OpenVAS vs Trivy vs Grype: Best Self-Hosted Vulnerability Scanners 2026

If you run servers, containers, or any production infrastructure, knowing which vulnerabilities exist in your stack before attackers do is not optional — it is foundational. Commercial vulnerability management platforms charge per-asset licensing fees that quickly become prohibitive at scale, and they require sending sensitive inventory data to third-party cloud services. Modern open-source vulnerability scanners eliminate both problems: they run entirely on your own hardware, keep all data local, and provide enterprise-grade detection at zero licensing cost.

This guide compares the three leading open-source vulnerability scanning tools: OpenVAS (Greenbone Vulnerability Management), Trivy by Aqua Security, and Grype by Anchore. We will cover detection methodologies, supported scan targets, performance characteristics, and practical docker-based deployments so you can build a complete vulnerability management pipeline on your own infrastructure.

Why Self-Host Your Vulnerability Scanning

Running vulnerability scanners on your own infrastructure delivers advantages that managed SaaS platforms cannot replicate.

Complete data sovereignty. Your asset inventory, scan results, and vulnerability reports never leave your network. This matters for regulated industries where sending internal host metadata to external services violates compliance requirements.

No per-asset licensing. Commercial platforms typically charge $5 to $30 per scanned asset per month. Self-hosted tools cost nothing beyond the hardware they run on, making it economically feasible to scan every container, VM, and bare-metal host you operate.

Unlimited scanning frequency. SaaS platforms throttle scan rates or charge extra for continuous monitoring. When you own the scanner, you can run full assessments daily, hourly, or on every CI/CD pipeline run without incremental costs.

Offline scanning capability. Air-gapped networks, classified environments, and isolated development clusters require scanning tools that work without internet connectivity. Self-hosted scanners with locally cached vulnerability databases handle this natively.

Customizable detection logic. Open-source scanners let you write custom detection plugins, adjust severity thresholds, and integrate with your existing ticketing and alerting systems without waiting for vendor feature roadmaps.

Full integration control. Hook scan results into your SIEM, Slack, PagerDuty, or custom dashboards using APIs and output formats you control, rather than being limited to the integrations a vendor chose to build.

Quick Comparison Table

OpenVAS (Greenbone): The Enterprise-Grade Network Scanner

OpenVAS, now branded as Greenbone Community Edition, is the most comprehensive open-source vulnerability scanner available. It performs authenticated and unauthenticated network scans against live hosts, checking for thousands of known vulnerabilities across operating systems, network services, and web applications.

Key Strengths

• Network-level scanning: Unlike Trivy and Grype, OpenVAS actively probes network hosts to discover running services, open ports, and misconfigurations. It can detect vulnerabilities in services without needing access to the host filesystem.
• Massive detection coverage: The Greenbone NVT (Network Vulnerability Tests) feed contains over 70,000 individual detection plugins, covering everything from CVE-mapped vulnerabilities to configuration weaknesses and compliance violations.
• Authenticated scanning: When provided with SSH or SMB credentials, OpenVAS performs deep host inspections — checking installed package versions, patch levels, registry settings, and local configurations that unauthenticated network scans cannot detect.
• Compliance auditing: Built-in scan configs for CIS benchmarks, IT-Grundschutz, and other compliance frameworks let you audit systems against industry standards.
• Web interface: The Greenbone Security Assistant provides a full web UI for managing scan targets, scheduling assessments, reviewing results, and generating reports in PDF, HTML, or XML formats.

When to Choose OpenVAS

Select OpenVAS when you need comprehensive network-level vulnerability assessment, compliance auditing, or a centralized scanning platform that can evaluate entire subnets without requiring agent installation on every host. It is ideal for security teams performing periodic penetration testing support and infrastructure audits.

