Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy

Docker Image Static Analysis Tools Comparison

In the Software Development Lifecycle (SDLC) and the DevSecOps world, there are several stages of security analysis. One of them is checking how secure the images are that we have chosen for the containers that will run our applications.

Fortunately, there are many free-to-use tools available to address this, and here you have a comparison of three of them that, in my opinion, have been showing very good results. This investigation focused on obtaining findings in JSON format so that they could be parsed and compared.

Anchore Engine

Anchore performs a deep inspection of container images to unpack and analyze everything inside. It documents and catalogs all contents, helping to identify vulnerabilities before they reach production environments.

You can find a docker-compose file and usage instructions here.

Clair

Clair is the most popular open source static vulnerability analyzer for containers. The clair-scanner client has to be built independently.

You can find a docker-compose file and usage instructions here.

Trivy

Trivy analyzes operating system packages and application dependencies. It is easy to install, suitable for CI tools, and has high accuracy on Alpine and CentOS (RHEL) based images. It automatically detects and scans dependency files such as Cargo.lock, composer.lock, Gemfile.lock, package-lock.json, Pipfile.lock, and yarn.lock.

You can find installation and usage instructions here.

Vulnerabilities Found

As this Docker blog post mentions, the list below includes the currently most popular and most searched-for container images. I show the results for each tool and also the number of CVEs found by one tool that do not show up in the others.

Note: Clair couldn’t execute the scan for the busybox image.
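The comparison above was done by parsing each tool's JSON report and counting, per tool, the IDs that no other tool reported. The script below is an added example of that parsing step, not code from the post or from any of the three projects. The field names it reads (Trivy's `VulnerabilityID`, clair-scanner's `vulnerability`, anchore-cli's `vuln`) are assumed from the tools' JSON output as known to me and should be checked against the version you run; the embedded reports are constructed samples with placeholder CVE IDs, not real findings. A report that is `None` (a failed scan, like Clair on busybox) is left out of the comparison instead of being counted as "zero findings".

```python
"""Parse Trivy, clair-scanner and Anchore Engine JSON reports and count the
CVE IDs that only one tool reports.

Assumptions (not taken from the post): field names as listed per extractor
below; constructed sample reports with placeholder IDs are embedded at the end.
"""
import json
from typing import Dict, Optional, Set


def ids_from_trivy(report) -> Set[str]:
    """Trivy: a list of targets (older releases) or {"Results": [...]} (newer)."""
    targets = report.get("Results", []) if isinstance(report, dict) else report
    ids: Set[str] = set()
    for target in targets:
        # "Vulnerabilities" is null when a target has no findings
        for vuln in target.get("Vulnerabilities") or []:
            ids.add(vuln["VulnerabilityID"].upper())
    return ids


def ids_from_clair(report) -> Set[str]:
    """clair-scanner (assumed): {"vulnerabilities": [{"vulnerability": "CVE-..."}]}."""
    return {v["vulnerability"].upper() for v in report.get("vulnerabilities", [])}


def ids_from_anchore(report) -> Set[str]:
    """anchore-cli image vuln <image> all --json (assumed):
    {"vulnerabilities": [{"vuln": "CVE-..."}]}."""
    return {v["vuln"].upper() for v in report.get("vulnerabilities", [])}


EXTRACTORS = {"trivy": ids_from_trivy, "clair": ids_from_clair, "anchore": ids_from_anchore}


def compare(findings: Dict[str, Optional[Set[str]]]) -> Dict[str, Dict[str, int]]:
    """Per tool: total IDs found and IDs that no other tool reported.
    A tool whose scan failed (value None) is excluded, so it neither gets a
    row nor makes the other tools' findings look 'unique'."""
    usable = {tool: ids for tool, ids in findings.items() if ids is not None}
    summary: Dict[str, Dict[str, int]] = {}
    for tool, ids in usable.items():
        others: Set[str] = set()
        for other, other_ids in usable.items():
            if other != tool:
                others |= other_ids
        summary[tool] = {"total": len(ids), "unique": len(ids - others)}
    return summary


def findings_from_reports(reports: Dict[str, Optional[str]]) -> Dict[str, Optional[Set[str]]]:
    """Map tool name -> set of IDs; a None report (failed scan) stays None."""
    return {tool: (EXTRACTORS[tool](json.loads(text)) if text is not None else None)
            for tool, text in reports.items()}


# Constructed sample reports; CVE-0000-000x are placeholders, not real CVEs.
SAMPLE_REPORTS: Dict[str, Optional[str]] = {
    "trivy": json.dumps([{"Target": "example:1.0 (alpine 3.9)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"}]}]),
    "clair": json.dumps({"image": "example:1.0", "vulnerabilities": [
        {"featurename": "libbar", "vulnerability": "CVE-0000-0002", "severity": "Low"},
        {"featurename": "libbaz", "vulnerability": "CVE-0000-0003", "severity": "Medium"},
        {"featurename": "libqux", "vulnerability": "cve-0000-0004", "severity": "High"}]}),
    "anchore": json.dumps({"imageDigest": "sha256:placeholder", "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package": "libfoo-1.0", "severity": "High"},
        {"vuln": "CVE-0000-0005", "package": "libquux-2.1", "severity": "Medium"}]}),
}


def sample_summary() -> Dict[str, Dict[str, int]]:
    """Run the comparison over the constructed sample reports."""
    return compare(findings_from_reports(SAMPLE_REPORTS))


if __name__ == "__main__":
    for tool, counts in sample_summary().items():
        print(f"{tool:8s} total={counts['total']:3d} unique={counts['unique']:3d}")
```

To use it on real output, read each tool's JSON file into the `reports` dict keyed by tool name (use `None` for a scan that did not run) and call `compare(findings_from_reports(reports))`. IDs are only uppercased here; if one tool reports distro advisory IDs instead of CVE IDs for some packages, map them to CVEs first, otherwise the "unique" column will be inflated by naming differences rather than real detection gaps.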

[Table image: Docker Image Static Analysis Tool Comparison (vulnerabilities found per image and tool)]

Graphical Comparison

[Chart images: Docker Image Static Analysis Tools Comparison - Group 1, Group 2, Group 3]

Conclusion

In my opinion, I recommend using Trivy because its setup is easy and quick, it obtains almost the same number of results as Clair (which couldn't analyze the busybox image), and its findings differ considerably from Anchore's.