One command to run all three vulnerability scanners using Docker - no local installation required!
Scanners-TrivyClairGrype is a comprehensive, zero-installation vulnerability scanning solution that integrates three powerful security scanners (Trivy, Clair, and Grype) into a single command.
Simply run .\run_all.bat on Windows or ./run_all.sh on Mac/Linux to automatically scan your codebase, Docker images, or directories for vulnerabilities, secrets, and misconfigurations using Docker containers - no local installation required.
The tool generates a combined HTML report with findings from all three scanners, making it perfect for developers, DevOps teams, and security professionals who want enterprise-grade vulnerability scanning without the complexity of setting up multiple tools individually.
.\run_all.bat
./run_all.sh
python scan_docker.py .
That's it! The script will automatically:
- Pull Docker images for all scanners
- Scan your codebase with Trivy, Grype, and Clair
- Generate a combined HTML report
- Open results in your browser
- Use descriptive container names for easy tracking
All containers now have descriptive, consistent names:
- trivy-scanner-TIMESTAMP - Trivy vulnerability scanner
- grype-scanner-TIMESTAMP - Grype vulnerability scanner
- clair-postgres-db - PostgreSQL database for Clair
- clair-vulnerability-scanner - Main Clair scanner service
- clair-control-tool - Clair control utility
Easy management:
# See what's running
docker ps
# View logs
docker logs clair-vulnerability-scanner
# Stop specific containers
docker stop trivy-scanner-20250625_070015
- Source code (vulnerabilities in dependencies)
- Secrets (API keys, passwords hardcoded in code) - Trivy only
- Package managers (npm, pip, maven, gradle, composer, etc.)
- Configuration files (Dockerfile, Kubernetes YAML, Terraform) - Trivy only
- Container images (OS and application vulnerabilities)
- Software Bill of Materials (SBOM) - Trivy only
Feature | Trivy | Grype | Clair |
---|---|---|---|
Dependencies | β | β | β |
Secrets | β | β | β |
Configs | β | β | β |
Git Repos | β | β | β |
Containers | β | β | β |
Speed | Fast | Very Fast | Consistent |
Setup | Easy | Easy | Optional |
Recommendation: Trivy + Grype provide excellent coverage for most security needs. Clair is optional for specialized container analysis.
- Docker (only requirement!)
- Python 3.6+ (usually pre-installed)
- Windows/Mac: Docker Desktop
- Linux: curl -fsSL https://get.docker.com | sh
# Scan current directory (your project)
.\run_all.bat
# Scan specific directory
.\run_all.bat C:\path\to\project
./run_all.sh /path/to/project
# Scan Docker image
.\run_all.bat nginx:latest
./run_all.sh python:3.9
# Scan Git repository (real examples)
.\run_all.bat https://github.com/your-username/your-repo
- JSON files for each scanner in results/ directory
- Combined HTML report with all findings
- Severity-based filtering (Critical, High, Medium, Low)
- Package and vulnerability details
- Fix recommendations when available
results/
├── trivy_results_TIMESTAMP.json
├── grype_results_TIMESTAMP.json
├── clair_results_TIMESTAMP.json (when available)
└── combined_report_TIMESTAMP.html ← Opens automatically
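The per-scanner JSON files can also be merged outside the HTML report, for example to gate a CI job on severity. The sketch below is an added example, not this project's own code: the function names are hypothetical, the sample reports are constructed, and only the JSON field names are the ones Trivy and Grype emit. It also handles the case where Grype reports a GHSA id for a finding Trivy lists under its CVE id.

```python
# Constructed samples, trimmed to the fields used; load real ones from results/*.json with json.load().
TRIVY_SAMPLE = {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
     "InstalledVersion": "2.3.0", "Severity": "LOW"}]}]}
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "GHSA-0000-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.0.1"]}},
     "relatedVulnerabilities": [{"id": "CVE-0000-0001"}],
     "artifact": {"name": "examplelib", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium", "fix": {"versions": []}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "thirdlib", "version": "0.9"}}]}
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]  # most severe first

def from_trivy(report):
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            yield (v["VulnerabilityID"], v["PkgName"], v.get("InstalledVersion", ""),
                   v.get("Severity", "UNKNOWN").upper(), v.get("FixedVersion", ""))

def from_grype(report):
    for m in report.get("matches") or []:
        vuln, art = m["vulnerability"], m["artifact"]
        # Grype often reports a GHSA id; use the related CVE so it lines up with Trivy.
        cves = [r["id"] for r in m.get("relatedVulnerabilities") or [] if r["id"].startswith("CVE-")]
        vid = vuln["id"] if vuln["id"].startswith("CVE-") or not cves else cves[0]
        sev = vuln.get("severity", "Unknown").upper()
        fixes = (vuln.get("fix") or {}).get("versions") or []
        yield (vid, art["name"], art.get("version", ""),
               sev if sev in SEVERITIES else "UNKNOWN", ", ".join(fixes))

def merge(trivy_report, grype_report, min_severity="UNKNOWN"):
    merged = {}
    for scanner, rows in (("trivy", from_trivy(trivy_report)), ("grype", from_grype(grype_report))):
        for vid, pkg, ver, sev, fix in rows:
            e = merged.setdefault((vid, pkg, ver), {"id": vid, "package": pkg, "version": ver,
                                                    "severity": sev, "fixed_in": fix, "scanners": []})
            if scanner not in e["scanners"]:
                e["scanners"].append(scanner)
            # When the scanners disagree, keep the more severe rating.
            e["severity"] = min(e["severity"], sev, key=SEVERITIES.index)
            e["fixed_in"] = e["fixed_in"] or fix
    keep = [e for e in merged.values()
            if SEVERITIES.index(e["severity"]) <= SEVERITIES.index(min_severity)]
    return sorted(keep, key=lambda e: (SEVERITIES.index(e["severity"]), e["id"], e["package"]))

if __name__ == "__main__":
    for row in merge(TRIVY_SAMPLE, GRYPE_SAMPLE):
        print(row["severity"], row["id"], row["package"], row["fixed_in"] or "-", row["scanners"])
```

Findings listed by only one scanner are worth a second look: they are either a coverage gap in the other tool or a false positive.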
Want to see how the reports look with vulnerabilities? Run the test script:
python test_with_mock_data.py
This generates realistic vulnerability data for all three scanners so you can see the beautiful table formatting and severity color coding in action!
If you want the simplest solution, just install Trivy alone - it can do 90% of what you need:
# Using Chocolatey
choco install trivy
# Or download directly
$version = "0.52.2"
Invoke-WebRequest -Uri "https://github.com/aquasecurity/trivy/releases/download/v$version/trivy_$($version)_Windows-64bit.zip" -OutFile "trivy.zip"
Expand-Archive trivy.zip -DestinationPath "C:\trivy"
# Add C:\trivy to PATH
brew install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Scan your codebase for vulnerabilities and secrets
trivy fs .
# Scan container image
trivy image nginx:latest
# Scan git repository
trivy repo https://github.com/user/repo
# Scan for secrets only
trivy fs --scanners secret .
# Scan configuration files
trivy config .
# Docker version (no installation)
docker run --rm -v "$(pwd)":/workspace aquasec/trivy fs /workspace
Trivy:
# Scan filesystem/codebase
docker run --rm --name trivy-scan -v "$(pwd)":/workspace aquasec/trivy fs /workspace
# Scan for secrets in code
docker run --rm --name trivy-secrets -v "$(pwd)":/workspace aquasec/trivy fs --scanners secret /workspace
# Scan container image
docker run --rm --name trivy-image aquasec/trivy image nginx:latest
# Scan git repository
docker run --rm --name trivy-repo aquasec/trivy repo https://github.com/user/repo
Grype:
# Scan directory
docker run --rm --name grype-scan -v "$(pwd)":/workspace anchore/grype dir:/workspace
# Scan container image
docker run --rm --name grype-image anchore/grype nginx:latest
Clair:
# Start Clair services
docker-compose up -d
# Check status
curl http://localhost:6060/health
# Stop services
docker-compose down
If you prefer to install scanners locally instead of using Docker:
# Automated installer
.\install_scanners.ps1
# Or manual
choco install trivy
# Download Grype from GitHub releases
# Homebrew
brew install trivy
brew tap anchore/grype && brew install grype
# Install scripts
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
Then use the local scanner script:
python scan_all.py .
- Known CVEs in dependencies
- Outdated packages with security issues
- OS-level vulnerabilities
- Language-specific package vulnerabilities
- API keys and tokens
- Database credentials
- Private keys
- Hardcoded passwords
- AWS access keys
- JWT tokens
- Dockerfile best practices
- Kubernetes security issues
- Infrastructure as Code problems
- Insecure configurations
- Best for: Complete security scanning
- Scans: Code, containers, configs, secrets
- Strengths: Most features, active development
- Output: Detailed CVE information
- Best for: Quick vulnerability checks
- Scans: Containers, filesystems
- Strengths: Speed, simple output
- Output: Clean vulnerability list
- Best for: Container layer analysis
- Scans: Container images (layer by layer)
- Strengths: Deep image inspection
- Output: Layer-specific vulnerabilities
# Check Docker is running
docker --version
docker ps
# Pull images manually if needed
docker pull aquasec/trivy:latest
docker pull anchore/grype:latest
# Make script executable
chmod +x run_all.sh
# Run with sudo if needed
sudo ./run_all.sh
# If scripts are blocked
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# See all containers with descriptive names
docker ps -a
# Remove stopped scanner containers
docker container prune
# Stop and remove Clair services
docker-compose down -v
- Zero local installation (Docker-only approach)
- Single command execution
- Cross-platform (Windows, Mac, Linux)
- Automatic report generation
- Browser integration
- Multiple scan targets (code, containers, repos)
- Combined results from all scanners
- Professional HTML reports
- Descriptive container names for easy management
- Timestamp-based tracking
Feel free to submit issues and enhancement requests!
Ready to scan? Just run .\run_all.bat (Windows) or ./run_all.sh (Mac/Linux)!