Docker Deployment

OpenVAS runs as a multi-service stack. The all-in-one Docker image bundles the scanner, manager, database, and web interface into a single deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# Create persistent storage directories
mkdir -p /opt/openvas/data /opt/openvas/lib

# Deploy the Greenbone Community Edition container
docker run -d \
  --name openvas \
  -p 80:80 \
  -p 443:443 \
  -v /opt/openvas/data:/var/lib/openvas/mgr \
  -v /opt/openvas/lib:/var/lib/openvas/plugins \
  -e PASSWORD="YourSecureAdminPassword123" \
  --restart unless-stopped \
  greenbone/community-edition:latest

After the container starts, the first launch will download and compile the full NVT feed, which can take 15 to 30 minutes depending on your network speed. Access the web interface at https://your-server-ip and log in with admin and the password set above.

Docker Compose for Production

For production deployments, separate the services for better resource management and backup strategies:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

version: "3.8"

services:
  openvas-scanner:
    image: greenbone/scanner:stable
    container_name: openvas-scanner
    restart: unless-stopped
    volumes:
      - scanner-data:/var/lib/openvas
      - nvt-data:/var/lib/openvas/plugins
    environment:
      - SCANNER_HOST=0.0.0.0
    networks:
      - openvas-net

  openvas-manager:
    image: greenbone/manager:stable
    container_name: openvas-manager
    restart: unless-stopped
    depends_on:
      - openvas-scanner
      - openvas-db
    volumes:
      - manager-data:/var/lib/openvas/mgr
      - nvt-data:/var/lib/openvas/plugins
    ports:
      - "9390:9390"
    environment:
      - MANAGER_HOST=0.0.0.0
      - DB_HOST=openvas-db
    networks:
      - openvas-net

  openvas-db:
    image: postgres:15
    container_name: openvas-db
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=db_secure_password
      - POSTGRES_USER=gvm
    networks:
      - openvas-net

  openvas-web:
    image: greenbone/web:stable
    container_name: openvas-web
    restart: unless-stopped
    depends_on:
      - openvas-manager
    ports:
      - "80:80"
      - "443:443"
    environment:
      - GSA_HOST=0.0.0.0
      - GSA_MANAGER_HOST=openvas-manager
    networks:
      - openvas-net

volumes:
  scanner-data:
  manager-data:
  nvt-data:
  db-data:

networks:
  openvas-net:
    driver: bridge

Scheduling Automated Scans

Use the OpenVAS Python API (python-gvm) to automate recurring scans:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

from gvm.connections import TLSConnection
from gvm.protocols.gmp import Gmp
from gvm.transforms import EtreeTransform

connection = TLSConnection(hostname='localhost', port=9390)
transform = EtreeTransform()

with Gmp(connection, transform=transform) as gmp:
    gmp.authenticate('admin', 'YourSecureAdminPassword123')

    # Create a scan task
    task = gmp.create_container_task(
        name='Weekly Network Scan',
        config_id='daba56c8-73ec-11df-a475-002264764cea',  # Full and Fast
        target_id='your-target-id',
        scanner_id='08b69003-5fc2-4037-a479-93b440211c73'  # OpenVAS Default
    )

    # Start the scan
    gmp.start_task(task['id'])
    print(f'Scan started: {task["id"]}')

Trivy: The All-in-One Security Scanner

Trivy has become the go-to vulnerability scanner for container-centric development workflows. Unlike OpenVAS, it does not perform network scanning — instead, it analyzes container images, filesystems, infrastructure-as-code configurations, and git repositories for known vulnerabilities and misconfigurations.

Key Strengths

• Multi-target scanning: Trivy handles container images, local filesystems, IaC files (Terraform, Kubernetes manifests, Dockerfiles, CloudFormation, Helm charts), and git repositories with a single command.
• Speed: Built in Go with optimized database caching, Trivy typically scans a container image in 10 to 30 seconds — fast enough to embed in every CI/CD pipeline step.
• IaC misconfiguration detection: Beyond CVE matching, Trivy identifies security misconfigurations in infrastructure code — overly permissive IAM roles, exposed S3 buckets, missing security group rules, and containers running as root.
• SBOM generation: Trivy can generate Software Bill of Materials in CycloneDX and SPDX formats, which is increasingly required for supply chain compliance.
• Zero configuration: Trivy works out of the box with no setup. Install the binary and run it against any target — it auto-downloads the latest vulnerability database on first use.

