SAST) vulnerability detection.
Comprehensive coverage¶
Full coverage including container images and IaC: Trivy (which adds container image, IaC and license scanning) alongside Semgrep and Gitleaks.
Container-focused¶
Best for containerized workloads: Trivy covers dependencies, container images, and IaC in a single scanner, so a separate SCA scanner is not needed.
Grype vs. Trivy¶
These two scanners overlap in SCA capability. The rows below describe the role each plays in Mayo ASPM; Grype upstream can also scan container images and OS packages, but the table reflects how it is used here. Key differences:
| Feature | Grype | Trivy |
|---|---|---|
| Focus | SCA only | Multi-purpose |
| Container scanning | No | Yes |
| IaC scanning | No | Yes |
| OS package scanning | No | Yes |
| License scanning | No | Yes |
| Scan speed (SCA only) | Slightly faster | Slightly slower |
| Database freshness | Comparable | Comparable |
Recommendation: Use Grype for pure SCA workloads. Use Trivy when you also need container, OS package, or IaC scanning. Running both for SCA provides marginal benefit: their databases draw on the same upstream sources (NVD, GitHub Advisories, vendor feeds) with comparable freshness, so the findings largely overlap.
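To check that overlap on your own repository rather than take it on faith, the following added example (not Mayo ASPM or scanner code) normalises a `grype -o json` report and a `trivy fs --format json` report to one finding key and reports what each tool found that the other did not. The report shapes follow the real CLIs; the records embedded below are constructed samples, not captured scanner output, and the `ECOSYSTEM_ALIASES` map is an assumption that only covers a few ecosystems. Two details matter for an honest comparison: Grype reports GitHub Advisory matches under their GHSA id with the CVE in `relatedVulnerabilities`, while Trivy reports the CVE directly, so ids must be canonicalised before comparing; and the two tools label ecosystems differently (Syft's `python` versus Trivy's `pip`/`poetry`).

```python
"""Added example, not Mayo ASPM or scanner code: quantify the Grype/Trivy SCA
overlap by normalising both tools' JSON reports to one finding key."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample in `grype -o json` shape (matches[].vulnerability/artifact).
# Grype reports GitHub Advisory matches by GHSA id and lists the CVE under
# relatedVulnerabilities; a naive compare against Trivy would count it twice.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-35jh-r3h4-6jhm", "severity": "High"},
     "relatedVulnerabilities": [{"id": "CVE-2021-23337"}],
     "artifact": {"name": "lodash", "version": "4.17.15", "type": "npm"}},
    {"vulnerability": {"id": "CVE-2020-8203", "severity": "High"},
     "artifact": {"name": "lodash", "version": "4.17.15", "type": "npm"}},
    {"vulnerability": {"id": "CVE-2022-25883", "severity": "High"},
     "artifact": {"name": "semver", "version": "5.7.1", "type": "npm"}},
]})

# Constructed sample in `trivy fs --format json` (schema v2) shape.
TRIVY_JSON = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash",
          "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2020-28500", "PkgName": "lodash",
          "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "MEDIUM"},
         {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
          "InstalledVersion": "5.7.1", "FixedVersion": "5.7.2", "Severity": "HIGH"},
     ]},
    # A clean target: Trivy omits the "Vulnerabilities" key entirely.
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
]})

# Partial alias map (assumption; extend for your stack). Syft/Grype and Trivy
# name ecosystems differently, e.g. "python" vs "pip"/"poetry", "go-module" vs "gomod".
ECOSYSTEM_ALIASES = {
    "npm": "npm", "yarn": "npm", "pnpm": "npm",
    "python": "pypi", "pip": "pypi", "pipenv": "pypi", "poetry": "pypi",
    "go-module": "golang", "gomod": "golang",
}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    package: str
    version: str
    vuln_id: str  # canonical id: the CVE when one is known, else the advisory id


def canonical_id(vuln_id: str, related: list[dict]) -> str:
    """Prefer a CVE id so a GHSA from one tool and the CVE from the other
    collapse into the same finding instead of being counted as two."""
    if vuln_id.upper().startswith("CVE-"):
        return vuln_id.upper()
    for rel in related:
        rid = str(rel.get("id", "")).upper()
        if rid.startswith("CVE-"):
            return rid
    return vuln_id.upper()


def normalize_ecosystem(label: str) -> str:
    return ECOSYSTEM_ALIASES.get(label.lower(), label.lower())


def parse_grype(raw: str) -> set[Finding]:
    findings = set()
    for match in json.loads(raw).get("matches", []):
        art = match["artifact"]
        findings.add(Finding(
            normalize_ecosystem(art.get("type", "")), art["name"].lower(), art["version"],
            canonical_id(match["vulnerability"]["id"], match.get("relatedVulnerabilities", [])),
        ))
    return findings


def parse_trivy(raw: str) -> set[Finding]:
    findings = set()
    for result in json.loads(raw).get("Results", []):
        eco = normalize_ecosystem(result.get("Type", ""))
        for vuln in result.get("Vulnerabilities") or []:  # absent or null when clean
            findings.add(Finding(eco, vuln["PkgName"].lower(), vuln["InstalledVersion"],
                                 canonical_id(vuln["VulnerabilityID"], [])))
    return findings


def compare(grype_raw: str, trivy_raw: str) -> dict[str, set[Finding]]:
    grype, trivy = parse_grype(grype_raw), parse_trivy(trivy_raw)
    return {"both": grype & trivy, "grype_only": grype - trivy, "trivy_only": trivy - grype}


def overlap_ratio(grype_raw: str, trivy_raw: str) -> float:
    """Jaccard similarity of the two finding sets (1.0 means identical results)."""
    parts = compare(grype_raw, trivy_raw)
    union = len(parts["both"]) + len(parts["grype_only"]) + len(parts["trivy_only"])
    return len(parts["both"]) / union if union else 1.0


if __name__ == "__main__":
    for bucket, items in compare(GRYPE_JSON, TRIVY_JSON).items():
        print(bucket, sorted(f"{f.package}@{f.version} {f.vuln_id}" for f in items))
    print(f"overlap (Jaccard): {overlap_ratio(GRYPE_JSON, TRIVY_JSON):.2f}")
```

Run it against real reports by replacing the two constants with the contents of `grype -o json .` and `trivy fs --format json .`; if the `grype_only` and `trivy_only` buckets stay small across a few representative repositories, the second SCA scanner is adding cost without adding signal. When they are not small, look first at ecosystem labelling (a missing alias puts every finding for that ecosystem in both "only" buckets) before concluding the databases differ.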
Next steps¶
- Supported languages — detailed language coverage
- Scanner selection guide — choosing scanners for your stack
- PR scanning strategy — scanner selection for PRs