Beyond Trivy and tfsec - Comparing Alternative Security Scanning Tools (Grype, Checkov, Snyk, KICS)
In March 2026, Trivy’s release infrastructure was compromised in a supply chain attack. Attackers hijacked GitHub Actions tags, published fake releases, and pushed malicious images to Docker Hub. As of March 25, 2026, vulnerability database updates remain suspended. For a detailed technical breakdown of the attack, see the comprehensive write-up on the Trivy compromise (Japanese).
Meanwhile, tfsec has been in maintenance-only mode since February 2023 when Aqua Security announced its consolidation into Trivy. The last release, v1.28.14 (May 2025), contained only a dependency CVE fix. No new scanning rules have been added since early 2024.
Given these developments, we investigated what alternatives exist beyond Trivy and tfsec. This article compares tools for both vulnerability scanning and IaC scanning, and provides selection criteria to help teams diversify their security tooling.
Why Evaluate Alternatives Now
Trivy’s scanning engine itself was not compromised. The attack targeted release infrastructure and distribution channels. With SHA pinning and cosign verification, continued use is viable.
However, relying on Trivy as your sole scanning tool carries risk:
- Vulnerability database updates are suspended, meaning vulnerabilities disclosed after the incident cannot be detected
- Incident response is still ongoing with no announced timeline for full restoration
- The attack cascaded to Checkmarx KICS and npm packages, highlighting how single-vendor dependency concentrates risk
As for tfsec, Aqua Security has made its consolidation into Trivy explicit. It is no longer a realistic choice for new projects.
Vulnerability Scanning Tools
These tools scan container images and application dependencies for known vulnerabilities.
Grype (Anchore)
Grype is an Apache 2.0 licensed open-source vulnerability scanner distributed as a single binary with no dependencies.
Strengths
- Composite risk scoring combining CVSS, EPSS (Exploit Prediction Scoring System), and CISA KEV catalog status for more precise vulnerability prioritization than Trivy
- Pairs with Syft for SBOM-first workflows
- Incremental database updates reduce bandwidth consumption in high-frequency scanning environments
- ~11,500 GitHub stars with frequent releases (e.g., v0.110.0 as of March 2026)
Limitations
- Focused exclusively on vulnerability matching. Does not scan IaC, detect secrets, or check licenses
- Unlike Trivy’s “all-in-one” approach, separate tools are needed for each scanning domain
Best for: Teams that prioritize open-source tooling with accurate vulnerability detection and prioritization.
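To make the prioritization point concrete, here is an added illustration of composite risk ranking. It is not Grype's scoring code and does not use Grype's JSON schema: the `Finding` record, its field names, the ordering rule (KEV status first, then EPSS, then CVSS), the EPSS threshold of 0.1 and the action buckets are all assumptions chosen for this example, and the CVE identifiers are placeholders. It shows how a CVSS-only ranking and a composite ranking order the same findings differently.

```python
"""Rank vulnerability findings by composite risk (added example, not Grype code).

Ordering rule (assumed for illustration): CISA KEV status first, then EPSS
probability, then CVSS base score. A CVSS-only ranking is kept alongside it
to show how the two disagree on the same input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: float   # CVSS base score, 0.0 - 10.0
    epss: float   # EPSS probability of exploitation within 30 days, 0.0 - 1.0
    kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog


# Constructed sample findings; the CVE identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", cvss=9.8, epss=0.02, kev=False),
    Finding("CVE-0000-0002", "libother",   cvss=7.5, epss=0.91, kev=True),
    Finding("CVE-0000-0003", "libthird",   cvss=5.3, epss=0.65, kev=False),
    Finding("CVE-0000-0004", "libfourth",  cvss=7.2, epss=0.01, kev=False),
]


def cvss_only(findings):
    """Baseline: severity ranking by CVSS base score alone."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def composite_key(f: Finding) -> tuple:
    """Tuple compared lexicographically: KEV (True > False), then EPSS, then CVSS."""
    return (f.kev, f.epss, f.cvss)


def prioritize(findings):
    """Composite ranking: known-exploited first, then most likely to be exploited."""
    return sorted(findings, key=composite_key, reverse=True)


def bucket(f: Finding, epss_threshold: float = 0.1) -> str:
    """Map a finding to an action bucket (thresholds are assumptions for the example)."""
    if f.kev or f.epss >= epss_threshold:
        return "fix-now"       # actively exploited or likely to be: patch immediately
    if f.cvss >= 9.0:
        return "schedule"      # severe on paper but low exploitation signal
    return "backlog"


def triage(findings):
    """Return (cve, bucket) pairs in composite priority order."""
    return [(f.cve, bucket(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    print("CVSS only :", cvss_only(SAMPLE_FINDINGS))
    print("composite :", triage(SAMPLE_FINDINGS))
```

In practice the records would be populated from scanner output (for Grype, `grype -o json`), mapping whatever fields the installed version emits onto `Finding`; that mapping is deliberately left out here so the example does not assume a particular output schema.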
Docker Scout
Docker Scout is a freemium scanning service deeply integrated with Docker Hub and Docker Desktop.
Strengths
- Event-driven vulnerability detection that flags new CVEs without re-scanning
- Automatic base image upgrade recommendations that show how to resolve vulnerabilities
- Tight Docker Desktop integration lets developers see scan results locally
Limitations
- Heavily tied to the Docker ecosystem; limited value if not using Docker Hub
- Not open-source; freemium pricing model
- Less flexible in CI/CD environments compared to Grype or Trivy
Best for: Teams whose development workflow centers on Docker Hub and Docker Desktop.
Snyk Container / Open Source
Snyk is a commercial tool (with a limited free tier) designed with developer experience as a priority.
Strengths
- Reachability Analysis determines whether vulnerable code is actually invoked, dramatically reducing false positives
- Goes beyond flagging issues by generating automated fix pull requests and base image change suggestions
- Rich integrations with GitHub, GitLab, Bitbucket, and other platforms
Limitations
- Commercial license required ($25/developer/month, scaling to $5,000-$70,000/year for enterprise)
- Restrictions on free usage for open-source projects
Best for: Enterprise organizations that need commercial support, a unified dashboard, and want to minimize developer remediation effort.
Vulnerability Scanning Comparison
| Criteria | Grype | Docker Scout | Snyk |
|---|---|---|---|
| License | Apache 2.0 | Freemium | Commercial (free tier) |
| Scan targets | Container / FS / SBOM | Container (Docker-centric) | Container / OSS dependencies |
| Prioritization | CVSS + EPSS + KEV | CVSS | CVSS + Reachability Analysis |
| SBOM integration | Syft | Docker SBOM | Snyk SBOM |
| Auto-fix suggestions | No | Base image recommendations | Automated fix PRs |
| CI/CD integration | CLI / GitHub Actions | Docker CLI / GitHub Actions | CLI / multiple CI platforms |
| GitHub Stars | ~11,500 | N/A (not OSS) | N/A (commercial) |
IaC Scanning Tools
These tools detect misconfigurations in Terraform, CloudFormation, and other infrastructure-as-code definitions.
Checkov (Bridgecrew / Palo Alto Networks)
Checkov is the most feature-rich open-source IaC scanner available today.
Strengths
- The key differentiator is graph-based cross-resource analysis. It validates relationships between resources (e.g., not just whether an S3 bucket is encrypted, but whether an internet gateway can route to it)
- 1,000+ built-in policies covering CIS, SOC 2, PCI DSS, NIST, and HIPAA
- Supports 12+ IaC platforms: Terraform, CloudFormation, Kubernetes, Helm, Bicep, OpenTofu, and more
- Apache 2.0 licensed, 80M+ downloads, very high release frequency (v3.2.510 as of March 2026)
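The difference between an attribute check and a cross-resource check is easier to see in code. The following is an added illustration of the graph idea, not Checkov's implementation, and it does not parse HCL: `RESOURCES` is a constructed, simplified model of a Terraform configuration (subnets point at their route table directly rather than through a route table association), and the exposure question is one I chose for the example rather than the S3 case mentioned above: is an instance both in a subnet that routes 0.0.0.0/0 to an internet gateway and attached to a security group open to 0.0.0.0/0?

```python
"""Cross-resource exposure check over a small resource graph (added example).

Not Checkov code. RESOURCES is a constructed, simplified stand-in for a
Terraform configuration. An attribute-only check can say "this security
group is open to the world"; only a graph walk can say "this instance is
reachable from the internet through that group".
"""
from collections import deque

# Constructed sample resources. 203.0.113.0/24 is a documentation range.
RESOURCES = {
    "aws_internet_gateway.igw": {"type": "aws_internet_gateway"},
    "aws_route_table.public": {
        "type": "aws_route_table",
        "routes": [{"cidr": "0.0.0.0/0", "gateway": "aws_internet_gateway.igw"}],
    },
    "aws_route_table.private": {"type": "aws_route_table", "routes": []},
    "aws_subnet.public": {"type": "aws_subnet", "route_table": "aws_route_table.public"},
    "aws_subnet.private": {"type": "aws_subnet", "route_table": "aws_route_table.private"},
    "aws_security_group.open_ssh": {
        "type": "aws_security_group",
        "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}],
    },
    "aws_security_group.office": {
        "type": "aws_security_group",
        "ingress": [{"port": 22, "cidr": "203.0.113.0/24"}],
    },
    # web: public subnet + world-open SG  -> exposed
    "aws_instance.web": {"type": "aws_instance", "subnet": "aws_subnet.public",
                         "security_groups": ["aws_security_group.open_ssh"]},
    # db: same open SG, but no route to the internet gateway -> not exposed via IGW
    "aws_instance.db": {"type": "aws_instance", "subnet": "aws_subnet.private",
                        "security_groups": ["aws_security_group.open_ssh"]},
    # bastion: public subnet, but SG restricted to one range -> not exposed
    "aws_instance.bastion": {"type": "aws_instance", "subnet": "aws_subnet.public",
                             "security_groups": ["aws_security_group.office"]},
}


def build_edges(resources):
    """Directed edges along which traffic leaves toward the internet gateway."""
    adj = {}
    for rid, r in resources.items():
        out = []
        if r["type"] == "aws_instance":
            out.append(r["subnet"])
        elif r["type"] == "aws_subnet":
            out.append(r["route_table"])
        elif r["type"] == "aws_route_table":
            out.extend(route["gateway"] for route in r["routes"] if route["cidr"] == "0.0.0.0/0")
        adj[rid] = out
    return adj


def reaches(adj, resources, start, target_type):
    """Breadth-first search: does any path from start end at a resource of target_type?"""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if resources[node]["type"] == target_type:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def sg_open_to_world(sg):
    return any(rule["cidr"] == "0.0.0.0/0" for rule in sg["ingress"])


def single_resource_findings(resources):
    """What an attribute-only rule reports: every security group open to the world."""
    return sorted(rid for rid, r in resources.items()
                  if r["type"] == "aws_security_group" and sg_open_to_world(r))


def cross_resource_findings(resources):
    """Instances that are internet-routable AND attached to a world-open security group."""
    adj = build_edges(resources)
    hits = []
    for rid, r in resources.items():
        if r["type"] != "aws_instance":
            continue
        open_sg = any(sg_open_to_world(resources[sg]) for sg in r["security_groups"])
        if open_sg and reaches(adj, resources, rid, "aws_internet_gateway"):
            hits.append(rid)
    return sorted(hits)


if __name__ == "__main__":
    print("attribute check  :", single_resource_findings(RESOURCES))
    print("graph check      :", cross_resource_findings(RESOURCES))
```

The attribute check flags the security group and stops there; the graph check names the one instance that is actually exposed and stays quiet about the database instance that shares the same group but has no internet route, which is the kind of precision the cross-resource analysis above is meant to deliver.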
Limitations
- Written in Python, so installation and runtime dependencies are slightly more complex than Go-based binary tools (Trivy, tfsec)
- Graph-based analysis is powerful but has a learning curve for custom rule authoring
Best for: Teams operating large-scale cloud infrastructure who need deep detection of cross-resource misconfigurations.
KICS (Checkmarx)
KICS stands out for its breadth of supported IaC platforms.
Strengths
- Supports 22+ platforms (Terraform, CloudFormation, Kubernetes, Ansible, Docker Compose, GitHub Workflows, Pulumi, OpenAPI, and more)
- 2,400+ built-in Rego queries
- Custom rule creation is straightforward for teams with OPA (Open Policy Agent) experience
Limitations
- Its GitHub Action was compromised by TeamPCP on March 23, 2026. Avoid tag-based references until the incident is fully remediated; use SHA pinning or direct CLI execution
- Does not offer Checkov’s graph-based cross-resource analysis
Best for: Teams with diverse IaC stacks who already use OPA/Rego for policy management.
Other IaC Scanning Tools
| Tool | Status | Notes |
|---|---|---|
| Terrascan | Archived | Tenable archived the repository in November 2025. Do not adopt |
| Regula | Archived | Archived in 2024. Effectively abandoned |
| Conftest | Active | General-purpose OPA/Rego policy testing. Requires writing your own rules, so positioned differently from Checkov or KICS with their extensive built-in policies |
IaC Scanning Comparison
| Criteria | Checkov | KICS | Conftest |
|---|---|---|---|
| License | Apache 2.0 | Apache 2.0 | Apache 2.0 |
| Supported platforms | 12+ | 22+ | Any (via Rego) |
| Built-in policies | 1,000+ | 2,400+ | None (bring your own) |
| Cross-resource analysis | Yes (graph-based) | No | No |
| Compliance frameworks | CIS / SOC 2 / PCI DSS / NIST / HIPAA | CIS / NIST | None |
| GitHub Stars | ~8,500 | ~2,600 | ~3,100 |
| March 2026 compromise impact | None | GitHub Action compromised | None |
Recommended Combinations
Based on our findings, here are two practical strategies.
Strategy A: Continue with Trivy + Defense in Depth
Preserve Trivy’s “one tool covers everything” convenience while distributing risk.
| Domain | Tool | Role |
|---|---|---|
| Vulnerability scanning (primary) | Trivy v0.69.3 (SHA-pinned) | Maintain existing workflows |
| Vulnerability scanning (secondary) | Grype | Defense-in-depth; fallback during Trivy DB outage |
| IaC scanning | Checkov | Cross-resource analysis complementing Trivy config |
If continuing with Trivy, follow GitHub’s official guidance by pinning all Actions to full commit SHAs, pulling container images by digest, and verifying binaries with cosign.
Strategy B: Full Migration Away from Trivy
Eliminate Aqua Security dependency entirely and remove single-vendor risk.
| Domain | Tool | Role |
|---|---|---|
| Vulnerability scanning | Grype | Container/FS vulnerability detection |
| SBOM generation | Syft | SBOM workflow paired with Grype |
| IaC scanning | Checkov | Graph-based IaC analysis |
This stack is entirely Apache 2.0 open-source. It does not offer Trivy’s single-tool convenience, but each tool excels in its domain, which can yield better scanning accuracy overall.
CI/CD Measures to Adopt Regardless of Tool Choice
No matter which tools you select, your CI/CD pipeline itself needs hardening. The Trivy compromise highlighted these essential measures:
- Pin GitHub Actions to full commit SHAs: Rewriting mutable tags (`@v0.34.0` etc.) was the core mechanism of this attack. Pin all third-party Actions to 40-character commit SHAs
- Adopt OIDC for short-lived tokens: Use GitHub Actions OIDC so runners never hold static credentials
- Minimize `GITHUB_TOKEN` permissions: Default to `read` via explicit `permissions` blocks
- Use ephemeral self-hosted runners: Destroy runners after each job so no data persists between jobs
- Audit `pull_request_target` workflows: This trigger grants secret access to fork PRs and should be reviewed
For detailed guidance on these measures, see the Trivy compromise write-up (Japanese) and GitHub’s official security hardening documentation.
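Several of these measures can be checked mechanically before a workflow is merged. The script below is an added example (not part of this article's original content or of GitHub's tooling) that scans a workflow file for the patterns above: Actions referenced by tag instead of a 40-hex commit SHA, container images pulled by tag instead of digest, a missing top-level `permissions:` block, and use of the `pull_request_target` trigger. It works on lines with regular expressions rather than parsing YAML, so it is a review aid, not a complete policy engine. The two embedded workflows, the image name, the commit SHA and the digest are constructed placeholders.

```python
"""Audit a GitHub Actions workflow for the hardening measures listed above.

Added example. Line-oriented regex heuristics, not a YAML parser. The
sample workflows, image name, SHA and digest below are constructed
placeholders, not real references.
"""
import re

ACTION_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"   # placeholder, not a real commit
DIGEST = "0" * 64                                         # placeholder image digest

# Weak workflow: tag-pinned action, image by tag, pull_request_target trigger.
SAMPLE_WORKFLOW = f"""\
name: scan
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/scanner:1.2.3
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@{PINNED_SHA}
      - uses: ./.github/actions/local
      - run: echo scanning
"""

# Hardened version of the same workflow.
HARDENED_WORKFLOW = f"""\
name: scan
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/scanner@sha256:{DIGEST}
    steps:
      - uses: actions/checkout@{PINNED_SHA} # v4
      - uses: ./.github/actions/local
      - run: echo scanning
"""


def audit_workflow(text: str):
    """Return (line_number, kind, detail) findings; line 0 marks file-level findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTION_RE.match(line)
        if m:
            ref = m.group(1)
            # Local composite actions and docker:// references are outside this check.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            if not SHA40_RE.match(version):
                findings.append((lineno, "unpinned-action", ref))
            continue
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            findings.append((lineno, "image-not-by-digest", m.group(1)))
    # Top-level permissions block: a line starting at column 0 with "permissions:".
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "no-top-level-permissions", ""))
    # pull_request_target is not forbidden, but it must be reviewed by a human.
    if re.search(r"^\s*(on:\s*)?pull_request_target\b", text, re.M):
        findings.append((0, "pull-request-target-review", ""))
    return findings


if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

Running it against the weak workflow reports the tag-referenced checkout action, the image pulled by tag and the `pull_request_target` trigger; the hardened workflow produces no findings. Extending the `SHA40_RE` check to also require a trailing `# vX` comment, so reviewers can still see which release a SHA corresponds to, is a small, common addition.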
Conclusion
Trivy’s scanning engine remains sound, and continued use is viable with proper precautions. However, given the suspended database updates and ongoing investigation, eliminating single-tool dependency and building defense-in-depth is the practical response.
For vulnerability scanning, Grype is the strongest open-source alternative. Its composite risk scoring with EPSS and KEV offers prioritization that Trivy lacks. On the commercial side, Snyk’s reachability analysis and automated fix PRs are effective at reducing developer remediation burden.
For IaC scanning, Checkov’s graph-based analysis provides a unique advantage. By validating cross-resource relationships, it catches configuration issues that single-resource attribute checks miss.
Regardless of tool choice, CI/CD pipeline hardening (SHA pinning, OIDC adoption, ephemeral runners) is non-negotiable. We recommend reviewing pipeline design alongside tool selection.
That’s all from the Gemba, preparing for an era where security scanners themselves become supply chain attack targets.