No more typing reviews! Try our Samantha, our new voice AI agent.

Snyk vs Trivy comparison

Sponsored
 

Comparison Buyer's Guide

Executive SummaryUpdated on Jan 11, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Qualys TotalCloud
Sponsored
Ranking in Container Security
11th
Average Rating
8.6
Reviews Sentiment
7.2
Number of Reviews
39
Ranking in other categories
Vulnerability Management (11th), Cloud Workload Protection Platforms (CWPP) (7th), Cloud Security Posture Management (CSPM) (8th), SaaS Security Posture Management (SSPM) (1st), Cloud-Native Application Protection Platforms (CNAPP) (6th)
Snyk
Ranking in Container Security
7th
Average Rating
8.2
Reviews Sentiment
7.3
Number of Reviews
51
Ranking in other categories
Application Performance Monitoring (APM) and Observability (21st), Application Security Tools (7th), Static Application Security Testing (SAST) (5th), GRC (6th), Cloud Management (14th), Vulnerability Management (21st), Software Composition Analysis (SCA) (2nd), Software Development Analytics (2nd), Cloud Security Posture Management (CSPM) (17th), DevSecOps (3rd), Application Security Posture Management (ASPM) (2nd), AI Security (10th)
Trivy
Ranking in Container Security
5th
Average Rating
8.6
Reviews Sentiment
7.5
Number of Reviews
12
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2026, in the Container Security category, the mindshare of Qualys TotalCloud is 1.5%, up from 0.9% compared to the previous year. The mindshare of Snyk is 4.4%, down from 5.7% compared to the previous year. The mindshare of Trivy is 2.7%, down from 5.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Container Security Mindshare Distribution
ProductMindshare (%)
Trivy2.7%
Snyk4.4%
Qualys TotalCloud1.5%
Other91.4%
Container Security
 

