Generated at 2026-07-10 22:23 UTC
| Tool | Latest | Updated | Type | License | Pricing | Container | Lang/Lib | SBOM | Policy | Centralized Mgmt |
|---|---|---|---|---|---|---|---|---|---|---|
| FutureVuls Features ↗ |
2026-06 [Hotfix] | 2026-06-01 | SaaS | Proprietary | Paid | ✅ | ✅ | ✅ | ❌ | ✅ |
| Yamory Features ↗ |
2026-06-25 | 2026-06-25 | SaaS | Proprietary | Paid | ✅ | ✅ | ✅ | ❌ | ✅ |
| Trivy Features ↗ |
v0.72.0 | 2026-06-30 | OSS | Apache-2.0 | Free | ✅ | ✅ | ✅ | ✅ | ❌ |
| Grype Features ↗ |
v0.115.0 | 2026-06-26 | OSS | Apache-2.0 | Free | ✅ | ✅ | ✅ | ❌ | ❌ |
| OSV-Scanner Features ↗ |
v2.4.0 | 2026-06-18 | OSS | Apache-2.0 | Free | ✅ | ✅ | ✅ | ❌ | ❌ |
| Syft Features ↗ |
v1.46.0 | 2026-06-26 | OSS | Apache-2.0 | Free | ✅ | ✅ | ✅ | ❌ | ❌ |
| Vuls Features ↗ |
v0.39.3 | 2026-06-09 | OSS | GPL-3.0 | Free | ✅ | ✅ | ❌ | ❌ | ❌ |
| Clair Features ↗ |
v4.9.0 | 2025-12-10 | OSS | Apache-2.0 | Free | ✅ | ❌ | ❌ | ❌ | ❌ |
| Dependency-Check Features ↗ |
v12.1.0 | 2025-02-17 | OSS | Apache-2.0 | Free | ❌ | ✅ | ❌ | ❌ | ❌ |
| Tool | Container | Lang/Lib | SBOM | Policy | IaC | Secret Detection | License Scan | Build Plugin | API Server | SSH Agentless | Dashboard | Centralized Mgmt | Unique Features |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Trivy Features ↗ |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | • IaC scanning (Terraform, Kubernetes manifests, Helm, Dockerfile) • Secret / credential detection • License compliance scanning • Multiple output formats (SARIF, SBOM, table, JSON) |
| FutureVuls Features ↗ |
✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | • Ticket management for vulnerability triage and remediation tracking • Team management with role-based access control • SLA tracking and compliance reporting • Cloud SaaS built on OSS Vuls engine • OSS license detection with GPL violation warning |
| Yamory Features ↗ |
✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | • OSS license management and compliance • Vulnerability prioritization support • CI/CD pipeline integration • Japanese-first support and UI |
| Syft Features ↗ |
✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | • Outputs SBOM in multiple formats (SPDX, CycloneDX, Syft JSON, GitHub SBOM) • Focused on SBOM generation only — no built-in vulnerability scanning • Paired with Grype for a complete scan pipeline |
| Grype Features ↗ |
✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | • Accepts SBOM files (SPDX, CycloneDX, Syft JSON) as direct scan input • Tight integration with Syft for SBOM-driven vulnerability pipeline • Supports VEX (Vulnerability Exploitability eXchange) for filtering |
| OSV-Scanner Features ↗ |
✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | • Uses Google's OSV (Open Source Vulnerabilities) database — community maintained • Lockfile-based scanning for accurate dependency resolution • Git commit history scanning for introduced vulnerabilities • Experimental reachability analysis |
| Vuls Features ↗ |
✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | • Agentless SSH-based Linux server scanning • Supports NVD / JVN / OVAL multiple vulnerability databases • Slack and email notification support • Scan results stored locally for historical diffing |
| Clair Features ↗ |
✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | • Designed as an API server for integration into container registries • Used by Quay.io as its core scanner • ClairCore modular matcher architecture • Supports multiple Linux distributions (RHEL, Debian, Ubuntu, Alpine, etc.) |
| Dependency-Check Features ↗ |
❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | • Maven, Gradle, and Ant build tool plugins • Jenkins plugin available • CPE-based NVD matching • HTML / XML / JSON / CSV report generation |