
AWS has its own native tool to scan the images.



One use case using Trivy is in a CI/CD pipeline; fail container builds that have issues to begin with.

Whereas container scanning in ECR, who knows when someone will actually fix the issue.


There’s a fix for this. Assign production “visas” to specific image builds. The visa has a clear start and end date and can be renewed if evidence is provided that no security issues above a defined threshold are present.

That said, I really like Trivy. It has native output template support, meaning you can plug it in where licensing gets tricky (looking at you, Palo Alto Networking).
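Added example, not part of the thread or of any project's code: one way the "visa" idea above could be checked, renewing a visa only when a Trivy JSON report for the same image shows nothing at or above a severity threshold. The visa record layout, the function names, the 30-day validity and the sample report (including its placeholder CVE IDs) are assumptions constructed for illustration.

```python
import json
from datetime import date, timedelta

# Severity names as they appear in the "Severity" field of Trivy's JSON report.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output (trimmed).
SAMPLE_REPORT = json.loads("""
{"ArtifactName": "registry.example/app:1.4.2",
 "Results": [
  {"Target": "app (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libsample", "Severity": "LOW"}]},
  {"Target": "requirements.txt"}
 ]}
""")

def findings_at_or_above(report, threshold):
    """Return (id, severity) for every finding at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results") or []:
        # A target with no findings has no "Vulnerabilities" key at all.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) >= floor:
                hits.append((vuln["VulnerabilityID"], sev))
    return hits

def renew_visa(visa, report, today, threshold="HIGH", days=30):
    """Renew only if the scan is for the visa's image and is clean at threshold."""
    if report.get("ArtifactName") != visa["image"]:
        return visa, "denied: scan evidence is for a different image"
    hits = findings_at_or_above(report, threshold)
    if hits:
        return visa, f"denied: {len(hits)} finding(s) at or above {threshold}"
    renewed = dict(visa, start=today, end=today + timedelta(days=days))
    return renewed, "renewed"

def may_deploy(visa, image, today):
    """Admission check: the image needs a visa valid on the deploy date."""
    return visa["image"] == image and visa["start"] <= today <= visa["end"]
```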