When to Choose Trivy

Select Trivy when your primary concern is container and infrastructure-as-code security within development pipelines. It is the best choice for teams practicing GitOps, running Kubernetes, or needing fast scan feedback in CI/CD workflows.

Installation

1
2
3
4
5
6
7
8

# Install via official installer script (Linux)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

# Or install via Homebrew (macOS)
brew install aquasecurity/trivy/trivy

# Or pull the Docker image
docker pull aquasec/trivy:latest

Docker-Based Scanning

Scan a container image for vulnerabilities using the Trivy container:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Scan an image and display results in table format
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $HOME/.cache/trivy:/root/.cache/ \
  aquasec/trivy:latest image[nginx](https://nginx.org/)--severity HIGH,CRITICAL \
  --format table \
  nginx:latest

# Scan a local Dockerfile for misconfigurations
docker run --rm \
  -v $(pwd):/workspace \
  -w /workspace \
  aquasec/trivy:latest config \
  --severity HIGH,CRITICAL \
  Dockerfile

# Scan a Terraform configuration
docker run --rm \
  -v $(pwd)/terraform:/workspace \
  -w /workspace \
  aquasec/trivy:latest config \
  --severity HIGH,CRITICAL \
  .

CI/CD Pipeline Integration

Add Trivy as a blocking step in your GitHub Actions workflow:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

Generating SBOMs

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Generate CycloneDX SBOM for a container image
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate SPDX SBOM for a filesystem directory
trivy fs --format spdx --output sbom.spdx /path/to/project

# Generate SBOM and scan for vulnerabilities simultaneously
trivy image --format cyclonedx --output sbom.json \
  --scanners vuln,secret,config \
  myapp:latest

Grype: The Container Image Specialist

Grype, developed by Anchore, is a focused vulnerability scanner for container images and filesystems. It excels at matching installed packages against vulnerability databases and integrates tightly with Syft (Anchore’s SBOM generator) for supply chain security workflows.

Key Strengths

• Precision matching: Grype uses multiple matchers — direct package matching, indirect dependencies, binary-to-source mapping, and language ecosystem-specific matching — to minimize false positives.
• Anchore ecosystem integration: Works seamlessly with Syft for SBOM generation, Anchore Enterprise for policy management, and the Anchore CLI for local policy evaluation.
• Offline-first design: Grype’s vulnerability database can be fully cached for air-gapped environments. Once downloaded, scans run without any network connectivity.
• Policy-based gating: Define policies that fail builds when vulnerabilities exceed specified severity thresholds or affect critical application components.
• Lightweight footprint: As a single Go binary, Grypy installs in seconds and consumes minimal resources during scans.

When to Choose Grype

Select Grype when you need precise container image scanning with strong SBOM integration, policy-based build gating, or operate in air-gapped environments that require fully offline vulnerability databases.

Installation

1
2
3
4
5
6
7
8

# Install via official script (Linux/macOS)
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Or install via Homebrew
brew install grype

# Or pull the Docker image
docker pull anchore/grype:latest

Docker-Based Scanning

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

# Scan a Docker image directly
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  anchore/grype:latest \
  nginx:latest

# Scan with specific severity threshold (exit code 1 if found)
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  anchore/grype:latest \
  --fail-on high \
  myapp:1.0.0

# Scan a local filesystem directory
docker run --rm \
  -v $(pwd):/scan:ro \
  anchore/grype:latest \
  dir:/scan

# Scan from a Tar archive (useful for registry-pulled images)
docker save myapp:latest | docker run --rm -i anchore/grype:latest

