HubSec Research · Benchmark Report

Open-Source Tools vs Aqua Enterprise
A side-by-side vulnerability benchmark.

We scanned three deliberately vulnerable applications with the four most-used open-source security tools and Aqua Enterprise, then compared what each one found, missed, and prioritized. Here is what the data tells us about where commercial scanners add measurable value — and where the open-source stack is already good enough.

Scan Date: 2026-05-12
Targets: NodeGoat · juice-shop · WebGoat
OSS Tools: Trivy · Semgrep · Gitleaks · npm-audit
Commercial: Aqua Enterprise
Total Findings: 708 (across all tools, 3 repos)
Critical: 58 (CVE + Semgrep error)
High: 158 (CVE + Semgrep warning)
Medium: 79
Leaked Secrets: 293 (Gitleaks signals)
The headline finding

When open-source scanners stop, Aqua keeps going.

The most striking result of the benchmark was not "Aqua found more" — it was where Trivy gave up entirely. On juice-shop, a real-world Node.js application without a committed lockfile, Trivy returned zero vulnerabilities. Aqua reported 79 CVEs in the same code.

juice-shop · case study

0 vs 79 CVEs on the same repository.

Trivy OSS: 0 · Aqua Enterprise: 79 · Critical / High in Aqua: 13 / 58

juice-shop has no package-lock.json in its repository. Trivy's dependency scanner requires a lockfile to resolve transitive dependencies, so it produced zero findings. Aqua resolves range-based dependencies straight from package.json and surfaced 79 CVEs — including vm2 RCE, jsonwebtoken bypass, and the well-known lodash prototype-pollution chain. This is the largest single coverage gap we measured.
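The coverage gap above is silent: a lockfile-based scanner returns an empty result set, which looks exactly like a clean repository. The following added example (written for this report, not code from Trivy, Aqua or HubSec) turns that into an explicit check. Given a file listing such as the output of `git ls-files`, it finds every package.json without a sibling lockfile, lists the dependency specs that only a resolver can pin, and interprets a zero-finding scan accordingly. The listing and manifest it runs on are constructed samples.

```python
"""Detect manifests a lockfile-based dependency scanner cannot resolve.

Added example; it is not part of the HubSec report or of Trivy/Aqua. Given a
file listing (for instance the output of `git ls-files`), it finds every
directory that has a package.json but no lockfile beside it and lists the
dependency specs that only a resolver can pin. A zero-finding result from a
lockfile-based scanner on such a directory means "not scanned", not "clean".
"""
import json
import posixpath
import re

# Lockfiles that pin a dependency tree; any one of them beside package.json is enough.
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
# An exact version: 1.2.3 with an optional pre-release/build suffix. Anything else is a range.
EXACT_VERSION = re.compile(r"^=?v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def lockfile_gaps(paths):
    """Return the directories ('.' for the repo root) whose package.json has no sibling lockfile."""
    manifests, locked = set(), set()
    for p in paths:
        directory, name = posixpath.split(p.strip().strip("/"))
        directory = directory or "."
        if name == "package.json":
            manifests.add(directory)
        elif name in LOCKFILES:
            locked.add(directory)
    return sorted(manifests - locked)


def unresolved_ranges(package_json_text):
    """Return {dependency: spec} for every declared dependency that is not pinned to one version."""
    manifest = json.loads(package_json_text)
    unresolved = {}
    for field in DEP_FIELDS:
        for dep, spec in manifest.get(field, {}).items():
            if not EXACT_VERSION.match(str(spec).strip()):
                unresolved[dep] = spec
    return unresolved


def coverage_verdict(finding_count, gaps):
    """Interpret a scanner's result count in the light of the lockfile check."""
    if finding_count > 0:
        return "findings"
    return "no-coverage" if gaps else "clean"


if __name__ == "__main__":
    # Constructed sample: a root manifest without a lockfile and a sub-project with one.
    sample_listing = [
        "package.json",
        "src/server.ts",
        "frontend/package.json",
        "frontend/package-lock.json",
    ]
    sample_manifest = json.dumps({
        "dependencies": {"express": "^4.17.1", "lodash": "4.17.21", "vm2": "~3.9.0"},
        "devDependencies": {"jest": ">=29"},
    })
    gaps = lockfile_gaps(sample_listing)
    print("manifests without lockfile:", gaps)
    print("unpinned specs in root package.json:", unresolved_ranges(sample_manifest))
    # Zero findings from a lockfile-based scanner would be a coverage gap here, not a clean bill.
    print("verdict for a 0-finding scan:", coverage_verdict(0, gaps))
```

When the check reports a gap, `npm install --package-lock-only --ignore-scripts` writes a package-lock.json from the declared ranges without installing anything or running lifecycle scripts; rescanning after that step gives a lockfile-based tool the same input a range-resolving scanner builds for itself.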

Four places Aqua adds measurable value

📚 Data-source breadth

Aqua ingests NSWG (Node Security WG), vendor advisories and GHSA, not just NVD. It surfaces non-CVE advisories (NSWG-ECO-118, GHSA-72hv-…) that OSS scanners ignore.

🆕 Recency on new CVEs

The flip side: Trivy is sometimes faster on 2025/2026 CVEs (thymeleaf-spring6 critical chain, underscore CVE-2026-27601) before Aqua's database refresh. They complement each other.

⚖️ Severity scoring

Aqua applies its own triage on top of NVD CVSS — 8 CVEs got reclassified in our test (e.g., y18n, ini, set-value bumped HIGH → CRITICAL).

🎯 Triage metadata

Aqua exposes EPSS · Direct/Transitive · Package Roots · Vendor Fix · Reachability per finding. OSS scanners give you a CVE list; Aqua gives you a triaged action queue.

Overall coverage

Where the 708 findings came from.

Aggregated across all four open-source tools (Trivy, Semgrep, Gitleaks, npm-audit) before de-duplication. Gitleaks alone accounts for 293 secret signals — most of them test fixtures in the deliberately-vulnerable applications, but a useful reminder that fixture-grade secrets do leak into production repos.

[Charts: Findings by repository (all tools combined); Severity distribution (CVE, Trivy + npm-audit combined); Findings by tool (how much each scanner contributed); Per-repository × per-tool breakdown (stacked view of which scanner caught what, where)]
Repository detail

Raw counts per tool
Repository | Stack         | Semgrep (E/W) | Gitleaks | Trivy (C/H/M/L)   | npm-audit (C/H/M/L) | Total
NodeGoat   | Node.js       | 3 / 13        | 5        | 10 / 39 / 16 / 10 | 36 / 63 / 33 / 9    | 237
juice-shop | Node.js / TS  | 12 / 18       | 194      | 0 / 0 / 0 / 0     | 7 / 31 / 11 / 6     | 279
WebGoat    | Java / Spring | 15 / 31       | 94       | 5 / 25 / 19 / 3   | n/a                 | 192
All three targets are OWASP training applications (deliberately vulnerable). Most Gitleaks hits are test fixtures — they should still be rotated if the codebase is forked into production.
Aqua Enterprise vs Trivy OSS

Same repos, side by side.

We exported Aqua's findings from the Aqua Console (2026-05-13) and ran Trivy 0.70.0 locally (2026-05-12) on the same three repositories. Below is a strict CVE-level diff: how many findings each tool produced, how many CVEs overlapped, and where each one stood alone.

Total findings — 3 repositories combined

Higher is not always better; coverage gaps are what matter
Repository | Aqua Total | Trivy Total | Δ    | Aqua Unique CVE | Trivy Unique CVE | Overlap | Aqua-only | Trivy-only
NodeGoat   | 116        | 75          | +41  | 69              | 64               | 56      | 13        | 8
WebGoat    | 57         | 52          | +5   | 57              | 52               | 44      | 13        | 8
juice-shop | 106        | 0           | +106 | 79              | 0                | 0       | 79        | 0
Total      | 279        | 127         | +152 | 205             | 116              | 100     | 105       | 16
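The table distinguishes raw findings from unique CVEs, and the difference between the two is the "Duplicate CVE × version" count reported further down (279 − 205 = 74 for Aqua, 127 − 116 = 11 for Trivy). The added example below (our illustration, not code from HubSec, Aqua or Trivy) computes exactly that diff from a Trivy JSON report and an Aqua CSV export. The Trivy field names (Results[].Vulnerabilities[].VulnerabilityID, PkgName, InstalledVersion) are the real ones from `--format json`; the Aqua column names "Vulnerability", "Resource" and "Version" are an assumption about the Console export, and the sample report and CSV it runs on are constructed with placeholder CVE ids.

```python
"""CVE-level diff between an Aqua CSV export and a Trivy JSON report.

Added example, not code from the HubSec report or from Aqua/Trivy. The Trivy
layout used (Results[].Vulnerabilities[].VulnerabilityID, PkgName,
InstalledVersion) is the real one for `trivy ... --format json`. The Aqua column
names "Vulnerability", "Resource" and "Version" are an assumption about the
Console export; change them to match your own CSV.
"""
import csv
import io
import json


def trivy_findings(trivy_json_text):
    """Return [(cve, package, installed_version), ...] from a Trivy JSON report."""
    report = json.loads(trivy_json_text)
    rows = []
    for result in report.get("Results", []):
        # Trivy emits null (or omits the key) for targets with no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            rows.append((v["VulnerabilityID"], v.get("PkgName", ""), v.get("InstalledVersion", "")))
    return rows


def aqua_findings(csv_text, cve_col="Vulnerability", pkg_col="Resource", ver_col="Version"):
    """Return [(cve, package, installed_version), ...] from an Aqua CSV export (column names assumed)."""
    return [(row[cve_col], row.get(pkg_col, ""), row.get(ver_col, ""))
            for row in csv.DictReader(io.StringIO(csv_text))]


def cve_diff(aqua_rows, trivy_rows):
    """Compare two result sets at CVE level.

    'total' counts rows as reported; 'unique' collapses repeats of one CVE across
    several packages or versions, and the difference between the two is the
    duplicate count. Overlap and the two 'only' lists are computed on CVE ids.
    """
    aqua_cves = {r[0] for r in aqua_rows}
    trivy_cves = {r[0] for r in trivy_rows}
    return {
        "aqua_total": len(aqua_rows),
        "trivy_total": len(trivy_rows),
        "delta": len(aqua_rows) - len(trivy_rows),
        "aqua_unique_cve": len(aqua_cves),
        "trivy_unique_cve": len(trivy_cves),
        "aqua_duplicates": len(aqua_rows) - len(aqua_cves),
        "trivy_duplicates": len(trivy_rows) - len(trivy_cves),
        "overlap": len(aqua_cves & trivy_cves),
        "aqua_only": sorted(aqua_cves - trivy_cves),
        "trivy_only": sorted(trivy_cves - aqua_cves),
    }


# Constructed sample data (not real scan output); the CVE ids are placeholders.
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2000-0001", "PkgName": "pkg-a", "InstalledVersion": "1.0.0"},
            {"VulnerabilityID": "CVE-2000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.0.0"},
            {"VulnerabilityID": "CVE-2000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.1.0"},
        ]},
        {"Target": "Dockerfile", "Vulnerabilities": None},
    ]
})
SAMPLE_AQUA_CSV = (
    "Vulnerability,Resource,Version,Severity\n"
    "CVE-2000-0001,pkg-a,1.0.0,high\n"
    "CVE-2000-0003,pkg-c,3.0.0,critical\n"
    "CVE-2000-0003,pkg-c,3.1.0,critical\n"
)


def sample_diff():
    """Run the diff over the constructed sample data."""
    return cve_diff(aqua_findings(SAMPLE_AQUA_CSV), trivy_findings(SAMPLE_TRIVY_JSON))


if __name__ == "__main__":
    for key, value in sample_diff().items():
        print(f"{key:>18}: {value}")
```

Keying the overlap on CVE id alone is deliberate: the two tools name packages differently (Maven coordinates vs. artifact names, scoped npm packages) and report different installed versions when one resolves ranges and the other reads a lockfile, so a package-level join would undercount the overlap.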

[Charts: Total findings, Aqua vs Trivy (per repository); CVE overlap analysis (shared · Aqua-only · Trivy-only); Severity distribution (all 3 repos combined, NodeGoat, WebGoat, juice-shop)]
Triage funnel

279 raw findings → 48 things you actually need to do.

This is where Aqua's commercial metadata pays for itself. Using Reachability and Direct vs Transitive flags we eliminated 65% of the raw findings as not exploitable at runtime, ending with a 48-item action list — an 83% reduction in noise. Open-source scanners give you the long list; Aqua gives you the short one.

From raw to actionable

Aqua's Reachability + Direct flags applied to 279 raw findings
Raw findings: 279
Reach = No: 182 (65% likely FP)
Reach = Yes: 97
Actionable (Direct + Reach=Yes): 48

Repository | Raw | Reach=No (FP) | Reach=Yes | Actionable | Noise reduction
NodeGoat   | 116 | 103 (89%)     | 13        | 7          | −94%
WebGoat    | 57  | 14 (25%)      | 43        | 25         | −56%
juice-shop | 106 | 65 (61%)      | 41        | 16         | −85%
Total      | 279 | 182 (65%)     | 97        | 48         | −83%
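The funnel is two boolean filters applied in sequence, and it is worth having it as code so the same cut can be re-run on the next export. The added example below is our illustration, not the report's own tooling or an Aqua feature: it takes one row per finding with `reachable` and `direct` flags, computes the per-repository and total funnel with the same percentages the table uses, and includes a CSV loader whose column names ("Repository", "Reachability", "Dependency Type") are an assumption about the Aqua export. The demo rows are constructed from the table's totals (for NodeGoat, 103 unreachable, 6 reachable-transitive, 7 reachable-direct, and so on), not real scan output.

```python
"""Triage funnel: Raw -> Reach=No (likely FP) -> Reach=Yes -> Actionable (Direct + Reach=Yes).

Added example; not the HubSec report's own code and not an Aqua feature. Each
finding is a dict with a `repo` name and boolean `reachable` and `direct`
fields. The CSV loader assumes Aqua's export has columns "Repository",
"Reachability" (Yes/No) and "Dependency Type" (Direct/Transitive); those
column names are an assumption, adjust them to your export.
"""
import csv
import io
from collections import defaultdict


def from_aqua_csv(csv_text, repo_col="Repository", reach_col="Reachability", dep_col="Dependency Type"):
    """Normalise an Aqua CSV export into funnel rows (column names are assumed)."""
    return [{
        "repo": row[repo_col],
        "reachable": row[reach_col].strip().lower() == "yes",
        "direct": row[dep_col].strip().lower() == "direct",
    } for row in csv.DictReader(io.StringIO(csv_text))]


def funnel(rows):
    """Apply both filters and report counts plus the rounded percentages the report uses."""
    raw = len(rows)
    reach_yes = [r for r in rows if r["reachable"]]
    actionable = [r for r in reach_yes if r["direct"]]
    reach_no = raw - len(reach_yes)

    def pct(part):  # guard the empty-repository case instead of dividing by zero
        return round(100 * part / raw) if raw else 0

    return {
        "raw": raw,
        "reach_no": reach_no,
        "reach_no_pct": pct(reach_no),
        "reach_yes": len(reach_yes),
        "actionable": len(actionable),
        "noise_reduction_pct": pct(raw - len(actionable)),
    }


def funnel_by_repo(rows):
    """Per-repository funnels plus a 'Total' line over every row."""
    by_repo = defaultdict(list)
    for r in rows:
        by_repo[r["repo"]].append(r)
    out = {repo: funnel(repo_rows) for repo, repo_rows in by_repo.items()}
    out["Total"] = funnel(rows)
    return out


def constructed_rows(repo, unreachable, reachable_transitive, reachable_direct):
    """Build synthetic rows with the given counts (constructed data, not a real scan)."""
    return ([{"repo": repo, "reachable": False, "direct": False}] * unreachable
            + [{"repo": repo, "reachable": True, "direct": False}] * reachable_transitive
            + [{"repo": repo, "reachable": True, "direct": True}] * reachable_direct)


if __name__ == "__main__":
    # Counts derived from the report's table: Reach=Yes minus Actionable gives the reachable transitives.
    sample = (constructed_rows("NodeGoat", 103, 6, 7)
              + constructed_rows("WebGoat", 14, 18, 25)
              + constructed_rows("juice-shop", 65, 25, 16))
    for repo, stats in funnel_by_repo(sample).items():
        print(f"{repo:<11}", stats)
```

Reachable-but-transitive findings are dropped from the action list here, as in the report; they are not false positives, only items that are fixed by bumping the direct dependency that pulls them in, so a follow-up pass should confirm each one is covered by an upgrade in the actionable set.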

[Chart: Triage funnel per repo, Raw → Reach=Yes → Actionable]

FP-filtering capability

Triage metadata each tool exposes
Feature                   | Aqua  | Trivy OSS
Reachability analysis     | ✓ Yes | ✗ No
Direct vs Transitive flag | ✓ Yes | ✗ No
EPSS score                | ✓ Yes | ✗ No
Vendor Fix flag           | ✓ Yes | ~ status only
Missing CVSS score        | 0     | 32
Duplicate CVE × version   | 74    | 11
Status: affected, no fix  | 7     | 3
Vulnerability drill-down

The 48 findings, by name.

Per-CVE detail — package, vulnerable version, fix version, EPSS exploit-probability score, and our triage recommendation. Request access below to view the full drill-down: NodeGoat (7 actions), WebGoat (25 actions — 24 in a single XStream upgrade), juice-shop (16 actions across jsonwebtoken / multer).

WebGoat — Actionable findings (25)

24 of 25 resolve with a single XStream upgrade
Severity | CVE                 | Package                        | Version | Fix    | EPSS
Critical | CVE-2013-7285       | xstream                        | 1.4.5   | 1.4.7+ | 0.148
High     | CVE-2021-39144      | xstream                        | 1.4.5   | 1.4.18 | 0.94 ⚡
High     | CVE-2020-26217      | xstream                        | 1.4.5   | 1.4.14 | 0.93 ⚡
High     | CVE-2021-29505      | xstream                        | 1.4.5   | 1.4.17 | 0.91 ⚡
High     | CVE-2021-39141      | xstream                        | 1.4.5   | 1.4.18 | 0.82
High     | CVE-2021-39152      | xstream                        | 1.4.5   | 1.4.18 | 0.62
High     | + 18 more findings… | xstream / spring-boot-actuator |         |        |

juice-shop — Actionable findings (16)

jsonwebtoken and multer dominate
Severity | CVE            | Package      | Version | Fix
Critical | CVE-2015-9235  | jsonwebtoken | 0.4.0   | 4.2.2
Critical | CVE-2018-3745  | jsonwebtoken | 0.4.0   | 8.4.0
Critical | CVE-2020-15084 | express-jwt  | 0.1.3   | 6.0.0

Get the full report.

The complete open-source drill-down — every Trivy CVE, every Semgrep finding, every Gitleaks detection across all three repos — will land in your inbox as a PDF within 30 seconds. Aqua Enterprise drill-down is available on a separate call.


Priority actions

Top 10 things we'd fix first.

Independent of which scanner found them, these are the ten remediations that close the largest blast radius across the three target repositories. Ordered by exploit probability and patch leverage (how many CVEs one upgrade closes).

#  | Action                                        | Repo                | Impact
01 | Upgrade XStream 1.4.5 → 1.4.21                | WebGoat             | RCE · closes 24 CVEs in one bump
02 | Upgrade thymeleaf-spring6                     | WebGoat             | Critical · 3 CVEs (CVE-2026-40477 / 40478 / 41901)
03 | Upgrade Spring Security Web                   | WebGoat             | Critical · CVE-2026-22732
04 | Parameterize SQL queries                      | juice-shop, WebGoat | High · 17 SQLi findings (Semgrep)
05 | Audit GitHub Actions for shell injection      | juice-shop          | Supply-chain RCE
06 | Set HttpOnly / Secure cookie flags            | NodeGoat, WebGoat   | Session theft
07 | Upgrade minimist, mixin-deep, set-value, bson | NodeGoat            | Critical · prototype pollution chain
08 | Remove hardcoded JWT secret                   | juice-shop          | Token forgery
09 | Remove unsafe object deserialization points   | WebGoat             | RCE
10 | Verify AWS tokens (lab fixture vs real key?)  | WebGoat             | Cloud compromise
Net effect of the first three actions: 30+ HIGH/CRITICAL CVEs closed by three package upgrades. The same finding count would take weeks to remediate one-by-one without the grouping that triage metadata enables.
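"Patch leverage" is the grouping step that turns the WebGoat drill-down's 24 XStream rows into one action, and it is mechanical enough to automate. The added example below is our illustration, not HubSec's tooling: it groups findings by (repo, package, installed version), picks the highest per-CVE fix version as the upgrade target so one bump closes the whole group, and ranks groups by CVEs closed with highest EPSS as the tie-break (that ordering is this example's choice). Its sample rows are the six XStream and three juice-shop findings listed in the drill-down tables above; because the 18 unlisted XStream rows are absent, it arrives at 1.4.18 rather than the report's 1.4.21 target. Version comparison keeps only numeric components, which suffices for these Maven and npm versions but is not full semver.

```python
"""Rank remediations by patch leverage: how many CVEs one upgrade closes.

Added example, not code from the HubSec report. Findings are grouped by
(repo, package, installed version); the upgrade target is the highest of the
per-CVE fix versions, so one bump closes every CVE in the group. Groups are
ranked by CVE count, then by highest EPSS (that order is this example's
choice). Version parsing keeps only numeric components, which is enough for
the Maven/npm versions on this page but is not a full semver comparison.
"""
import re
from collections import defaultdict


def version_key(version):
    """'1.4.7+' -> (1, 4, 7); used only for ordering fix versions."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plan_upgrades(findings):
    """Group findings into upgrades and rank them by leverage, then EPSS."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["repo"], f["package"], f["version"])].append(f)
    plan = []
    for (repo, package, version), group in groups.items():
        target = max((f["fix"] for f in group), key=version_key)
        plan.append({
            "repo": repo,
            "package": package,
            "from": version,
            "to": target.rstrip("+"),  # '1.4.7+' means 'at least 1.4.7'
            "cves_closed": sorted(f["cve"] for f in group),
            "max_epss": max((f.get("epss") or 0.0) for f in group),
            "has_critical": any(f["severity"].lower() == "critical" for f in group),
        })
    plan.sort(key=lambda p: (len(p["cves_closed"]), p["max_epss"]), reverse=True)
    return plan


# Sample rows copied from the report's drill-down tables (EPSS is given only for WebGoat).
SAMPLE_FINDINGS = [
    {"repo": "WebGoat", "severity": "Critical", "cve": "CVE-2013-7285", "package": "xstream", "version": "1.4.5", "fix": "1.4.7+", "epss": 0.148},
    {"repo": "WebGoat", "severity": "High", "cve": "CVE-2021-39144", "package": "xstream", "version": "1.4.5", "fix": "1.4.18", "epss": 0.94},
    {"repo": "WebGoat", "severity": "High", "cve": "CVE-2020-26217", "package": "xstream", "version": "1.4.5", "fix": "1.4.14", "epss": 0.93},
    {"repo": "WebGoat", "severity": "High", "cve": "CVE-2021-29505", "package": "xstream", "version": "1.4.5", "fix": "1.4.17", "epss": 0.91},
    {"repo": "WebGoat", "severity": "High", "cve": "CVE-2021-39141", "package": "xstream", "version": "1.4.5", "fix": "1.4.18", "epss": 0.82},
    {"repo": "WebGoat", "severity": "High", "cve": "CVE-2021-39152", "package": "xstream", "version": "1.4.5", "fix": "1.4.18", "epss": 0.62},
    {"repo": "juice-shop", "severity": "Critical", "cve": "CVE-2015-9235", "package": "jsonwebtoken", "version": "0.4.0", "fix": "4.2.2", "epss": None},
    {"repo": "juice-shop", "severity": "Critical", "cve": "CVE-2018-3745", "package": "jsonwebtoken", "version": "0.4.0", "fix": "8.4.0", "epss": None},
    {"repo": "juice-shop", "severity": "Critical", "cve": "CVE-2020-15084", "package": "express-jwt", "version": "0.1.3", "fix": "6.0.0", "epss": None},
]


if __name__ == "__main__":
    for rank, step in enumerate(plan_upgrades(SAMPLE_FINDINGS), start=1):
        print(f"{rank:02d} {step['repo']}: {step['package']} {step['from']} -> {step['to']} "
              f"closes {len(step['cves_closed'])} CVE(s), max EPSS {step['max_epss']:.2f}")
```

Taking the maximum fix version is what makes the grouping safe: choosing the minimum would close the oldest CVE and leave the newer ones open. A jump such as jsonwebtoken 0.4.0 to 8.4.0 spans several major versions, so the ranked list is a starting point for a compatibility review, not a change set to apply blindly.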
Methodology

How the benchmark was run.

All scans were executed on 2026-05-12 against the public main branches of the three target repos. Open-source tools were run locally with default rule packs. Aqua Enterprise scans were executed via the Aqua Console and exported as CSV on 2026-05-13.

Trivy 0.70.0
Dependency CVE scan

Lockfile-based dependency scanning. Strong on new CVEs, requires package-lock.json / pom.xml for accurate results.

Semgrep
SAST — code-level findings

Pattern-based static analysis. SQL injection, hardcoded secrets, unsafe deserialization. Default ruleset (p/default).

Gitleaks
Secret detection

Repo-wide search for committed credentials. High recall, high false-positive rate on test fixtures.

npm-audit
Node ecosystem advisories

Built-in npm advisory check. Resolves only npm-published vulnerabilities; misses GHSA / NSWG entries.

Aqua Enterprise
Commercial · multi-source

NSWG + GHSA + vendor feeds, EPSS scoring, Reachability + Direct/Transitive metadata for triage. Range-based resolution from package.json without a lockfile.

Reproducibility: raw JSON outputs from every scan tool are archived at HubSec. We're happy to share the underlying dataset with researchers and customers running their own benchmark — please use the contact form below.

Want this on your repositories?

We run benchmark assessments like this for any code base — yours or a fork — and produce a tailored prioritized action list. Open-source-only scans are free; Aqua Enterprise scans are part of a paid engagement.
