Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc
ThreatMapper is a cloud native application protection platform and infrastructure security scanner. It functions as a vulnerability management system and cloud workload telemetry collector designed to monitor workloads and detect security risks across cloud and container environments. The platform distinguishes itself through a network traffic visualizer that uses machine learning to classify communication patterns and a graph-based attack mapping system to identify high-risk paths between vulnerabilities and network dependencies. Its broader capabilities cover cloud infrastructure complianc
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Clair is a container image vulnerability scanner and security analyzer. It performs static analysis of container images by matching package contents against vulnerability databases to identify security risks across different package formats and architectures. The project functions as both an image indexer and a vulnerability database manager. It processes container layers into intermediate representations to enable fast security lookups and synchronizes security metadata from multiple external sources to maintain a local registry. Capability areas include continuous security monitoring, whic