SBOM Generation and Scanning Pipeline

Grype pairs with Syft for a complete supply chain security workflow:

1
2
3
4
5
6
7
8

# Step 1: Generate SBOM with Syft
syft packages nginx:latest -o json > nginx-sbom.json

# Step 2: Scan the SBOM for vulnerabilities
grype sbom:./nginx-sbom.json --output table

# Step 3: Generate a vulnerability report in CycloneDX format
grype sbom:./nginx-sbom.json --output cyclonedx-json > vulnerability-report.json

GitHub Actions Integration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

name: Container Security

on:
  push:
    branches: [main]

jobs:
  grype-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Grype scanner
        uses: anchore/scan-action@v3
        with:
          image: 'myapp:${{ github.sha }}'
          fail-build: true
          severity-cutoff: high
          output-format: table

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: 'myapp:${{ github.sha }}'
          format: cyclonedx-json
          output-file: sbom.json

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

Running All Three Together: A Complete Vulnerability Management Architecture

The most effective self-hosted security posture does not choose one tool — it layers them. Each scanner covers gaps the others leave open.

Recommended Architecture

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

                    ┌─────────────────┐
                    │   CI/CD Pipeline │
                    └────────┬────────┘
                             │
              ┌──────────────┼──────────────┐
              ▼              ▼              ▼
        ┌──────────┐  ┌──────────┐  ┌──────────┐
        │  Trivy   │  │  Grype   │  │  OpenVAS │
        │ (Images) │  │ (Images) │  │ (Network)│
        └────┬─────┘  └────┬─────┘  └────┬─────┘
             │              │              │
             ▼              ▼              ▼
        ┌─────────────────────────────────────────┐
        │         Central Results Store           │
        │  (JSON/SARIF reports → Elasticsearch    │
        │   or PostgreSQL for aggregation)         │
        └─────────────────────┬───────────────────┘
                              │
                              ▼
                    ┌──────────────────┐
                    │  Alerting Layer   │
                    │ (Slack, Email,    │
                    │  PagerDuty)       │
                    └──────────────────┘

Unified Docker Compose Stack

Deploy all three scanners on a single security assessment host:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

version: "3.8"

services:
  trivy:
    image: aquasec/trivy:latest
    container_name: trivy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - trivy-cache:/root/.cache/
      - ./scans:/workspace
    command: ["--cache-dir", "/root/.cache/"]
    profiles: ["on-demand"]

  grype:
    image: anchore/grype:latest
    container_name: grype
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./scans:/workspace
    profiles: ["on-demand"]

  openvas:
    image: greenbone/community-edition:latest
    container_name: openvas
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - openvas-data:/var/lib/openvas/mgr
      - openvas-plugins:/var/lib/openvas/plugins
    environment:
      - PASSWORD=ChangeMeInProduction
    profiles: ["continuous"]

  results-db:
    image: postgres:15
    container_name: results-db
    restart: unless-stopped
    volumes:
      - pg-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=vuln_reports
      - POSTGRES_USER=vuln_user
      - POSTGRES_PASSWORD=secure_db_password
    profiles: ["continuous"]

volumes:
  trivy-cache:
  openvas-data:
  openvas-plugins:
  pg-data:

Automated Weekly Scan Script

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

#!/bin/bash
# weekly-vuln-scan.sh — Run on a cron schedule every Sunday at 02:00

IMAGES=("nginx:latest" "postgres:15" "myapp:latest")
SCAN_DIR="/opt/scans/$(date +%Y-%m-%d)"
mkdir -p "$SCAN_DIR"

echo "=== Weekly Vulnerability Scan ==="
echo "Date: $(date)"
echo "Scan directory: $SCAN_DIR"
echo ""

