Linux CVE scanners compared

vuls.io · Trivy · Grype · Snyk · StackPatch

Five tools, one decision. This is the page we'd want to read before paying us anything. We list our competitors first, link to their docs, and tell you when each one is the right call. Long-form side-by-sides for each are linked below.

The 30-second take

One line per scanner. Skip to the matching scenario below if you already know your constraint.

Snyk

Commercial SaaS

Enterprise dev-time + container + IaC security, per-developer pricing.

Price: Free tier (limited); Team $25/dev/mo; Enterprise custom

StackPatch

Closed source

Hosted CVE patch ops for live Linux VPSes — install in 5 sec, alerts by default.

Price: $99 lifetime founder seat (3 servers); monthly tiers $19+

Pick by scenario

Find the row that matches your constraint. The right call usually pops out from one sentence about your situation.

| If you... | Pick | Why |
|---|---|---|
| I run 1–10 Linux VPSes and want hourly scan + alerts without engineering work | | curl scan.sh \| bash, install.sh adds the cron + agent, audit URL by default. |
| I have engineering time and want a self-hosted OSS scanner I can extend | | Mature, well-documented, 10K+ GitHub stars, agentless or agent-based. |
| I build container images and want to fail CI on vulnerable layers | | Best-in-class container + IaC + Kubernetes scanning. Free, easy CI integration. |
| My pipeline already produces SBOMs (via Syft) and I want CVE scanning bolted on | | SBOM-first design, Anchore stack, drops in next to Syft. |
| I have a security team and a budget and want one platform for dev + container + IaC | | Enterprise-grade, deep IDE/CI integrations, per-developer pricing reflects target buyer. |
| I'm allergic to SaaS — I want a scanner I can read and audit line-by-line | | All three are OSS. Source code on GitHub. Run them locally without phoning home. |

StackPatch vs vuls.io

Best for: Engineering team that wants a self-hosted scanner and time to wire alerting + cron themselves.

Not for: Solo founder who wants the answer in 5 minutes and a public audit URL by default.

Read the long comparison

StackPatch vs Trivy

Best for: Teams that ship container images and want to fail CI on vulnerable layers.

Not for: A solo founder whose problem is keeping a live VPS patched.

Read the long comparison

StackPatch vs Grype

Best for: Pipelines that already produce SBOMs (via Syft) and want CVE scanning bolted on.

Not for: Anyone who hasn't already standardized on SBOM-driven workflows.

Read the long comparison

StackPatch vs Snyk

Best for: Series A+ teams with a real security org, dev-time scanning needs, and budget.

Not for: A 1-person SaaS shop running 1–10 Linux servers.

Read the long comparison

Try the free quickscan before paying anyone — including us.

Reads only your distro / kernel / package list. Source rendered as plain text so you can read before piping. No account, no card, no email gate.