COMPARISON · TRIVY · 2026-07-13

    Gadriel vs. Trivy: Vulnerable Ingredients vs. the Whole Kitchen

    Trivy is the best-in-class dependency, container, and secret scanner in this benchmark — and it is structurally not a SAST tool. Gadriel finds the vulnerable ingredients AND the vulnerable own code in one local pass.

    Gadriel vs. Trivy: Vulnerable Ingredients vs. the Whole Kitchen
    COMPARISON · TRIVY·2026-07-13·11 MIN READ

    CISO NOTE

    CISO note — the Gadriel differentiator. Trivy is the best-in-class scanner for ingredients — dependencies, containers, secrets. It is structurally not a SAST tool. Gadriel finds the vulnerable ingredients and the vulnerable own code that uses them — taint-flow SAST + SCA (live OSV) + secrets + container + IaC/config + API + AI/LLM, in a single local, deterministic pass, with SBOM + 10-framework compliance. One command answers both "is the dependency poisoned?" and "is our code that calls it actually reachable?".

    The short version

    Trivy is the best-in-class dependency and artifact scanner in this benchmark, and we want to say that plainly up front. Point it at an app's open-source libraries, container images, IaC, and committed secrets and it is fast, light, free, and thorough. On the repos where the real danger lives in the dependencies — dvja's ancient Struts2 remote-code-execution family and Log4Shell, NodeGoat's large npm CVE surface — Trivy is the leader, and Gadriel does not out-scan it there. If your question is "which of my ingredients are known to be poisoned?", Trivy answers it better than anything else here.

    But that is the whole point of the comparison, because Trivy is structurally not a SAST tool. It never reads the source code your own team writes. It cannot see a SQL injection, a command injection, an XSS hole, or an eval() you introduced — because those bugs are not in a CVE database, they are in your code. Gadriel finds the vulnerable ingredients (SCA, containers, secrets, config) and the vulnerable own code (SAST) in one local pass, checks AI/LLM risks, and produces compliance reports and an SBOM. So the two tools are not competing for the same square: Trivy is the deeper dependency/container specialist; Gadriel is the broader single tool that also covers Trivy's axis reasonably well.


    TIP

    Read Trivy as the ingredient scanner and Gadriel as the whole-kitchen scanner. Trivy is outstanding at dependencies, containers, and secrets — genuinely best-in-class here. It just isn't a SAST tool. That framing makes the tables below click.

    What we tested

    Six deliberately-vulnerable "goat" applications across five languages. A goat app is stuffed with known, exploitable bugs, so the ground truth is fixed in advance and we can check exactly what each tool catches and misses. Every scan was a first-time run on a repo Gadriel was never trained or tuned on, measured on the same machine in July 2026. Tools: Gadriel 1.2.1, Trivy 0.72.0.

    RepoLanguage / stackWhere its danger lives
    pygoatPython / DjangoOwn-code RCE, pickle, yaml, cmd-injection, SQLi — plus vulnerable libs
    django.nVPython / Django 1.8.3Own-code SQLi + hardcoded secret — plus 21 old-Django CVEs
    vulpyPython / FlaskOwn-code SQLi only (no pinned deps, no container)
    govwaGo / MySQLOwn-code SQLi + weak crypto — thin dependency side
    dvjaJava / Spring / Struts2 / MavenDependencies (Struts2 RCE, Log4Shell) — Trivy's home turf
    NodeGoatJavaScript / Express / Mongoeval RCE + committed key — plus a big npm CVE surface

    How Gadriel works: one local pass

    Gadriel runs one local pass over the repo and covers seven dimensions at once — SAST (your own code), SCA (dependencies), secrets, container/Dockerfile, config/IaC, API surface, and AI/LLM risks — then rolls them into a gating score and emits reports, an SBOM, and compliance output. That single default pass is the whole story here. Gadriel also ships an optional AI verification stage (Tier-2, off by default) that can adversarially re-check gating SAST findings; it is a bonus, not the basis of this comparison.

    flowchart LR
      R[Repo / source tree] --> P[Single local pass]
      P --> SAST[SAST — own code]
      P --> SCA[SCA — dependencies]
      P --> SEC[Secrets]
      P --> CON[Container / Dockerfile]
      P --> CFG[Config / IaC]
      P --> API[API surface]
      P --> AI[AI / LLM risks]
      SAST --> G[Gating findings + score]
      SCA --> G
      SEC --> G
      CON --> G
      CFG --> G
      API --> G
      AI --> G
      G --> OUT[Reports + SBOM + compliance]
      G -.-> T2[Tier-2 optional — host-LLM verification, off by default]
      T2 -.-> OUT
    DIAGRAM

    Tool-coverage matrix

    Read the dependency, container, and IaC rows first: Trivy leads dependencies and the other artifact axes, and Gadriel does not out-scan it there. Gadriel's differentiator is the own-code and AI/compliance rows Trivy cannot cover at all.

