KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// facet: container

Container vulnerability scanners: build / registry / runtime

Container image scanners across build, registry, and runtime stages. Per-developer, per-image, and quote-only pricing models.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What is a container vulnerability scanner?

A container vulnerability scanner inspects container images for CVEs in OS packages and application dependencies, IaC misconfigurations, exposed secrets, and (increasingly) malicious package signatures. Trivy is the open-source default; Snyk Container leads developer-led; Wiz leads CNAPP-led.
// filter ::
asset
deployment
scan-type
compliance
price-band
license
Tenable Vulnerability Management (Tenable.io)

Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentlesshybrid
AMBER
$3,500 / year for 100 assets (~$35/asset/yr)
pci-asvfedrampsoc2hipaaiso27001free tier
Qualys VMDR

Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentless
QUOTE
Quote only; partner-reported ~$199 per asset per year
pci-asvfedrampsoc2hipaaiso27001free tier
Wiz

Agentless CNAPP. Graph-based risk, big in cloud-native shops. Anchors on workloads not assets.

verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $70k-$120k for ~500-workload mid-market estate
soc2fedramphipaaiso27001free tier
Orca Security

SideScanning agentless CNAPP. Often discounted aggressively against Wiz in head-to-heads.

verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $50k-$100k for ~500-workload estate
soc2fedramphipaaiso27001free tier
Snyk

Per-developer SCA + SAST + Container + IaC. Free tier is genuinely usable.

verified 2026-06-25 · vendor page
codecontaineriac
saas
PHOSPHOR
Free up to caps; Team starts at $25/dev/mo
soc2iso27001hipaafree tier
Trivy

De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.

verified 2026-06-25 · vendor page
containercodeiac
self-hosted
FREE / OSS
Free (Apache 2.0). Aqua Enterprise quote-only.
soc2free tier
[ 6 of 15 scanners shown ] · row prices verified against vendor pages on the date stamped above.

Build vs registry vs runtime

Build-time scans (Trivy in CI) gate bad images at the door. Registry scans (Snyk, Wiz, Aqua) catch images that bypassed CI. Runtime scans (Wiz Runtime Sensor) detect drift in deployed containers. Mature shops run all three layers.

// faq

FAQ

  • Is Trivy enough?
    For build-time CI gating, yes. For runtime drift detection in production Kubernetes, no; pair with Wiz or Snyk.
  • What does Snyk Container add over Trivy?
    Application-layer dependency analysis with fix-PR generation, centralised policy, and reachability analysis for prioritisation.
  • Does Wiz cover containers?
    Yes, both via image scanning and runtime sensor. It is part of the CNAPP bundle, not a separate SKU at list.
  • How do you detect malicious packages?
    Snyk and Aqua both ship malicious-package detection; Trivy detects known-bad packages from vulnerability databases but does not run heuristic malware analysis.
  • What about admission control?
    Kubernetes admission control (gating bad images at deploy) needs policy enforcement. Trivy Operator + OPA / Kyverno is the OSS path; Wiz / Snyk / Aqua ship integrated admission controllers.
Related: Trivy Snyk SCA vs container scanner