Featured Reviews

RO
IT Security Expert at Alior Bank S.A.
Unified risk scoring has improved our cloud visibility and simplifies remediation priorities
Qualys TotalCloud provides unified vulnerability and threat assessment across both IAS and SaaS. This solution provides a single prioritized view of risk, which helps reduce the work I would have to do. We are no longer based on CVSS; we are based on Qualys risk scoring, which is based on CVSS plus internal findings made by Qualys, and then assigns its own score. The TruRisk insight feature has found a small number of assets with high vulnerability scores, though I am cautious since some information is classified. Qualys TotalCloud has positively impacted our bank's performance, and we have definitely seen benefits after implementing this solution.
Abhishek-Goyal - PeerSpot reviewer
Software Engineer at a computer software company with 11-50 employees
Improves security posture by actively reducing critical vulnerabilities and guiding remediation
Snyk's main features include open-source vulnerability scanning, code security, container security, infrastructure as code security, risk-based prioritization, development-first integration, continuous monitoring and alerting, automation, and remediation. The best features I appreciate are the vulnerability checking, vulnerability scanning, and code security capabilities, as Snyk scans all open-source dependencies for known vulnerabilities and helps with license compliance for open-source components. Snyk integrates into IDEs, allowing issues to be caught as they appear in the code dynamically and prioritizes risk while providing remediation advice. Snyk provides actionable remediation advice on where vulnerabilities can exist and where code security is compromised, automatically scanning everything and providing timely alerts. Snyk has positively impacted my organization by improving the security posture across all software repositories, resulting in fewer critical vulnerabilities, more confidence in overall product security, and faster security compliance for project clients. Snyk has helped reduce vulnerabilities significantly. Initially, the repository had 17 to 31 critical and high vulnerabilities, but Snyk has helped manage them down to just five vulnerabilities, which are now lower and not high or critical.
Utsav Sharma - PeerSpot reviewer
Senior Security Consultant at Ernst & Young
Maintain operational efficiency by detecting misconfigurations and vulnerabilities
The vulnerability scanning feature is excellent as it supports various container capabilities like Docker and Sharma. It also offers repository scanning in the source code domain, allowing pre-push code scans. The misconfiguration detection works well for CloudFormation, Docker files, and Terraform. Its compliance support, like NIST, ensures that configurations align with standards. Trivy helps me significantly detect misconfigurations missed by the ops engineers or in Terraform by the naked eye. It ensures that my deployments are free of misconfigurations and vulnerabilities.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"I appreciate Qualys TotalCloud's ability to onboard any type of device with ease, including containers."
"The most valuable feature is the consolidated information that it provides from various platforms."
"The vulnerability management feature is the one I like the most because it provides a clear picture of all vulnerabilities."
"I appreciate TotalCloud's real-time protection and remediation features. The remediation options include automated one-click remedies and custom changes that help manage vulnerabilities efficiently."
"I highly recommend Qualys TotalCloud to other users."
"I would definitely recommend Qualys TotalCloud to other customers."
"One of the most valuable features of Qualys TotalCloud is FlexScan, which is specifically for internet-facing VMs. We found this feature to be very useful. It was a key differentiator for us."
"Qualys TotalCloud provides unified vulnerability and threat assessment for IaaS and SaaS and a single prioritized view of risk, which helps reduce my workload by not having to combine multiple sources."
"It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis."
"I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
"Snyk provides a lot of information on vulnerabilities, the packages being used, and their dependencies, giving good insight into the security of those packages."
"The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities."
"The most prominent reason why everybody goes with Snyk as a starting point is because they have an open source offering, and as such, it is a developer-friendly solution that our developers really like, deliberately made to be developer-friendly from the start with lots of integrations that fit with other tools."
"A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools."
"The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
"From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."
"Overall, I would rate Trivy a ten out of ten."
"It's customizable, allowing me to add any rules and format HTML templates as I wish."
"Trivy's open source nature and wide functionality are incredibly valuable."
"I can see vulnerabilities in the images of any applications deployed in the Kubernetes environment or as container applications."
"Trivy is particularly useful for checking if Docker images have critical vulnerabilities before they reach production."
"Trivy's ability to scan files, images, GitHub repositories, Infrastructure as Code like Terraform, and Kubernetes is valuable."
"Trivy is very reliable and always has an up-to-date database to scan images and identify vulnerabilities."
"Trivy is most valuable for its ability to scan all repository files and dependencies."
 

Cons

"The vulnerability part is good, but the policy compliance module needs improvement because it involves a lot of manual work. Specifically, the remediation part of the controls requires enhancements."
"The support process is inefficient due to the excessive number of replies required when submitting tickets."
"The downside is only in container security, but it has not been a long time since they introduced these models."
"Qualys's ticketing system can be confusing when assigning tasks to individuals, and support could be improved by offering instant call solutions with engineers in addition to ticket replies."
"Qualys TotalCloud's increasing complexity, due to the development and deployment of multiple solutions, is making the GUI difficult to navigate."
"To improve the user experience, reporting could be simplified for better comprehension by end users and project managers, facilitating issue resolution."
"Their customer support needs improvement."
"Although TotalCloud is a helpful tool, some of its advanced features are still under development."
"There are a lot of false positives that need to be identified and separated."
"We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."
"The documentation sometimes is not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scannings for the multiple project settings."
"The log export function could be easier when shipping logs to other platforms such as Splunk."
"Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app."
"We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."
"Technically, we have better vulnerabilities detection in Checkmarx and Veracode. Both of them are more precise about vulnerabilities detection."
"The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production."
"Trivy can improve by providing an output in PDF format."
"Trivy can improve by providing an output in PDF format. Additionally, it takes longer to scan container images built with many layers."
"The only problem is that Trivy does not support reporting features such as generating reports in CSV, which is useful for auditing and reporting."
"Trivy's marketing and awareness need improvement."
"For malware detection, I need to use two tools: Trivy as my anomaly scanner and ClamAV. I am integrating these two tools into the CI pipeline. If both malware and anomaly detection could be managed by one tool, I would not need to depend on two tools. That would be my suggestion."
"The reporting could be a little better."
"Having little experience can hinder the ability to connect it to a user-friendly UI effectively."
"The main area for improvement is in differentiating between OS and application-based vulnerabilities."
 

Pricing and Cost Advice

"Qualys TotalCloud is expensive."
"As a middle management member, I do not have direct pricing knowledge, but based on the knowledge from our meetings, its pricing is competitive."
"The pricing for TotalCloud is attractive and competitive in the market. Given the features, especially the dashboard, I have no concerns regarding pricing."
"Although Qualys TotalCloud is relatively expensive due to its unique automation features, its cost-effectiveness is rated an eight out of ten, with ten being the most costly."
"TotalCloud's price is about right where I would expect it to be."
"Qualys TotalCloud is cost-efficient and was selected for its value compared to other products."
"Qualys TotalCloud offers cost-effective licensing flexibility."
"The cost is high, but it meets our organizational needs."
"It is pretty expensive. It is not a cheap product."
"It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website."
"I would rate the pricing of Snyk at two. I'm currently using the free version, which the company offers before buying the full version. So, the price is affordable, especially for an enterprise."
"I didn't think the price was that great, but it wasn't that bad, either. I'd rate their pricing as average in the market."
"Compared to Veracode, Snyk is definitely a cheaper tool."
"Snyk is an expensive solution."
"The product's price is okay."
"Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app. Snyk is one of the few that I'm willing to pay that add-on charge, but generally I disqualify products that charge an extra fee to do integrated authentication to our identity provider, like Okta or some other SSO. That is a big negative. We had to pay extra for that. That little annoyance aside, it is expensive. You get a lot out of it, but you're paying for that premium."
Information not available
report
Use our free recommendation engine to learn which Container Security solutions are best for your needs.
904,016 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
16%
Financial Services Firm
13%
Construction Company
8%
Comms Service Provider
7%
Financial Services Firm
14%
Manufacturing Company
11%
Computer Software Company
9%
Comms Service Provider
6%
Financial Services Firm
13%
Manufacturing Company
11%
Computer Software Company
9%
Comms Service Provider
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business9
Midsize Enterprise5
Large Enterprise29
By reviewers
Company SizeCount
Small Business20
Midsize Enterprise10
Large Enterprise23
By reviewers
Company SizeCount
Small Business3
Midsize Enterprise1
Large Enterprise9
 

Questions from the Community

What needs improvement with Qualys TotalCloud?
Areas that need improvement in every solution include the remediation part. The remediation steps should be simple en...
What is your primary use case for Qualys TotalCloud?
Our use case involves the assets that we have under cloud, the assets exposed to the internet, and the internal appli...
How does Snyk compare with SonarQube?
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to...
What needs improvement with Snyk?
There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false posi...
What is your primary use case for Snyk?
I use Snyk ( /products/snyk-reviews ) in the DevOps pipeline to identify vulnerabilities before deploying the applica...
What needs improvement with Trivy?
Trivy's marketing and awareness need improvement. Not everyone knows about it, which isn't ideal given its capabiliti...
What is your primary use case for Trivy?
I use Trivy ( /products/trivy-reviews ) to scan code for vulnerabilities before deployment. Our projects, which are d...
What advice do you have for others considering Trivy?
I recommend Trivy to others due to its powerful and useful features. However, I suggest increasing its marketing to r...
 

Comparisons

 

Also Known As

Qualys TotalCloud with FlexScan
Fugue, Snyk AppRisk
No data available
 

Overview

 

Sample Customers

Information Not Available
StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
Information Not Available
Find out what your peers are saying about Snyk vs. Trivy and other solutions. Updated: June 2026.
904,016 professionals have used our research since 2012.