    CapabilityGadriel (default)Gadriel + Tier-2Trivy
    SAST / own-code injection❌ (reads no source)
    SCA (deps / CVE)LEADS — deeper & fresher
    Secrets
    Container / IaCLEADS
    Config or AI-runtime✅ (misconfig)
    API (OpenAPI)
    AI / LLM risk (OWASP LLM Top 10)
    Access-control / IDOR / broken-authz~ structural gap✅ advisory (semantic hunt)❌ (reads no source)
    Self-verification (AI pass)— (optional)✅ BYO-LLM (your Claude / GPT / local Ollama)
    Local / offline
    SBOM⚠️ partial
    One command, one pass

    Cross-repo scoreboard (measured)

    Gadriel figures are the fresh July 2026 re-run. Trivy figures are from the same battery. Read the two "findings" columns as different axes: Trivy's big numbers are almost entirely dependency CVEs (its strength), which is not the same thing as own-code SAST.

    The Gadriel Tier-2 (optional, verified) column is off-by-default AI self-verification (--tier2) that re-checks Gadriel's gating-eligible SAST findings; Trivy has no own-code findings to verify, so the column is Gadriel-only. All 19 gating-eligible findings across the six repos were confirmed (0 refuted).

    RepoGadriel timeGadriel findings (verdict)Gadriel Tier-2 (optional, verified)Trivy findings (mostly dep CVEs / container)Honest read
    pygoat (Python)~3.7s38 — sast 18, container 10, secrets 5, sca 3, config 1 (FAIL 4.87)6/6 confirmed130+ dep CVEs, 2 secrets, 8 containerTrivy owns the huge dep list; Gadriel owns the 18 own-code bugs Trivy can't see
    django.nV (Python)~14.4s12 — sast 7, sca 2, secrets 1 (PARTIAL 6.83)5/5 confirmed21 dep CVEs (Django 1.8.3), 0 secrets, 0 misconfigTrivy fast on the old-Django CVEs; Gadriel adds SQLi + hardcoded secret in code
    vulpy (Python)~2.5s5 — sast 4 (PARTIAL 8.00)2/2 confirmed0 (no pinned versions, no container)Nothing for Trivy to match; all danger is own-code SQLi — Gadriel's alone
    govwa (Go)~3.0s11 — sast 3, container 4, sca 2, config 1 (PARTIAL 6.97)3/3 confirmed8 dep CVEs, 0 secrets, 2 containerThin, medium-severity dep side; the real bug is Go SQLi in code (Gadriel)
    dvja (Java)~5.3s15 — container 10, sca 3, sast 1 (PARTIAL 7.26)1/1 confirmed33 dep CVEs (Struts2 RCE + Log4Shell), 6 misconfigTrivy wins this app on dependency depth; Gadriel's Java SAST is weak (1 bug)
    NodeGoat (JS)~5.2s14 — container 5, sast 4, sca 3, secrets 2 (PARTIAL 6.06)2/2 confirmed76 dep CVEs, 1 secret, 1 misconfigTrivy leads the npm CVE surface; Gadriel catches the eval RCE Trivy can't

    Gadriel's counts are its default one-pass output. The distinction that matters: a large Trivy number means a large dependency-CVE surface, not own-code depth. Those are different questions.

