Trivy → Wiz Image Scanning
Trivy ↔ Wiz Image Scanning: integration to migration path.
Trivy stands up alongside Wiz, scanning every digest in CI and signing an SBOM into Rekor while Wiz's registry connector keeps doing exactly what it does today. Only once severity drift is reconciled does Trivy take over the PR gate and admission — and Wiz stays on the whole way as the Security Graph, CSPM, KSPM and CIEM layer.
This is an honest partial retirement: image-scan findings move to Trivy; Wiz the CNAPP is never turned off. A full Wiz replacement is a different, much larger project and out of scope here.
The idea
Own the image findings. Keep the graph.
The topology that makes this zero-downtime: both tools scan the same image digest, so every Trivy and Wiz verdict meets on the (image_digest, cve_id) key, and findings flow into one triage queue — DefectDojo or JIRA Security — that de-dupes there, not at either scanner. Trivy's killer advantage is that in CI it scans the artifact before it has a registry identity Wiz can see, catching failures pre-merge. As Trivy becomes the authoritative image-finding source feeding admission control, the Wiz Security Graph stays the canonical context layer — answering not whether the image is vulnerable, but what this CVE means against the rest of the cloud.
The phases
Seven steps. Each one reversible.
Baseline & inventory
Wiz is the only image scanner and CI doesn't block on image vulns. We map, read-only, every cluster, registry, pipeline and Wiz connector; capture the Image Scanning line-item cost; and baseline Issue volume, MTTR per severity and the noisiest CVEs. The end state — steady-state dual-scan or third-party ingestion — is chosen and signed off here.
Trivy in CI, advisory only
Trivy runs on every build, generating a CycloneDX SBOM that's cosign-signed and pushed to Rekor. Verdicts surface as PR comments and Slack but never fail a build. Wiz keeps scanning every digest as before.
Reconcile severity drift
We build a (digest, cve_id, trivy_sev, wiz_sev, source) table and tune Trivy — ignore policies, per-repo .trivyignore, a HIGH/CRITICAL gate threshold and VEX files — until the two tools agree on severity for at least 90% of pairs, with the residual delta documented.
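The reconciliation table described above, as an added example that is not part of the original page or of either vendor's tooling. The Trivy side follows the JSON layout of `trivy image --format json` (Metadata.RepoDigests, Results[].Vulnerabilities[].VulnerabilityID and Severity); the Wiz side is an assumed flat export of image findings, not Wiz's real schema, and all sample data is constructed. The same (digest, cve_id) key is what the triage queue later de-dupes on, so the join is shown as a full outer join with a `source` column.

```python
"""Severity-drift reconciliation on the (digest, cve_id) key.

Added example. Trivy side: layout of `trivy image --format json`.
Wiz side: ASSUMED flat export, not Wiz's real schema. Data is constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PARITY_TARGET = 0.90  # the plan's bar: both tools agree on >= 90% of shared pairs

Pair = Tuple[str, str]  # (image digest, CVE id)

# Constructed sample: a trimmed `trivy image --format json` report for one digest.
TRIVY_REPORT = json.loads("""
{
  "Metadata": {"RepoDigests": ["registry.example.internal/api@sha256:aaaa1111"]},
  "Results": [
    {"Target": "api (alpine 3.19.1)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-0001", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-2024-0002", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2024-0003", "Severity": "MEDIUM"}
     ]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-0004", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2024-0002", "Severity": "MEDIUM"}
     ]}
  ]
}
""")

# Constructed sample: Wiz findings for the same digest (assumed export shape).
WIZ_FINDINGS = [
    {"image_digest": "sha256:aaaa1111", "cve_id": "CVE-2024-0001", "severity": "CRITICAL"},
    {"image_digest": "sha256:aaaa1111", "cve_id": "CVE-2024-0002", "severity": "MEDIUM"},
    {"image_digest": "sha256:aaaa1111", "cve_id": "CVE-2024-0003", "severity": "MEDIUM"},
    {"image_digest": "sha256:aaaa1111", "cve_id": "CVE-2024-0005", "severity": "LOW"},
]


@dataclass(frozen=True)
class Row:
    digest: str
    cve_id: str
    trivy_sev: Optional[str]
    wiz_sev: Optional[str]
    source: str  # "both", "trivy-only" or "wiz-only"


def _keep_highest(pairs: Dict[Pair, str], key: Pair, sev: Optional[str]) -> None:
    """A CVE seen under several targets (OS package and a vendored copy, say)
    keeps its highest severity, so exactly one row per (digest, cve_id) survives."""
    sev = sev.upper() if sev else "UNKNOWN"
    if key not in pairs or SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(pairs[key], 0):
        pairs[key] = sev


def trivy_pairs(report: dict) -> Dict[Pair, str]:
    """(digest, cve_id) -> severity from a Trivy JSON report."""
    repo_digests = report.get("Metadata", {}).get("RepoDigests") or []
    if not repo_digests:
        raise ValueError("no RepoDigests in report: scan a pushed digest, not a local tag")
    digest = repo_digests[0].split("@", 1)[1]  # "repo@sha256:..." -> "sha256:..."
    pairs: Dict[Pair, str] = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            _keep_highest(pairs, (digest, vuln["VulnerabilityID"]), vuln.get("Severity"))
    return pairs


def wiz_pairs(findings: List[dict]) -> Dict[Pair, str]:
    """(digest, cve_id) -> severity from the assumed Wiz export."""
    pairs: Dict[Pair, str] = {}
    for f in findings:
        _keep_highest(pairs, (f["image_digest"], f["cve_id"]), f.get("severity"))
    return pairs


def reconcile(trivy: Dict[Pair, str], wiz: Dict[Pair, str]) -> List[Row]:
    """Full outer join on the key; the triage queue de-dupes on the same key."""
    rows = []
    for key in sorted(set(trivy) | set(wiz)):
        t, w = trivy.get(key), wiz.get(key)
        source = "both" if t and w else ("trivy-only" if t else "wiz-only")
        rows.append(Row(key[0], key[1], t, w, source))
    return rows


def parity(rows: List[Row]) -> float:
    """Share of pairs seen by BOTH tools whose severities agree. No shared pairs
    means nothing has been proven yet, so report 0.0 rather than a vacuous 100%."""
    shared = [r for r in rows if r.source == "both"]
    if not shared:
        return 0.0
    return sum(r.trivy_sev == r.wiz_sev for r in shared) / len(shared)


def residual_delta(rows: List[Row]) -> List[Row]:
    """The documented leftover: shared pairs that still disagree after tuning."""
    return [r for r in rows if r.source == "both" and r.trivy_sev != r.wiz_sev]


if __name__ == "__main__":
    rows = reconcile(trivy_pairs(TRIVY_REPORT), wiz_pairs(WIZ_FINDINGS))
    for r in rows:
        print(f"{r.digest}  {r.cve_id}  trivy={r.trivy_sev or '-':8} wiz={r.wiz_sev or '-':8} {r.source}")
    p = parity(rows)
    print(f"parity {p:.0%} (target {PARITY_TARGET:.0%}) -> {'OK' if p >= PARITY_TARGET else 'keep tuning'}")
    for r in residual_delta(rows):
        print(f"residual delta: {r.cve_id} trivy={r.trivy_sev} wiz={r.wiz_sev}")
```

On the constructed sample, parity comes out at 67% (two of three shared pairs agree), so the phase is not done: CVE-2024-0002 lands in the residual delta, and the trivy-only and wiz-only rows are coverage differences to explain rather than severity drift. Tuning (ignore policies, .trivyignore, VEX) is applied to the Trivy side and the table re-run until the 90% bar holds.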
Trivy becomes the PR gate
CI flips from --exit-code 0 to --exit-code 1 on CRITICAL, ramped from canary repos to low-blast-radius repos to all repos. Trivy is now authoritative for the build/merge decision; Wiz still scans every digest and feeds the graph. A logged, security-gated break-glass label allows overrides.
Trivy-operator + admission control
trivy-operator deploys to every production cluster, emitting CRs continuously. A Kyverno policy denies pods whose image has a CRITICAL CVE — run in audit for at least 14 days before enforce. Wiz KSPM continues unchanged.
Choose the end state
Default (1.2): Trivy authoritative at CI and admission, Wiz authoritative for the Security Graph, CSPM, KSPM, CIEM and attack-path; both scans run and the Issue queue de-dupes on (digest, cve_id). Conditional (1.3): Wiz image-scan goes dormant and Trivy findings push into Wiz via the third-party-findings API — only if the contract makes image-scan separately priced.
Steady-state
The chosen end state is sustained: Trivy DB cadence and Wiz connector health monitored, Kyverno policy reviewed quarterly, the cosign/Rekor evidence chain spot-checked by audit, and the reconciliation table reviewed monthly. Wiz is never turned off as a CNAPP.
Feature parity
Where Trivy matches Wiz Image Scanning — and where it can't.
| Capability | Trivy | Wiz Image Scanning | Parity |
|---|---|---|---|
| Image vuln scan | trivy image (OS + lang packages) | Wiz registry-connector image scan | At parity |
| Pre-merge CI scan | trivy image --exit-code 1 in PR build | wizcli docker scan; default registry-side post-push | OSS only |
| SBOM generation | CycloneDX 1.5 + SPDX 2.3 native | Wiz internal BOM + CycloneDX export | At parity |
| Cosign / Rekor attestation | cosign attest predicate, Rekor-anchored | consumes attestations; no native Rekor chain | OSS only |
| Vuln intel breadth | NVD + GHSA + OSV + distro + Wolfi feeds | similar feeds + vendor-curated layer | Partial |
| IaC scanning | trivy config (TF/CFN/Helm/K8s/Dockerfile) | Wiz IaC (broader, cloud-correlated) | Partial |
| K8s posture (KSPM) | trivy k8s / trivy-operator CRs | Wiz KSPM (cluster + cloud scored) | Partial |
| Cloud posture (CSPM) | none | Wiz CSPM | SaaS only |
| CIEM (IAM exposure) | none | Wiz CIEM | SaaS only |
| Attack-path / Security Graph | none (Trivy yields a node, not the graph) | Wiz Security Graph + attack-path analysis | SaaS only |
| Admission control | CRs consumed by Kyverno/Gatekeeper | Issue→workload annotation feed | OSS only |
| Exposure context (IAM+net+data) | none | Wiz Issue stitch across resources | SaaS only |
| Air-gapped operation | --offline-scan after trivy download | SaaS-native, requires connectivity | OSS only |
| Cost model | free + compute/ops | per-resource / per-cloud-account | At parity |
| Compliance boundary (SOC 2 / FedRAMP) | self-operated, your audit scope | vendor SOC 2 / FedRAMP boundary | SaaS only |
What we're honest about
The caveats most vendors leave out.
Trivy replaces the image scanner, not Wiz
Wiz is a CNAPP; image scanning is one feature inside it. Trivy can own image-scan findings, but it does not replace the Security Graph, attack-path analysis, or the cloud-account-wide CSPM/KSPM/CIEM bundle. An honest migration ends in a partial retirement; if it is sold internally as "Trivy replaces Wiz", the project is mis-scoped and will fail.
The Security Graph has no OSS parity
A Wiz Issue stitches image CVE → workload → service → network exposure → IAM identity → reachable data into one queryable graph. Trivy yields the CVE node; the rest is Wiz's product. OPA, Steampipe, Trivy and Cilium each give you a node — none of them makes the graph. That stays a paid Wiz capability after the swap.
Vendor-curated exploitability intel is lost in 1.3/1.4
If you narrow Wiz's image-scan role, its curated risk scoring beyond CVSS no longer applies to image findings. Layering EPSS and CISA KEV via Trivy covers roughly 70% of that signal; the rest is vendor closed data. We treat this as a partial mitigation, not a like-for-like replacement.
Third-party ingestion can blind the graph silently
In the 1.3 end state, Trivy findings reach Wiz through its third-party-findings API. If that ingestion is rate-limited or unreliable, the Wiz graph quietly under-reports risk. We never adopt 1.3 without a daily reconciliation monitor on Trivy CR count versus Wiz third-party Finding count, alerting on more than 5% drift.
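The daily reconciliation monitor above, as an added example that is not part of the original page or of either vendor's tooling. The trivy-operator side assumes the VulnerabilityReport CR layout (report.artifact.digest, report.vulnerabilities[].vulnerabilityID) as it appears in `kubectl get vulnerabilityreports -A -o json`; the Wiz side is an assumed flat list of third-party findings, not Wiz's real API schema. All data is constructed. Beyond the 5% threshold it also flags the two ways the graph can go blind silently: CRs without a digest that can never be joined, and an empty Trivy set that reconciles "perfectly" with nothing.

```python
"""Daily drift monitor: trivy-operator CRs versus Wiz third-party findings.

Added example. CR field names follow the trivy-operator VulnerabilityReport
layout (assumption); the Wiz side is an ASSUMED flat list. Data is constructed.
"""
import json
from typing import Dict, Iterable, Set, Tuple

DRIFT_ALERT = 0.05  # the plan's threshold: alert on more than 5% drift
Pair = Tuple[str, str]  # (image digest, CVE id)

# Constructed: trimmed `kubectl get vulnerabilityreports -A -o json` output.
VULN_REPORTS = json.loads("""
{"items": [
  {"metadata": {"namespace": "payments", "name": "replicaset-api-7d9f-api"},
   "report": {"artifact": {"repository": "team/api", "digest": "sha256:aaaa1111"},
              "vulnerabilities": [
                {"vulnerabilityID": "CVE-2024-0001", "severity": "CRITICAL"},
                {"vulnerabilityID": "CVE-2024-0002", "severity": "HIGH"}]}},
  {"metadata": {"namespace": "payments", "name": "replicaset-worker-5c1b-worker"},
   "report": {"artifact": {"repository": "team/worker", "digest": "sha256:bbbb2222"},
              "vulnerabilities": [
                {"vulnerabilityID": "CVE-2024-0003", "severity": "HIGH"}]}},
  {"metadata": {"namespace": "dev", "name": "pod-scratch-scratch"},
   "report": {"artifact": {"repository": "team/scratch", "tag": "latest"},
              "vulnerabilities": [
                {"vulnerabilityID": "CVE-2024-0009", "severity": "LOW"}]}}
]}
""")

# Constructed: what Wiz holds for the ingestion source after the day's pushes
# (assumed shape). The third entry is stale: that image no longer runs anywhere.
WIZ_THIRD_PARTY = [
    {"image_digest": "sha256:aaaa1111", "cve_id": "CVE-2024-0001"},
    {"image_digest": "sha256:bbbb2222", "cve_id": "CVE-2024-0003"},
    {"image_digest": "sha256:cccc3333", "cve_id": "CVE-2023-9999"},
]


def cr_pairs(items: Iterable[dict]) -> Tuple[Set[Pair], int]:
    """Distinct (digest, cve_id) pairs across all CRs, plus the number of CRs
    that carry no digest (tag-only) and therefore can never be joined."""
    pairs: Set[Pair] = set()
    unkeyed = 0
    for cr in items:
        report = cr.get("report", {})
        digest = report.get("artifact", {}).get("digest")
        if not digest:
            unkeyed += 1
            continue
        for v in report.get("vulnerabilities") or []:
            pairs.add((digest, v["vulnerabilityID"]))
    return pairs, unkeyed


def wiz_pairs(findings: Iterable[dict]) -> Set[Pair]:
    """Distinct (digest, cve_id) pairs Wiz currently shows for the source."""
    return {(f["image_digest"], f["cve_id"]) for f in findings}


def check_drift(trivy: Set[Pair], wiz: Set[Pair], unkeyed: int = 0) -> Dict[str, object]:
    """Drift = share of Trivy pairs that Wiz does not show. Wiz-only pairs are
    reported but not counted as drift: they are stale, not blind spots. An empty
    Trivy set is itself an alert, because 'nothing to reconcile' is exactly how
    the graph goes blind without anyone noticing."""
    missing = trivy - wiz
    extra = wiz - trivy
    result: Dict[str, object] = {
        "missing_in_wiz": missing, "extra_in_wiz": extra, "unkeyed_crs": unkeyed,
    }
    if not trivy:
        result.update(drift=1.0, alert=True, reason="no trivy-operator findings to reconcile")
        return result
    drift = len(missing) / len(trivy)
    if drift > DRIFT_ALERT:
        reason = f"{drift:.1%} of Trivy findings are absent from Wiz (limit {DRIFT_ALERT:.0%})"
    elif unkeyed:
        reason = f"{unkeyed} CR(s) carry no digest and cannot be reconciled"
    else:
        reason = "ok"
    result.update(drift=drift, alert=reason != "ok", reason=reason)
    return result


if __name__ == "__main__":
    trivy, unkeyed = cr_pairs(VULN_REPORTS["items"])
    verdict = check_drift(trivy, wiz_pairs(WIZ_THIRD_PARTY), unkeyed)
    print(f"trivy pairs={len(trivy)} unkeyed CRs={unkeyed} drift={verdict['drift']:.1%}")
    print(f"{'ALERT' if verdict['alert'] else 'ok'}: {verdict['reason']}")
    for pair in sorted(verdict["missing_in_wiz"]):
        print("  missing in Wiz:", *pair)
    for pair in sorted(verdict["extra_in_wiz"]):
        print("  stale in Wiz:  ", *pair)
```

On the constructed data one of three Trivy pairs never reached Wiz, so drift is 33% and the monitor alerts; the stale Wiz-only pair is listed for cleanup but does not contribute to the ratio. Scheduled once a day against the real exports, the alert is the trigger to fall back to the 1.2 dual-scan state until ingestion is healthy again.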
Why this beats a flag day
Reversible per phase, soaked before anything narrows.
Every phase rolls back in under 15 minutes — pull the Trivy CI step, flip a repo back to advisory, or switch Kyverno from enforce to audit — because Wiz keeps scanning every digest the whole way as cross-verification. The chosen end state only stands once it has run at least 30 days with severity parity at or above 90% (or, in the 1.3 path, third-party ingestion success at or above 99.5%). Critically, no phase ever turns Wiz off as a CNAPP, so there is no cliff to fall off — unlike a flag-day swap that strands your graph the moment one scan disagrees.
See how much of Wiz you can actually move to Trivy.
A 30-minute call with a senior engineer. We map your registries, clusters and Wiz connectors, baseline your Issue volume, and tell you honestly whether image-scan is separately priced — and where Wiz's graph stays load-bearing — before you commit.