# Trivy scan for all configured images
echo "--- Trivy: Image Scans ---"
for image in "${IMAGES[@]}"; do
  echo "Scanning: $image"
  docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$SCAN_DIR:/output" \
    aquasec/trivy:latest image \
    --severity HIGH,CRITICAL \
    --format sarif \
    --output "/output/trivy-${image//:/_}.sarif" \
    "$image"
done

# Grype scan for all configured images
echo ""
echo "--- Grype: Image Scans ---"
for image in "${IMAGES[@]}"; do
  echo "Scanning: $image"
  docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    anchore/grype:latest \
    --output sarif \
    "$image" > "$SCAN_DIR/grype-${image//:/_}.sarif"
done

# OpenVAS: trigger via API (requires python-gvm)
echo ""
echo "--- OpenVAS: Network Scan ---"
python3 /opt/scripts/trigger-openvas-scan.py

echo ""
echo "Scan complete. Results stored in: $SCAN_DIR"

Add this to your crontab for automated weekly execution:

1
2

# Weekly vulnerability scan every Sunday at 02:00 UTC
0 2 * * 0 /opt/scripts/weekly-vuln-scan.sh >> /var/log/vuln-scan.log 2>&1

Decision Framework: Which Scanner Fits Your Needs

Your choice depends on what you need to protect and where scanning fits into your workflow.

Choose OpenVAS (Greenbone) if:

• You need network-level vulnerability assessment across entire subnets
• You require authenticated scanning of operating systems and services
• You want a web-based management interface with scheduling and reporting
• You need compliance audit scans against CIS or other frameworks
• You perform periodic security assessments and penetration testing support

Choose Trivy if:

• Your primary assets are container images and Kubernetes deployments
• You want IaC misconfiguration scanning alongside CVE detection
• You need fast scans (under 30 seconds) embedded in CI/CD pipelines
• You require SBOM generation for supply chain compliance
• You want a single tool that covers images, filesystems, configs, and repos

Choose Grype if:

• You need precise container image scanning with minimal false positives
• You already use Syft for SBOM generation and want tight integration
• You operate air-gapped environments requiring fully offline scanning
• You want policy-based build gating with Anchore ecosystem tools
• You prefer a focused, single-purpose scanner over a multi-tool platform

Use all three if:

• You run a mature security program and need defense-in-depth coverage
• You want to cross-validate findings between different detection engines
• You need both network-level assessment (OpenVAS) and image-level scanning (Trivy/Grype)
• Your compliance requirements mandate multiple independent assessment methods

Conclusion

Self-hosted vulnerability scanning has reached a point where open-source tools match or exceed commercial platforms for most use cases. OpenVAS provides unmatched network-level coverage with its 70,000+ detection plugins. Trivy delivers the fastest multi-target scanning with built-in IaC analysis and SBOM generation. Grype offers precise container image scanning with strong supply chain integration.

The combination of these three tools — running entirely on your own infrastructure with no per-asset licensing — gives you a vulnerability management capability that rivals enterprise platforms costing tens of thousands of dollars per year. Start with the scanner that matches your most pressing need, then expand to cover the gaps as your security program matures.

Frequently Asked Questions (FAQ)

Which one should I choose in 2026?

The best choice depends on your specific requirements:

• For beginners: Start with the simplest option that covers your core use case
• For production: Choose the solution with the most active community and documentation
• For teams: Look for collaboration features and user management
• For privacy: Prefer fully open-source, self-hosted options with no telemetry

Refer to the comparison table above for detailed feature breakdowns.

Can I migrate between these tools?

Most tools support data import/export. Always:

1. Backup your current data
2. Test the migration on a staging environment
3. Check official migration guides in the documentation

Are there free versions available?

All tools in this guide offer free, open-source editions. Some also provide paid plans with additional features, priority support, or managed hosting.

How do I get started?

1. Review the comparison table to identify your requirements
2. Visit the official documentation (links provided above)
3. Start with a Docker Compose setup for easy testing
4. Join the community forums for troubleshooting