kube-bench
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (by aquasecurity)
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more (by aquasecurity)
| | kube-bench | trivy |
|---|---|---|
| Mentions | 28 | 120 |
| Stars | 8,068 | 35,597 |
| Growth | 0.5% | 2.3% |
| Activity | 9.0 | 9.7 |
| Latest commit | 5 days ago | 4 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kube-bench
Posts with mentions or reviews of kube-bench.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2026-02-24.
- Mastering Kubernetes Security: Essential Practices for DevSecOps
Kube-bench: Kubernetes Security Benchmark
- Kubernetes hardening made easy: Running CIS Benchmarks with kube-bench

```shell
$ wget https://github.com/aquasecurity/kube-bench/releases/download/v0.10.2/kube-bench_0.10.2_linux_amd64.deb
$ sudo dpkg -i kube-bench_0.10.2_linux_amd64.deb
Selecting previously unselected package kube-bench.
(Reading database ... 41333 files and directories currently installed.)
Preparing to unpack kube-bench_0.10.2_linux_amd64.deb ...
Unpacking kube-bench (0.10.2) ...
Setting up kube-bench (0.10.2) ...
$ kube-bench version
0.10.2
```
- Kubernetes CIS Benchmarking Tool : Day 17 of 50 days DevOps Tools Series

```shell
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
```
- 26 Top Kubernetes Tools
kube-bench is an automated tool that scans your cluster to check it meets security best practices. The checks are configured as YAML files, which allow you to easily customize tests and add new ones. The default ruleset is based on the Kubernetes CIS Benchmark standard.
- Cloud Security and Resilience: DevSecOps Tools and Practices
2. Kubebench: https://github.com/aquasecurity/kube-bench Kubebench is an open-source tool that checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.
- Evaluating and securing your Kubernetes infrastructure with kube-bench
However, no matter how well our applications are secured, the security of our entire IT environment ultimately depends on the security of our infrastructure. Therefore, in the lab to follow, we will shift our focus away from Kubernetes workloads and instead explore how we can evaluate and improve upon the security of our Kubernetes clusters with kube-bench, the industry-leading Kubernetes benchmarking solution developed by Aqua.
- Kube-bench and Popeye: A Power Duo for AKS Security Compliance
The official repository can be found here with detailed installation instructions.
- Quickstart - Aqua Security Kube-Bench

```shell
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.10/kube-bench_0.6.10_linux_amd64.deb -o kube-bench_0.6.10_linux_amd64.deb
```
- Looking for Tips on Open Sourcing a kubernetes security tool
- Kubernetes Security: 10 Best Practices from the Industry and Community
I haven't used Kubernetes for a while, but shouldn't kube-bench (1) be enough? Do you have to check anything manually?
(1) https://github.com/aquasecurity/kube-bench
trivy
Posts with mentions or reviews of trivy.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2026-06-01.
- trivy VS onequery - a user suggested alternative
2 projects | 1 Jun 2026
- The Performance Battle the hardening of Vault and OWASP: What Matters
Manual OWASP compliance checks for Vault are error-prone, take 4+ hours per audit, and drift within weeks of completion. In our 2024 survey of 120 engineering teams managing Vault deployments with over 10k secrets, 78% of manual compliance checks missed at least one critical OWASP ASVS 4.0 Level 2 control, leading to 3x more breach risk than automated checks. The most commonly missed controls were TLS 1.3 enforcement (missed by 62% of teams) and rate limiting (missed by 58%), both of which add negligible latency but cut exfiltration risk by 70%. Instead, integrate automated compliance checks into your CI pipeline using the https://github.com/hashicorp/vault API and the second code example provided earlier. Use GitHub Actions, GitLab CI, or CircleCI to run checks on every pull request that modifies Vault config, Terraform, or Kubernetes secrets. For example, add a step to your GitHub Actions workflow that runs the owasp_vault_compliance_checker.py script against a staging Vault instance. This catches misconfigurations before they reach production, reduces compliance time from 4 hours to 12 minutes per audit, and ensures 100% of OWASP controls are checked every time. Tools like https://github.com/aquasecurity/trivy can also scan Vault container images for CVEs, adding another layer of automated security. Remember to store Vault tokens for CI in GitHub Secrets or GitLab Variables, never in plaintext config files. For teams with air-gapped Vault instances, run compliance checks on a weekly cron job using the same script, with results sent to Slack or PagerDuty for immediate remediation. This approach eliminates manual toil, reduces compliance costs by 80%, and ensures your Vault deployment stays OWASP-compliant as you scale.
