Vuls vs Trivy vs Grype: when to pick which CVE scanner

I shipped a CVE patch-ops tool last month. The most common feedback from engineers, in order: "Why not just use Vuls?" "Doesn't Trivy already do this?" "Isn't Grype better?"

All three are fair questions. They are all good tools. Here is the honest comparison I wish someone had handed me before I built mine.

Vuls.io — the original self-hosted host scanner

Vuls is the closest open-source equivalent to a managed patch-ops product. It's mature (started in 2016), written in Go, and it does the same fundamental work: pull advisories from the upstream feeds, snapshot your box's package state, and match the two.

Pick Vuls if:

- You want everything on-prem / air-gapped: no third party sees your inventory.
- You have at least an afternoon of ops time to wire it up (config server, cron, report exporter, your own alerting).
- You're comfortable writing your own remediation playbooks. Vuls tells you the package + fixed version; what you do with it is up to you.…
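The "pull advisories, snapshot package state, match" loop that Vuls and the other scanners share, reduced to its core as an added example (this is not Vuls's code or any of these projects' code). The advisory IDs, snapshot lines and fixed versions are constructed for the example, and the version ordering is a deliberate simplification of the real dpkg/rpm rules.

```go
package main
import ("fmt"; "regexp"; "strconv"; "strings")
type Advisory struct{ ID, Package, FixedVer string }        // constructed feed entry; FixedVer "" = no fix yet
type Finding struct{ ID, Package, Installed, FixedVer string } // what the scanner reports: package + fixed version
// Constructed sample input: a dpkg-query -W style snapshot and three made-up advisories.
const sampleSnapshot = "openssl\t3.0.2-0ubuntu1.10\nlibssl3\t3.0.2-0ubuntu1.15\ncurl\t7.81.0-1ubuntu1.15\n"
var sampleFeed = []Advisory{
	{"ADV-EXAMPLE-1", "openssl", "3.0.2-0ubuntu1.12"}, // installed is older than the fix: finding
	{"ADV-EXAMPLE-2", "libssl3", "3.0.2-0ubuntu1.12"}, // installed already carries the fix: no finding
	{"ADV-EXAMPLE-3", "nginx", "1.18.0-6ubuntu14.4"},  // not installed at all: no finding
}
// parseSnapshot reads "name<TAB>version" lines into a name -> version map.
func parseSnapshot(snapshot string) map[string]string {
	installed := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(snapshot), "\n") {
		if f := strings.Split(line, "\t"); len(f) == 2 { installed[f[0]] = f[1] }
	}
	return installed
}
var chunk = regexp.MustCompile(`\d+|\D+`)
// compareVersions returns <0, 0, >0 under a simplified ordering: digit runs compare numerically,
// other runs lexicographically. Real scanners implement full dpkg/rpm rules (epochs, '~'), omitted here.
func compareVersions(a, b string) int {
	pa, pb := chunk.FindAllString(a, -1), chunk.FindAllString(b, -1)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		na, errA := strconv.Atoi(pa[i])
		nb, errB := strconv.Atoi(pb[i])
		if errA == nil && errB == nil {
			if na != nb { return na - nb }
		} else if pa[i] != pb[i] {
			return strings.Compare(pa[i], pb[i])
		}
	}
	return len(pa) - len(pb) // all shared components equal: the longer version is newer
}
// match reports every installed package whose version is below the advisory's fixed version.
func match(installed map[string]string, feed []Advisory) []Finding {
	var out []Finding
	for _, adv := range feed {
		if ver, ok := installed[adv.Package]; ok && (adv.FixedVer == "" || compareVersions(ver, adv.FixedVer) < 0) {
			out = append(out, Finding{adv.ID, adv.Package, ver, adv.FixedVer})
		}
	}
	return out
}
func main() {
	for _, f := range match(parseSnapshot(sampleSnapshot), sampleFeed) {
		fmt.Printf("%s %s installed=%s fixed=%s\n", f.ID, f.Package, f.Installed, f.FixedVer)
	}
}
```

Everything after the match (who gets paged, which playbook runs) is exactly the part the scanners leave to you.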