Open-source scanner
HarborGuard vs Trivy
Trivy is an excellent CVE scanner; HarborGuard runs Trivy alongside Grype, Syft, Dockle, OSV, and Dive, dedupes the findings into a single triage queue, and adds patching, SLA tracking, and compliance evidence on top.
Most teams start with Trivy because it's free and effective. The friction shows up later: no triage workflow, no patching, no compliance evidence pack, and no way to compare what Trivy missed against another scanner. HarborGuard bundles Trivy and five peers behind one API and adds the workflow layer Trivy was never meant to provide.
When Trivy wins
- You're a single developer running ad-hoc scans on a laptop.
- You don't need persistent history, triage, or audit logs.
- Your CI just needs an exit code.
When HarborGuard wins
- More than one engineer needs to triage findings.
- You need cross-scanner deduplication (Trivy + Grype + OSV in one finding).
- Auditors are asking for evidence packs (SOC 2, FedRAMP, etc.).
- Patching base images by hand is taking too long.
- You need SLA tracking with breach alerts.
Capability matrix
| Capability | HarborGuard | Trivy |
|---|---|---|
| CVE scanning | Trivy + Grype + OSV-Scanner deduplicated | Trivy only |
| SBOM generation | Syft, exported as CycloneDX or SPDX | Trivy SBOM (more limited ecosystem coverage) |
| Triage workflow | State machine with SLA timers, audit trail | None — output is JSON |
| Patching | Buildah / Copa, automatic for base image CVEs | Manual |
| Compliance evidence | 10+ frameworks (SOC 2, FedRAMP, etc.) | None |
| Notifications | Slack, PagerDuty, email, webhook | Stdout / file |
| Multi-tenant | Yes — orgs, RBAC, SAML/OIDC SSO | No — single binary |
| Self-hosted option | Yes (AGPL-3.0) | Yes (Apache-2.0) |
| Pricing | Free tier; $29-79/user/month for paid | Free |
Frequently asked questions
Does HarborGuard replace Trivy?
No. HarborGuard runs Trivy as one of its bundled scanners. The deduplicated findings always include Trivy attribution so you can see exactly what Trivy reported per finding.
Why use HarborGuard if Trivy is free?
The scanner is the easy part. The hard parts are triage, SLAs, patching, and compliance evidence — none of which Trivy provides. HarborGuard is the workflow layer on top.