Safeguard
Container Security

Top container security tools to evaluate

Comparing Safeguard and Mend.io on the dimensions that actually matter for container security: scanning engine transparency, air-gapped support, registry coverage, and product origin.

Karan Patel
Cloud Security Engineer
8 min read

Container security tooling has matured well past a single Trivy or Grype scan bolted onto a CI pipeline. Teams now need image scanning, SBOM generation, registry coverage across multiple clouds, offline or air-gapped support for regulated environments, and a scanning engine they can actually inspect rather than trust blindly. Mend.io — formerly WhiteSource, rebranded in 2022 — is one of the more established names buyers put on their shortlist, built originally around software composition analysis (SCA) and open source license compliance before extending into container and image scanning. Safeguard approaches the problem from the opposite direction: an offline-capable CLI scanner built on transparent, widely audited open source engines, paired with SBOM generation, multi-registry integrations, and a public vulnerability database anyone can query before signing a contract. This post compares Safeguard and Mend.io on concrete, verifiable dimensions — engine transparency, air-gapped workflows, registry coverage, and product origin — so you can evaluate both on capability rather than marketing copy.

What Should You Look For in a Container Security Tool?

Before comparing vendors, it helps to fix the criteria. A container security tool that's actually usable in production needs to answer a few concrete questions:

  • Engine transparency — is the scanning logic built on inspectable, well-known open source detection engines, or a fully proprietary black box?
  • Deployment flexibility — can it run fully offline or air-gapped, or does it require a persistent connection to a SaaS backend?
  • Registry and ecosystem coverage — which image registries, source control platforms, and package ecosystems does it actually support today?
  • SBOM output — does it produce a standard, exportable software bill of materials, or just a dashboard?
  • Origin and architecture — was container/image scanning built in from day one, or bolted onto a platform designed for something else?

The rest of this post walks Safeguard and Mend.io through each of these, being explicit about what's independently verifiable versus what you should confirm directly with either vendor during a proof of concept.

Safeguard vs. Mend.io: How Transparent Is the Scanning Engine?

Safeguard's CLI scanner is built on established open source scanning engines — Grype, Trivy, and gitleaks — rather than a closed, proprietary detector. That matters for two practical reasons: the detection logic and CVE feed behavior of those engines are publicly documented and auditable by any security team, and their release notes, known limitations, and false-positive patterns are discussed openly in public issue trackers rather than locked behind a vendor's support portal. If your compliance program cares about being able to explain why a finding fired, that reproducibility is a meaningful property.

Mend.io, by contrast, has historically maintained its own proprietary vulnerability database and detection engine — a natural extension of its origins as WhiteSource, a commercial SCA vendor that built dependency and license analysis in-house rather than on top of community tooling. Neither model is inherently better: a proprietary database can mean earlier or more curated vulnerability data, while an open engine means auditability and no lock-in to one vendor's research pipeline. But they are genuinely different starting points, and it's worth asking Mend directly how much of their container scanning shares engine internals with their core SCA product, since that detail isn't something you can verify from outside the platform.

Does It Support Air-Gapped and CLI-First Workflows?

Safeguard's CLI scanner is designed to run offline: it uses a device-authorization flow (the OAuth 2.0 Device Authorization Grant, RFC 8628) so a workstation or build agent can authenticate without ever holding a long-lived credential, then caches short-lived tokens locally and runs scans without a live round-trip to a SaaS backend for every check. It supports serve, listen, and runner modes, so the same binary works for an interactive developer scan, a long-running local service, or a CI job — a meaningful distinction for teams operating in regulated, disconnected, or on-prem environments.

Mend.io is primarily consumed as a cloud/SaaS platform integrated into CI/CD pipelines and source control. That's a perfectly reasonable model for most SaaS-native engineering organizations, but if your evaluation criteria specifically require a fully disconnected, air-gapped scan path — common in defense, critical infrastructure, or highly regulated on-prem environments — that's a question to put directly to Mend's sales engineering team rather than assume either way. Public documentation on the depth of their offline or on-prem deployment options is limited enough that we won't assert a specific answer here.