- Trivy deep dive Snyk: The Definitive Guide to container scanning for Engineers
- We Cut 40% of Our Security Incidents Using Trivy 0.50 and Falco 0.40
- Performance Test: Grype 0.70 vs Trivy 0.50 Scan Times – 15% Faster for Alpine Images
After 120+ benchmark runs across 6 Alpine image variants, 2 hardware configurations, and 3 CI environments, our verdict is clear: Grype 0.70 is 15% faster than Trivy 0.50 for Alpine-based container images, with identical vulnerability detection parity. For teams scanning Alpine images at scale, this speedup translates to thousands of dollars in CI compute savings and hundreds of engineer hours reclaimed per month. If you're only scanning Alpine images, migrate to Grype today—the 15% speedup is worth the migration effort for any team with more than 100 daily scans. For heterogeneous image stacks, Trivy remains the better all-in-one option. We recommend running the benchmark script we provided earlier on your own images to validate the speedup for your specific workload.
- Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain
Last month it was trivy: https://github.com/aquasecurity/trivy/security/advisories/GH...
- Attack on Trivy: 340 GB leaked from the European Commission in 2026

- CERT-EU — European Commission Cloud Breach: Trivy Supply Chain — Official post-mortem of the incident, with attribution to TeamPCP and details of the scope.
- GitHub Security Advisory GHSA-69fq-xp46-6x23 — Official Aqua Security advisory with IOCs, SHA256 hashes and affected versions.
- Official Trivy repository — Source code, verified releases and scanner documentation.
- CybersecurityNews — European Commission Breach via Trivy — Press coverage of the incident with a timeline and analysis.
- SLSA — Supply-chain Levels for Software Artifacts — Reference framework for architectural supply-chain mitigations.
- LiteLLM Hit by Credential-Stealing Supply Chain Attack: Complete Technical Breakdown

```yaml
# ❌ WRONG — floating tag, vulnerable to tag hijacking (how LiteLLM was hit)
- uses: aquasecurity/trivy-action@latest

# ✅ CORRECT — pin to immutable commit SHA
- uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9349b532bf5b16c5d
  with:
    scan-type: "fs"
    scan-ref: "."

# Also pin apt/brew installed tools via explicit version + checksum
- name: Install Trivy (pinned)
  run: |
    TRIVY_VERSION="0.68.0"  # Last known safe
    TRIVY_SHA="abc123..."
    curl -LO "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
    # sha256sum -c expects "<hash>  <filename>" (two spaces) on its input line
    echo "${TRIVY_SHA}  trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | sha256sum -c
```
- Stop storing your GitHub App private key in GitHub Secrets
In March 2026, the compromise of Trivy — a vulnerability scanner used in thousands of CI/CD pipelines — made headlines. A threat actor exploited the pull_request_target workflow trigger in GitHub Actions to steal a PAT, then injected a credential stealer into Trivy's official release. Around the same time, the axios npm package was compromised via a compromised maintainer account, and the prt-scan campaign was actively exploiting the same pull_request_target misconfiguration at scale.
- Snyk for Docker and Container Images: Practical Guide
For teams exploring Snyk alternatives, Trivy is the most popular open-source alternative for container scanning - completely free with no test limits. See our Snyk vs Trivy comparison for a detailed breakdown of how they compare on detection accuracy, base image recommendations, and CI/CD integration.
What are some alternatives?
When comparing kube-bench and trivy you can also consider the following projects:
grype - A vulnerability scanner for container images and filesystems
kube-hunter - Hunt for security weaknesses in Kubernetes clusters
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems