Trivy → Snyk Container

Trivy ↔ Snyk Container: integration to migration path.

Snyk Container stays the authoritative build gate while Trivy scans every digest alongside it — a second, independently-sourced opinion that never breaks a build. Only once Trivy's verdict drift is proven small does it take over the gate, then admission, then reporting — each layer reversible, with no forced re-credentialing of your pipelines.

The unit of work throughout is the OCI image digest, so every Trivy and Snyk verdict is diffable on the same key. Builds never get stricter on net until Trivy is explicitly promoted.

The idea

Run two opinions on one digest. Promote the OSS one last.

The topology that makes this zero-downtime: both scanners run against the same OCI image digest, so Snyk's SNYK-* findings and Trivy's CVE-* findings are always diffable on one join key (the digest for the image, the CVE aliases Snyk attaches to each SNYK-* issue for the individual findings). Trivy starts in advisory mode, --exit-code 0, emitting SARIF onto the same PR check surface Snyk uses, while a delta bot makes every disagreement visible instead of suppressing it. Snyk keeps owning the build verdict until you have weeks of data proving the drift is small; then Trivy is promoted one pipeline and one cluster at a time. You never bet a release train on a single cutover.

The phases

Seven steps. Each one reversible.

Phase 0: Baseline & inventory

We build a read-only map of every image digest flowing through CI, every Snyk Container project, each .snyk suppression and its rationale, the namespaces the Snyk K8s Monitor covers, and 90 days of CVEs Snyk blocked, broken down by severity. Snyk stays the sole verdict source.

Users see: None.

Rollback: N/A — read-only.

Phase 1: Trivy in CI, advisory mode

Every pipeline runs trivy image --format sarif alongside snyk container test, but Trivy runs with --exit-code 0, so it can report but never fail the job. Both SARIFs land on the PR check surface and a delta bot comments Snyk-only, Trivy-only and agreed findings. Snyk remains the only blocker.

Users see: PR comments show two scanners; build pass/fail unchanged.

Rollback: Remove the Trivy step and delta bot. Under 15 minutes.

Phase 2: Trivy-operator in clusters, audit mode

trivy-operator stands up in every cluster, emitting a VulnerabilityReport CR for each running workload, with a Kyverno policy in audit mode (validationFailureAction: Audit) that records policy violations as events but blocks nothing. Snyk K8s Monitor stays the runtime view of record.

Users see: None for app teams; SRE sees new CRs.

Rollback: helm uninstall trivy-operator. Under 15 minutes.

Phase 3: Trivy as co-blocker, per pipeline

Per pipeline, in low-to-high blast-radius waves, Trivy is promoted to --exit-code 1 --severity HIGH,CRITICAL. Now either scanner failing on an unsuppressed HIGH/CRITICAL fails the build. The .snyk and .trivyignore files stay separate; we never auto-mirror one into the other, so every suppression is re-justified for the scanner it applies to.

Users see: Some previously-passing builds now fail Trivy — the point, communicated a week ahead.

Rollback: Flip the pipeline back to --exit-code 0. Under 15 minutes.
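What the Phase 1 delta bot and the Phase 3 co-blocker gate actually compute, as an added example that is not code from the original page or from either vendor: it joins a Trivy JSON report and a snyk container test --json report for one image digest on CVE ID, reports Snyk-only / Trivy-only / agreed findings, then derives the build exit code in advisory mode (Trivy never fails the job) and in co-blocker mode (an unsuppressed HIGH/CRITICAL from Trivy fails it), honouring a .trivyignore file. The two reports and the ignore file are constructed samples trimmed to the fields the join uses; the field names follow the two tools' JSON output, but treat the exact shapes as an assumption and check them against your own scanner output.

```python
"""Delta bot and gate evaluator for Trivy running beside Snyk Container on one digest."""
from __future__ import annotations

import json

BLOCKING = {"HIGH", "CRITICAL"}

# Constructed sample, trimmed: trivy image --format json registry.example/app@sha256:...
TRIVY_JSON = json.dumps({
    "ArtifactName": "registry.example/app@sha256:aaaa",
    "Results": [{
        "Target": "registry.example/app (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-0001", "PkgName": "libssl3", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-0002", "PkgName": "zlib1g", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-0003", "PkgName": "curl", "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed sample, trimmed: snyk container test --json registry.example/app@sha256:...
# (field names assumed from Snyk's JSON output: id, identifiers.CVE, severity).
SNYK_JSON = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-DEBIAN12-OPENSSL-0001", "identifiers": {"CVE": ["CVE-2024-0001"]},
         "packageName": "libssl3", "severity": "high"},
        {"id": "SNYK-DEBIAN12-CURL-0004", "identifiers": {"CVE": ["CVE-2024-0004"]},
         "packageName": "curl", "severity": "critical"},
    ],
})

# Constructed .trivyignore: one ID per line, '#' comments, optional trailing fields.
TRIVYIGNORE = """# accepted risk, tracked in a ticket (constructed entry)
CVE-2024-0002
"""


def trivy_findings(report_json: str) -> dict[str, str]:
    """Map CVE ID -> upper-case severity across every Trivy result target."""
    out: dict[str, str] = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out[vuln["VulnerabilityID"]] = vuln["Severity"].upper()
    return out


def snyk_findings(report_json: str) -> dict[str, str]:
    """Map CVE ID -> upper-case severity. Snyk issues carry SNYK-* IDs; the CVE
    aliases live under identifiers.CVE, so one issue may expand to several CVEs.
    Issues with no CVE alias are keyed by their SNYK-* ID so they are not lost."""
    out: dict[str, str] = {}
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        for cve in vuln.get("identifiers", {}).get("CVE") or [vuln["id"]]:
            out[cve] = vuln["severity"].upper()
    return out


def parse_trivyignore(text: str) -> set[str]:
    """IDs listed in .trivyignore: first token of each line, comments stripped."""
    ids: set[str] = set()
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            ids.add(tokens[0])
    return ids


def delta(trivy: dict[str, str], snyk: dict[str, str]) -> dict[str, list[str]]:
    """The delta-bot comment: which scanner saw what, keyed on CVE ID."""
    t, s = set(trivy), set(snyk)
    return {"agreed": sorted(t & s), "trivy_only": sorted(t - s), "snyk_only": sorted(s - t)}


def verdict(trivy: dict[str, str], snyk_failed: bool, ignore: set[str],
            trivy_blocks: bool) -> tuple[int, list[str]]:
    """Build exit code plus the Trivy findings that would block. Snyk's own pass/fail
    is taken as given (it owns the gate until promotion). Trivy contributes a failure
    only when promoted (trivy_blocks=True) and an unsuppressed HIGH/CRITICAL remains."""
    blocking = sorted(c for c, sev in trivy.items() if sev in BLOCKING and c not in ignore)
    fail = snyk_failed or (trivy_blocks and bool(blocking))
    return (1 if fail else 0), blocking


if __name__ == "__main__":
    t, s = trivy_findings(TRIVY_JSON), snyk_findings(SNYK_JSON)
    print(json.dumps(delta(t, s), indent=2))
    ign = parse_trivyignore(TRIVYIGNORE)
    print("advisory  :", verdict(t, snyk_failed=False, ignore=ign, trivy_blocks=False))
    print("co-blocker:", verdict(t, snyk_failed=False, ignore=ign, trivy_blocks=True))
```

On the constructed input the two scanners agree on CVE-2024-0001, Trivy alone reports CVE-2024-0002 and CVE-2024-0003, and Snyk alone reports CVE-2024-0004; the .trivyignore entry removes CVE-2024-0002 from the blocking set, so the same report passes in advisory mode and fails once Trivy is promoted. Snyk-only findings deliberately do not feed the Trivy side of the verdict: that gap is what the weekly delta tracks, and mirroring it in would hide it.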

Phase 4: Kyverno admission enforce

Per cluster, in waves, the Kyverno policy reading VulnerabilityReport CRs flips to enforce (validationFailureAction: Enforce). Pods whose images carry a CRITICAL CVE are denied at admission. Snyk K8s Monitor still reports throughout.

Users see: Pods with CRITICAL CVEs denied; teams see Kyverno denial messages.

Rollback: Switch the policy back to audit. Under 15 minutes.
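The rule the Phase 2 audit policy and the Phase 4 enforce flip share, modelled as an added example that is not code from the original page, from Kyverno or from trivy-operator: VulnerabilityReport CRs are indexed by the OCI digest they describe, each container image in a pod is joined to its report on that digest, and the same violation either produces an audit event or a denial depending on the mode. The CR dicts are constructed samples trimmed to report.artifact.digest and report.summary.criticalCount; those paths follow trivy-operator's layout but treat them as an assumption and confirm against kubectl get vulnerabilityreports -o yaml in your cluster. The missing_report switch and the unpinned-image handling are design choices of this example, not behaviour the page or the tools prescribe.

```python
"""Admission decision from trivy-operator VulnerabilityReport CRs, audit vs enforce."""
from __future__ import annotations

# Constructed VulnerabilityReport CRs, trimmed to the fields the decision uses.
REPORTS = [
    {"metadata": {"name": "replicaset-api-7d9f-api", "namespace": "prod"},
     "report": {"artifact": {"repository": "example/api", "digest": "sha256:aaaa"},
                "summary": {"criticalCount": 0, "highCount": 3}}},
    {"metadata": {"name": "replicaset-web-5c1e-web", "namespace": "prod"},
     "report": {"artifact": {"repository": "example/web", "digest": "sha256:bbbb"},
                "summary": {"criticalCount": 2, "highCount": 7}}},
]


def index_by_digest(reports: list[dict]) -> dict[str, dict]:
    """Join key is the image digest, never the tag: a tag can be repointed at new
    content after the scan, a digest cannot."""
    return {r["report"]["artifact"]["digest"]: r["report"]["summary"] for r in reports}


def decide(image_ref: str, summaries: dict[str, dict], mode: str,
           missing_report: str = "allow") -> dict:
    """Admission outcome for one container image.
    mode: 'audit' records the violation and admits; 'enforce' denies.
    missing_report: 'allow' (fail-open) or 'deny' (fail-closed) when trivy-operator
    has produced no report for this digest yet, e.g. a brand-new image (assumed knob)."""
    digest = image_ref.split("@", 1)[1] if "@sha256:" in image_ref else None
    summary = summaries.get(digest) if digest else None
    if digest is None:
        # Admission only sees the pod spec; a tag-only reference cannot be joined to
        # any report, so surface it as a violation while still in audit mode.
        violation, reason = True, f"{image_ref} is not pinned by digest"
    elif summary is None:
        violation, reason = missing_report == "deny", f"no VulnerabilityReport for {digest}"
    else:
        crit = summary.get("criticalCount", 0)
        violation, reason = crit > 0, f"{crit} CRITICAL CVE(s) in {digest}"
    if not violation:
        return {"allowed": True, "reason": reason}
    if mode == "audit":
        return {"allowed": True, "reason": f"audit violation: {reason}"}
    return {"allowed": False, "reason": f"denied: {reason}"}


def admit_pod(images: list[str], summaries: dict[str, dict], mode: str,
              missing_report: str = "allow") -> dict:
    """A pod is admitted only if every container image passes; the per-container
    reasons are what teams would read in the Kyverno denial message."""
    results = [decide(i, summaries, mode, missing_report) for i in images]
    return {"allowed": all(r["allowed"] for r in results), "containers": results}


if __name__ == "__main__":
    by_digest = index_by_digest(REPORTS)
    pod = ["registry.example/example/api@sha256:aaaa",
           "registry.example/example/web@sha256:bbbb"]
    for mode in ("audit", "enforce"):
        print(mode, admit_pod(pod, by_digest, mode))
```

Two things the model makes visible before the enforce flip. First, the join only works if admission can see a digest: pods deployed by tag need digest pinning (or a mutation that resolves tags to digests) or they will never match a report, which is why an unpinned image counts as a violation here while audit mode still admits it. Second, a freshly built image has no report until trivy-operator scans it; fail-open admits it unscanned, fail-closed blocks every first deploy, and which one you want is a decision to make during the audit soak, not at the moment a release is waiting.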

Phase 5: Replace Snyk's reporting surface

snyk container test comes out of CI; SBOMs flow to an evidence repo with cosign + Rekor attestations, and a DefectDojo, GHAS or Trivy-dashboard surface takes over reporting. Snyk projects are archived read-only as audit history, never deleted.

Users see: Engineers see one scanner output instead of two.

Rollback: Re-enable snyk container test in advisory mode. Under 30 minutes.

Phase 6: Retire Snyk Container

We confirm trivy-operator covers the full workload set Snyk Monitor saw, export Snyk's issue history to long-term storage, uninstall snyk-monitor, and downscope the SKU at renewal. Snyk Container is typically severable from Snyk Open Source and Code.

Users see: None for app teams; one less workload per cluster.

Rollback: Reinstate within the contract notice window; after termination, out of scope.

Feature parity

Where Trivy matches Snyk Container — and where it doesn't.

Capability | Trivy | Snyk Container | Parity
Image vuln scan | trivy image (OS + lang packages) | snyk container test | At parity
SBOM generation | CycloneDX 1.5 + SPDX 2.3 native | CycloneDX export + internal depGraph | At parity
Vuln intel breadth | NVD + OVAL + OSV + GHSA + distro feeds | curated SNYK-* superset, pre-CVE | Partial
Vendor severity overrides | distro-vendor or NVD severity, no custom curation | Snyk severity overrides + curation | SaaS only
Reachability analysis | none (block all HIGH/CRITICAL) | container-layer call-graph reachability | SaaS only
Base-image upgrade advice | Renovate + Trivy SARIF (OSS substitute) | auto-PR base-image upgrade recommendations | SaaS only
Misconfig / IaC scan | trivy config (TF/CFN/Dockerfile/K8s/Helm) | Snyk IaC (separate SKU) | Partial
K8s-native output | trivy-operator VulnerabilityReport CRs | Snyk K8s Monitor reports to SaaS | Partial
Admission control | CRs consumed by Kyverno/Gatekeeper | Snyk Monitor reports (no native gate) | OSS only
Runtime image inventory | trivy-operator CRs (cluster) | Snyk K8s Monitor "observed running" | Partial
Cosign / Rekor attestation | cosign attest predicate from SBOM | no transparency-log attestation | OSS only
Air-gapped operation | --download-db-only offline scan | online API per scan | OSS only
Suppression model | git-tracked .trivyignore | .snyk YAML / dashboard policy | At parity
Cost model | Apache-2.0 compute + ops | per-developer + per-image-test | Not comparable
Compliance boundary (SOC 2 / FedRAMP) | self-operated, your audit scope | vendor SOC 2 Type II / ISO 27001 | SaaS only

What we're honest about

The caveats most vendors leave out.

Snyk's curated CVE intel has a lead

Snyk Security Research publishes intel days-to-weeks ahead of NVD on some ecosystems — notably npm and PyPI. Trivy reproduces public feeds faithfully but can lag that pre-CVE curation. We keep Snyk in CI through Phase 4 and track the weekly delta rather than pretend the gap is zero.

Reachability analysis is SaaS-only

Snyk's container-layer call-graph filter tags CVEs reachable, unreachable or unknown — strongest on Java, Node and Python. No OSS reproduces this at container depth. The honest substitute is blocking on all HIGH/CRITICAL regardless of reachability: more friction, full coverage. We flag it to stakeholders a quarter ahead.

Base-image upgrade auto-PRs disappear

Snyk's one-click "bump to node:20.11.1-alpine to clear N CVEs" PR is a real practical win. The OSS path is Renovate with Trivy SARIF as a custom datasource — functionally close on the common path, less polished on UX. It is a Phase 5 deliverable, not a free swap.

Bundle pricing may make retirement pointless

If Snyk Container is bundled with Open Source, Code and IaC at a price where removing Container saves nothing, full retirement is the wrong goal. We confirm SKU separability before Phase 6 and, if it isn't severable, stop at advisory mode rather than chase a cost win that isn't there.

Why this beats a flag day

Reversible per phase, soaked before anything is cancelled.

Every phase through Phase 4 rolls back in under 15 minutes (pull the Trivy CI step, flip a pipeline back to --exit-code 0, or switch Kyverno from enforce to audit) and Phase 5 in under 30, because Snyk stays live alongside Trivy the whole way. Snyk Container is only retired after the new admission and reporting plane has soaked at least 30 days with no audit-evidence gaps, and only once SKU separability is confirmed. A flag-day swap gives you none of that: one bad verdict and your whole build queue stops.

See whether your stack migrates cleanly off Snyk Container.

A 30-minute call with a senior engineer. We map your image digests, Snyk projects and suppression policy, measure the likely Trivy↔Snyk verdict drift, and tell you honestly whether bundle pricing makes full retirement worth it — before you commit.

Map my migration →