    Optional: Gadriel Tier-2 (bring-your-own-LLM)

    Tier-2 is Gadriel's optional AI stage — enabled with the --tier2 flag (also GADRIEL_TIER2 env / [tier2].enabled config), off by default. Its distinguishing property is bring-your-own-LLM: it borrows the host agent's already-running model (Claude in Claude Code, GPT in Cursor, or a local Ollama model), so Gadriel makes no API call of its own — no vendor model to buy, no code egress, no second bill, works air-gapped. It runs two passes: VERIFY, which adversarially re-checks Tier-1's gating SAST findings (this round 19/19 confirmed, 0 refuted), and HUNT, which semantically reads the source for the vuln classes deterministic taint rules structurally miss — IDOR, missing/broken authorization, forgeable-token auth — and surfaces them as advisory, non-gating findings for review (+25 this round). These adds are flagged for a human, never used to gate or fail a build. Tier-2 is a bonus stage, not the basis of this Gadriel-vs-Trivy comparison — which is about own-code SAST breadth versus dependency depth — but its own-code effect is measurable:

    RepoTier-1 gating SAST+Tier-2 VERIFY+Tier-2 HUNT (advisory)Own-code total
    pygoat (Python)186/6 ✓+422
    django.nV (Python)75/5 ✓+411
    vulpy (Python)42/2 ✓+48
    govwa (Go)33/3 ✓+47
    dvja (Java)11/1 ✓+45
    NodeGoat (JS)42/2 ✓+59
    Total3719/19 confirmed+25 advisory62

    The HUNT adds are all in the access-control family — IDOR / broken-object-authz (CWE-639), missing function-level authz (CWE-862), missing authentication (CWE-306), forgeable/unsigned-token auth — plus injection/traversal on the SAST-thin Java repo. These are structurally invisible to rule-based taint analysis: the bug is a missing check, not a tainted data-flow to a sink. Note the standout on dvja, where Tier-1 alone found just 1 SAST bug: Tier-2 surfaced the critical PingAction command injection, a product IDOR, a forgeable admin-cookie, and a forgeable reset-token (account-takeover chain).


    Repo by repo

    pygoat (Python / Django)

    Trivy did excellent supply-chain work: more than 130 known library vulnerabilities, including three separate command-execution flaws in an old PyYAML, plus 2 leaked secrets and 8 container/Dockerfile misconfigurations. That is real, useful output and the strongest dependency haul short of dvja.

    Gadriel produced 18 own-code SAST findings Trivy structurally cannot — many L3-critical: RCE, command injection, SQL injection, unsafe pickle, unsafe yaml loading, eval. It also did the ingredient work in the same pass (container 10, secrets 5, SCA 3, config 1), overlapping Trivy's turf. Note the easy misread in Trivy's output: titles like "Django SQL injection" are flaws in the framework (fixed by upgrading Django), not the SQL injection written into pygoat's own code. This is Gadriel's strongest repo (FAIL 4.87, correctly damning).

    django.nV (Python / Django 1.8.3)

    Trivy flagged 21 known CVEs in the end-of-life Django 1.8.3 framework straight from requirements.txt, in about a second — genuinely faster than Gadriel here, and exactly the housekeeping it is built for. Its secret and misconfig scanners returned zero on this repo (no Dockerfile; it did not flag the hardcoded SECRET_KEY).

    Gadriel added 7 SAST findings — including two critical SQL-injection sites (CODE-W1-L3-014 and L3-017) — plus the hardcoded SECRET_KEY and insecure config (pickle serializer, MD5), and it re-flagged the vulnerable Django via SCA. Trivy tells you the library is old; Gadriel tells you the code is injectable. Both are true; only Gadriel says both.

    vulpy (Python / Flask)

    Trivy found nothing here — zero libs, zero secrets, zero misconfig — and that is an honest reflection of the app, not a failure: vulpy pins no dependency versions to match against a CVE database and ships no container. Its job simply had nothing to bite on.

    Gadriel found the danger, which lives entirely in hand-written code: 4 SAST findings including a critical formatted-SQL injection (CODE-W1-L3-014, Gadriel's Python formatted-SQL-injection detector firing live) plus debug=True and auth-over-HTTP. Because vulpy ships a hardened good/ tree beside the vulnerable bad/ one, this is also a precision test: Gadriel fired only on request-reachable injectable queries and stayed fully silent on the parameterized rewrites — zero findings inside the hardened good/ tree. Highest Gadriel score in the set (8.00).

    govwa (Go / MySQL)

    Trivy flagged 8 known CVEs across common Go modules (gin, golang.org/x/text, golang.org/x/sys) and 2 container misconfigurations — competent, but mostly medium severity and none of them the bug that gets govwa breached. This is a source-code story, not a dependency story.