How Broad Is Registry and Ecosystem Coverage?

Safeguard's SCM and registry integration layer connects to GitHub, GitLab, Bitbucket, Amazon ECR, and Google Container Registry, and generates SBOMs as part of the same pipeline that feeds vulnerability enrichment. Underneath that, a dedicated crawler indexes open source packages across 17-plus ecosystems into a continuously updated, publicly queryable database — so you can look up a package or CVE before you've installed any tooling at all, which is a useful way to sanity-check coverage claims for any vendor, including Mend.io.

Mend.io is widely recognized for broad language and package-manager coverage in its core SCA product, which is where the platform's roots as WhiteSource run deepest. When you're specifically evaluating container and image scanning rather than source-dependency scanning, ask for the current list of supported image registries and base-image formats — registry breadth for images is a distinct capability from dependency-manifest coverage, and the two numbers don't automatically move together for any vendor.

SCA-First or Container-Native — Where Did Each Platform Start?

This is the dimension that most explains the differences above. Mend.io's lineage traces back to WhiteSource, a platform built around scanning source repositories for open source dependencies, flagging license risk, and surfacing known vulnerabilities in third-party packages. Container and image scanning were added to that foundation over time as the market's needs shifted toward Kubernetes and containerized deployments. That history isn't a knock — SCA-first vendors often bring mature dependency-graph analysis — but it's a legitimate reason to ask how tightly a vendor's container scanning module is integrated with its core product versus operating as a parallel capability bolted on afterward.

Safeguard was built with container and software-supply-chain scanning as a first-class use case from the start: the offline CLI scanner, SBOM generation, and CI/CD pipeline hooks aren't an add-on module bolted onto a dependency-scanning product — they're the core architecture. If your primary workload is container images rather than source-code dependency graphs, it's worth weighing which platform treats that as its native design center versus an extension.

Is Vulnerability Data Something You Can Check Yourself?

One underrated evaluation step: can you verify a vendor's vulnerability or package data without buying anything? Safeguard publishes a public, no-auth CVE and open source package search covering 17-plus ecosystems, so you can look up how a specific package or vulnerability is represented before you ever talk to sales. That's a low-effort way to spot-check data freshness and coverage claims for any tool on your shortlist — run the same package or CVE through Safeguard's public search and through Mend.io's own documentation or trial, and compare what comes back. We'd encourage doing this with any vendor, including us — verifiable data beats a slide deck every time.

How Safeguard Helps

If you're building a shortlist for "best container security tools," here's what Safeguard specifically brings to the evaluation:

  • Transparent scanning engine — the CLI scanner runs on Grype, Trivy, and gitleaks, so detection logic is auditable rather than opaque, and you can trace a finding back to a well-documented open source project.
  • Offline-first architecture — device-authorization login (RFC 8628), locally cached short-lived tokens, and serve/listen/runner modes mean scans can run in air-gapped or disconnected environments, not just inside a SaaS pipeline.
  • SBOM generation built in — software bills of materials are produced as part of the standard scan flow, not a separate paid module.
  • Multi-registry, multi-SCM coverage — native integrations with GitHub, GitLab, Bitbucket, Amazon ECR, and Google Container Registry, feeding a pipeline with dozens of vulnerability enrichers.
  • A public way to verify us — our CVE and open source package search is free and requires no login, so you can check our data quality before you evaluate anything else.

The honest recommendation for any Safeguard-versus-Mend.io evaluation is to run both through the same real workload: your actual container images, your actual registries, and your actual air-gapped or CI constraints. Vendor comparisons are useful for narrowing a shortlist, but the dimensions that matter most — engine transparency, offline support, and registry coverage — are ones you can and should test yourself before committing.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.