mkdocs: add comparison nav

docs/mkdocs/comparison/anchore.md

@@ -0,0 +1,5 @@
+Similar to Clair, there is a difference in detection accuracy on Alpine Linux.
+Then, as noted above, `Anchore Engine` does not detect unfixable vulnerabilities on RHEL/CentOS, whereas `Trivy` does.
+
+Also, `Anchore Engine` needs some steps to start scanning.
+`Trivy` is much easier to use.

docs/mkdocs/comparison/clair.md

@@ -0,0 +1,33 @@
+[Clair][clair] uses [alpine-secdb][alpine-secdb].
+However, the purpose of this database is to make it possible to know what packages has backported fixes.
+As README says, it is not a complete database of all security issues in Alpine.
+
+`Trivy` collects vulnerability information in Alpine Linux from [Alpine Linux aports repository][aports].
+Then, those vulnerabilities will be saved on [vuln-list][vuln-list].
+
+`alpine-secdb` has 6959 vulnerabilities (as of 2019/05/12).
+`vuln-list` has 11101 vulnerabilities related to Alpine Linux (as of 2019/05/12).
+There is a difference in detection accuracy because the number of vulnerabilities is nearly doubled.
+
+In addition, `Trivy` analyzes the middle layers as well to find out which version of the library was used for static linking.
+
+`Clair` can not handle the following cases because it analyzes the image after applying all layers.
+
+```
+RUN apk add --no-cache sqlite-dev \
+ && wget https://xxx/yyy.tar.gz \
+ && tar zxvf yyy.tar.gz && cd yyy \
+ && make && make install \
+ && apk del sqlite-dev
+```
+
+And as many people know, it is difficult to select a `Clair` client because many clients are deprecated.
+
+Trivy is a stand-alone tool and can scan very fast. This means it's very easy to use in CI/CD.
+
+Finally, `Trivy` can also detect vulnerabilities in application dependent libraries such as Bundler, Composer, Pipenv, etc.
+
+[clair]: https://github.com/coreos/clair
+[alpine-secdb]: https://github.com/alpinelinux/alpine-secdb/
+[aports]: https://gitlab.alpinelinux.org/alpine/aports
+[vuln-list]: https://github.com/aquasecurity/vuln-list/tree/main/alpine

docs/mkdocs/comparison/index.md

@@ -0,0 +1,14 @@
+| Scanner        | OS<br>Packages  | Application<br>Dependencies | Easy to use  | Accuracy    | Suitable<br>for CI  |
+| -------------- | :-------------: | :-------------------------: | :----------: | :---------: | :-----------------: |
+| Trivy          |       ✅        |       ✅<br>(7 languages)   |    ⭐ ⭐ ⭐    |  ⭐ ⭐ ⭐    |      ⭐ ⭐ ⭐         |
+| Clair          |       ✅        |              ×              |      ⭐       |   ⭐ ⭐      |      ⭐ ⭐           |
+| Anchore Engine |       ✅        |       ✅<br>(4 languages)   |     ⭐ ⭐      |   ⭐ ⭐      |     ⭐ ⭐ ⭐         |
+| Quay           |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
+| Docker Hub     |       ✅        |              ×              |    ⭐ ⭐ ⭐    |    ⭐        |        ×            |
+| GCR            |       ✅        |              ×              |    ⭐ ⭐ ⭐    |   ⭐ ⭐      |        ×            |
+
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/

docs/mkdocs/comparison/quay_dockerhub_gcr.md

@@ -0,0 +1,3 @@
+As `Quay` uses `Clair` internally, it has the same accuracy as `Clair`. `Docker Hub` can scan only official images. `GCR` hardly detects vulnerabilities on Alpine Linux. Also, it is locked to a specific registry.
+
+`Trivy` can be used regardless of the registry, and it is easily integrated with CI/CD services.