    Gadriel caught what matters: 3 SAST findings, headlined by a critical Go formatted-SQL injection (CODE-W1-L2-002) — Gadriel's Go formatted-SQL-injection detector now firing live — plus a second SQLi path and MD5 weak hashing (CODE-W1-L1-313). It also ran SCA (2) and container (4) in the same pass, overlapping Trivy's lane.

    dvja (Java / Spring / Struts2 / Maven)

    This is Trivy's app, and it is the standout performer. It found 33 known dependency vulnerabilities — the Apache Struts remote-code-execution family (CVE-2017-5638, the Equifax-class flaw, and more) and Log4Shell (CVE-2021-44228) — plus 6 misconfigurations. The most likely way dvja actually gets breached is through those ancient libraries, and Trivy mapped that risk out in full. On dependency depth Trivy beats Gadriel here cleanly, and we say so.

    Gadriel flagged the same critical Struts2 RCE dependency (a subset: 3 SCA findings) and led on container hardening (10 findings), but its Java SAST is its weakest — just 1 own-code bug (CODE-W1-L1-1004 critical) out of roughly 18 in the app. It missed the command injection, JSP XSS, and weak crypto. The honest story on dvja is not "Gadriel out-scanned Trivy" — it is "Gadriel covered dependencies + container + code + compliance in one tool, while Trivy went deeper on the dependency half."

    NodeGoat (JavaScript / Express / Mongo)

    Trivy owned the npm surface: 76 known dependency vulnerabilities, plus a committed TLS private key and a container misconfiguration, in about a second. NodeGoat has a large vulnerable-dependency surface and Trivy is the leader on it. Full credit.

    Gadriel caught the marquee own-code bug Trivy cannot: the eval() code injection in contributions.js (CODE-W1-L1-001/008 critical) that lets an attacker take over the server, plus code-injection and other SAST (4 total), the same committed key, SCA (3), and container/config (5+1). Candidly, Gadriel's JavaScript SAST breadth is still maturing — it misses NoSQL $where, SSRF, and ReDoS that deeper SAST engines flag — but against Trivy specifically the gap is stark, because Trivy reads no source at all.


    KEY TAKEAWAY

    Trivy finds vulnerable ingredients brilliantly. Gadriel finds vulnerable ingredients and the vulnerable own code that uses them — in one local pass, with taint analysis Trivy structurally does not do.

    Where Gadriel clearly wins

    1. SAST and SCA/container/secrets/config in one pass. This is the structural differentiator. Trivy is dependency/artifact-only; Gadriel reads your own source for injection, RCE, XSS, eval, weak crypto and does the ingredient scanning Trivy does — in a single local command. On pygoat, vulpy, govwa, django.nV and NodeGoat, the most dangerous bug was own-code, which Trivy cannot see by design.
    2. It learns per-codebase. Decisions are remembered per-codebase, so scans get more accurate over time — and an optional AI verification pass (off by default) can re-check gating findings when you want it. A static ruleset cannot self-correct.
    3. AI/LLM detection. OWASP LLM Top 10 risks — a category Trivy does not cover at all.
    4. Audit-ready by default. SPDX + CycloneDX SBOMs and 10 compliance frameworks (EU AI Act, NIST AI RMF, SOC 2, HIPAA, PCI-DSS, OWASP LLM Top 10, CMMC, ISO 42001, Cyber-Insurance readiness) with formal reports — every scan, no extra tools.
    5. Precision. On vulpy it fired on every injectable query and left the parameterized rewrites alone — reachability-aware, not a raw CVE dump.

    Where Trivy clearly wins / Gadriel trails (honest)

    • Dependency-CVE breadth and freshness. On dvja (33 CVEs incl. Struts2 RCE + Log4Shell) and NodeGoat (76 npm CVEs), Trivy is the leader and often deeper than Gadriel. For pure "which libraries are vulnerable?" work, Trivy is excellent — fast, exhaustive, and free.
    • Container/OS-package and IaC/misconfig depth. Trivy's artifact and infrastructure scanning is mature and broad; it is the right specialist for that job.
    • Speed on narrow jobs. When it only reads a dependency list (django.nV ~1s, NodeGoat ~1s), Trivy is much faster than a Gadriel run that also reads all source, config, and secrets.
    • Gadriel's Java SAST recall is weak. On dvja it found 1 of ~18 own-code bugs. Java source depth trails Gadriel's Python and Go, and its JavaScript SAST breadth is still maturing too. The same deterministic pass also structurally misses the access-control family — IDOR, missing/broken authorization, CSRF, and forgeable-token auth — the way any rule-based taint engine does. We would rather state that plainly than imply Gadriel cleaned up the code side on Java — it did not.
    • The optional Tier-2 pass already recovers part of this. Its bring-your-own-LLM semantic hunt surfaces the IDOR / missing-authz / broken-auth family as advisory, review-flagged, non-gating findings — +25 own-code issues Tier-1 alone missed this round, including the dvja command-injection + IDOR + account-takeover chain. But those adds are advisory, not build gates, and they do not close the deterministic Java/JS SAST-breadth gap, which is still real and being improved.

