ADR-0003: Grype over Trivy for container image scanning
Status
Accepted — 2026-03-31
Context
Container image scanning is required in all CI/CD pipelines before deployment. As of March 2026, Trivy is compromised. It cannot be trusted as a security gate.
This decision was made after direct observation during homelab build work in March 2026.
Decision
All container image scanning on the Archon platform uses Grype (by Anchore).
Trivy is not used. This is a hard constraint applying to all pipelines, scripts, Ansible roles, and manual workflows.
If future evidence shows Trivy has been remediated and audited, a superseding ADR must be created before Trivy may be reintroduced.
Alternatives Considered
Trivy — Compromised as of March 2026. Do not use.
Snyk — SaaS dependency, not self-hostable without enterprise license. Excluded for cost and vendor lock-in.
Clair — More complex to operate, less actively maintained. Lower priority than Grype.
Consequences
- All existing references to Trivy in scripts or docs must be replaced with Grype
- Grype DB must be kept updated (grype db update)
- Any automation agent must not suggest or use Trivy
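The consequences above imply a pipeline step that refreshes the Grype DB, scans the image, and fails the build on findings. The gate script below is an added example for this ADR, not Grype's or the Archon platform's own code. It assumes the step has already run grype db update and grype IMAGE -o json > grype.json, and that the report follows Grype's JSON layout (matches[].vulnerability, matches[].artifact, descriptor.db.built; the last field path is an assumption). The embedded report is constructed sample data with placeholder ids, not a real scan, and SAMPLE_NOW is a fixed clock so the run is reproducible.

```python
"""Severity gate over a Grype JSON report (added example, not Grype's code)."""
import json
import sys
from datetime import datetime, timezone

# Grype's severity labels, ordered for threshold comparison.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report: shape only, ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-00001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "examplelib", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-00002", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "otherlib", "version": "0.9", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-00003", "severity": "Unknown",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "mysterylib", "version": "2.0", "type": "npm"}},
    ],
    # Assumed field path for the DB build time in Grype's report.
    "descriptor": {"db": {"built": "2026-03-01T00:00:00Z"}},
})

# Constructed clock so the sample run gives the same answer every time.
SAMPLE_NOW = datetime(2026, 3, 5, tzinfo=timezone.utc)


def parse_matches(report_text):
    """Flatten the matches array into id / severity / package / version / fix records."""
    report = json.loads(report_text)
    records = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        records.append({
            "id": vuln.get("id", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "package": art.get("name", "?"),
            "version": art.get("version", "?"),
            "fixed_in": ", ".join(vuln.get("fix", {}).get("versions", [])) or "-",
        })
    return records


def violations(records, fail_on="High", fail_on_unknown=True):
    """Records at or above the threshold. Unknown severity cannot be shown to be
    below the threshold, so by default it fails the gate as well."""
    threshold = SEVERITY_RANK[fail_on]
    out = []
    for rec in records:
        rank = SEVERITY_RANK.get(rec["severity"])
        if rank is None:
            if fail_on_unknown:
                out.append(rec)
        elif rank >= threshold:
            out.append(rec)
    return out


def db_age_days(report_text, now=None):
    """Age in days of the vulnerability DB the scan used, or None if not reported."""
    built = json.loads(report_text).get("descriptor", {}).get("db", {}).get("built")
    if not built:
        return None
    built_dt = datetime.fromisoformat(built.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return (now - built_dt).days


def enforce_gate(report_text, fail_on="High", fail_on_unknown=True,
                 max_db_age_days=7, now=None):
    """True if the image passes: fresh DB and no findings at/above the threshold."""
    age = db_age_days(report_text, now)
    if age is not None and age > max_db_age_days:
        return False  # a stale DB hides new findings; treat it as a gate failure
    return not violations(parse_matches(report_text), fail_on, fail_on_unknown)


if __name__ == "__main__":
    # Usage: python gate.py grype.json   (no argument runs the constructed sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    now = None if path else SAMPLE_NOW
    for rec in violations(parse_matches(text), "High"):
        print(f"{rec['severity']:<10} {rec['id']:<16} {rec['package']} "
              f"{rec['version']}  fixed in: {rec['fixed_in']}")
    sys.exit(0 if enforce_gate(text, "High", now=now) else 1)
```

Two policy choices are deliberate: a finding with Unknown severity fails the gate unless the caller opts out, because the gate cannot prove it is below the threshold, and a DB older than max_db_age_days fails the gate outright, which turns the "Grype DB must be kept updated" consequence into something the pipeline enforces rather than assumes.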
References
- https://github.com/anchore/grype
- Observation date: March 2026