    The benchmark → fix flywheel

    This is a practice, not a slide. When a repo surfaces a genuine Gadriel miss, we record and ship the fix. This series shipped two: Gadriel's Go formatted-SQL-injection detector and the Python analog. Both were narrow, source-optional matcher heuristics that stay precise on parameterized queries; both were unit-tested and re-validated live — the govwa CODE-W1-L2-002 and vulpy/django.nV CODE-W1-L3-014 hits in this round are those fixes firing on the real targets.


    Honest evaluation: where Gadriel is strong, where it's weak, and what Tier-2 changes

    Stated plainly:

    • Tier-1 (default) is strong at injection. SQLi, OS-command, code/eval — especially in Python and Go, where it is a peer to any rule-based scanner in this set. That is the core of every own-code win above.
    • Tier-1 is honestly weak in two places. First, Java/JS SAST breadth — dvja bottoms out at 1 own-code bug and NodeGoat at 4. Second, the entire access-control family — IDOR, missing/broken authorization, forgeable-token auth — which is structurally invisible to AST taint rules, because the vulnerability is a missing check rather than a tainted data-flow to a sink. No amount of taint tuning reaches it.
    • The optional Tier-2 (your own LLM) closes exactly those two gaps. It recovered +25 measured IDOR / authz / broken-auth findings this round — including the dvja command-injection + IDOR + account-takeover chain where Tier-1 alone found only 1. Those are surfaced as advisory findings for review, not build gates.
    • Net, on own-code security coverage, Gadriel + Tier-2 is the most complete tool in this comparison. This claim is own-code only. Trivy reads no source at all, so Gadriel + Tier-2 owns the entire own-code axis — injection via Tier-1, IDOR/authz via Tier-2 — but Trivy still LEADS dependencies, containers, and IaC, and Gadriel does not displace it there. Trivy ships no own-code AI add-on at all, so the comparison there is simply presence versus absence; and where cloud AI add-ons do exist, the Tier-2 differentiator is delivery — bring-your-own / local model, no vendor cloud call, no egress, no extra bill — not a claim of better raw detection than a hosted model.

    Trivy tells you which dependency is poisoned. Gadriel tells you that and whether the poisoned function is actually reachable from a user request.

    The bottom line

    Trivy is a superb, fast, free dependency/container/IaC scanner — a great choice for that job, and the best-in-class tool in this benchmark for it. On dvja and NodeGoat, where the danger is in the ingredients, it is the leader and Gadriel does not beat it. If your only question is "which of my libraries, images, or IaC files are known-vulnerable?", reach for Trivy.

    Gadriel is the broader single tool. It covers Trivy's ingredient-scanning axis reasonably well and adds the thing Trivy structurally cannot do — reading your own source code for injection, RCE, eval, and weak crypto — checks AI/LLM risks, and emits SBOMs and compliance reports, all locally and offline. On five of the six repos the most dangerous bug was own-code, and only Gadriel saw it.

    Security and dependency risk are two of the eight pillars Gadriel validates in every scan — compliance, safety, operational, FinOps, coherence, teamwork, and bias run in the same local pass. The two are complementary, not interchangeable: Trivy is the deeper dependency/container specialist; Gadriel is the broader whole-application tool that also does dependencies, plus SAST, verification, AI, and compliance in one pass.


    Test details: six goat repos — adeyosemanputra/pygoat, nVisium/django.nV, fportantier/vulpy, 0c34/govwa, appsecco/dvja, OWASP/NodeGoat — across Python, Go, Java, and JavaScript. Gadriel 1.2.1 (fresh July 2026 offline re-run); Trivy 0.72.0. All scans were first-time runs on repositories Gadriel was never trained or tuned on, measured on the same machine. Trivy's dependency, container, and secret figures are from the same battery; where Trivy found nothing (vulpy) it is because the app pins no versions and ships no container, not a tool failure. All findings were verified against the source. July 2026.