ConfigsApr 13, 2026·3 min read

Grype — Container Image Vulnerability Scanner

Grype is a vulnerability scanner for container images and filesystems. It matches installed packages against vulnerability databases (CVE, GHSA) to identify known security issues — essential for securing your container supply chain.

AI
AI Open Source · Community
Quick Use

Use it first, then decide how deep to go

This block should tell both the user and the agent what to copy, install, and apply first.

# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Or: brew install grype

# Scan a container image
grype nginx:latest

# Scan with severity filter
grype node:20 --only-fixed --fail-on high

# Scan a local directory
grype dir:/path/to/project

# Scan an SBOM (from Syft)
syft node:20 -o json > sbom.json
grype sbom:sbom.json

Introduction

Grype scans container images and filesystems for known vulnerabilities by matching installed packages against CVE databases. It is the vulnerability scanner companion to Syft (SBOM generator), both created by Anchore. Together, they form a complete container security pipeline.

With over 12,000 GitHub stars, Grype provides fast, accurate vulnerability scanning that integrates into CI/CD pipelines. It supports OS packages (Alpine, Debian, RHEL), language packages (npm, pip, gem, Maven), and binary scanning.

What Grype Does

Grype analyzes the software inventory of a container image (or filesystem) and checks each package against multiple vulnerability databases: the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and OS-specific databases. It reports CVEs with severity ratings and fix versions.

Architecture Overview

[Container Image / Filesystem]
        |
   [Grype Scanner (Go)]
        |
   [Package Detection]
   OS packages (apt, apk, rpm)
   Language packages (npm, pip, gem)
   Binary analysis
        |
   [Vulnerability Matching]
+-------+-------+-------+
|       |       |       |
[NVD]   [GHSA]  [OS-specific]
CVE     GitHub  Alpine, Debian,
database Security RHEL, Ubuntu
        Advisories advisories
        |
   [Results]
   CVE ID, severity, fix version
   JSON, Table, CycloneDX, SARIF

Self-Hosting & Configuration

# Common scanning patterns

# Scan and fail on critical/high vulns (for CI)
grype myapp:latest --fail-on high

# Show only vulnerabilities with fixes available
grype myapp:latest --only-fixed

# Output as JSON for processing
grype myapp:latest -o json > vulns.json

# Output SARIF for GitHub Security
grype myapp:latest -o sarif > results.sarif

# Scan with SBOM input (faster, reusable)
syft myapp:latest -o json > sbom.json
grype sbom:sbom.json

# Ignore specific CVEs
cat > .grype.yaml << EOF
ignore:
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration"
  - vulnerability: CVE-2023-67890
    fix-state: wont-fix
EOF
grype myapp:latest

Key Features

  • Image Scanning — scan Docker/OCI images from registries or local
  • Filesystem Scanning — scan project directories for vulnerable dependencies
  • SBOM Input — accept Syft SBOMs for faster repeated scanning
  • Multiple Databases — NVD, GHSA, and OS-specific advisories
  • Fix Guidance — shows which version fixes each vulnerability
  • CI/CD Gate — fail builds on configurable severity thresholds
  • Ignore Rules — suppress known false positives or accepted risks
  • Multiple Formats — table, JSON, CycloneDX, SARIF output

Comparison with Similar Tools

Feature Grype Trivy Snyk Container Docker Scout
Open Source Yes Yes Partial No
Image Scanning Yes Yes Yes Yes
IaC Scanning No Yes Yes No
License Scanning No Yes Yes No
SBOM Generation Syft (companion) Built-in No Built-in
Speed Fast Fast Moderate Fast
CI Integration CLI + SARIF CLI + SARIF CLI + SaaS Docker Desktop
Best For Container vulns All-in-one Enterprise Docker users

FAQ

Q: Grype vs Trivy — which should I use? A: Trivy is an all-in-one scanner (containers, IaC, secrets, licenses). Grype focuses specifically on vulnerability scanning with deep accuracy. Use Trivy for breadth, Grype + Syft for depth in container security.

Q: How do I use Grype in CI/CD? A: Run "grype myapp:latest --fail-on critical" in your pipeline. It exits with code 1 if vulnerabilities at or above the threshold are found. Use SARIF output for GitHub Security tab.

Q: What is the relationship between Grype and Syft? A: Syft generates SBOMs (Software Bill of Materials) — it lists all packages in an image. Grype scans for vulnerabilities. Use Syft to generate an SBOM once, then scan it with Grype multiple times as new CVEs are published.

Q: How often is the vulnerability database updated? A: Grype auto-updates its database on each run (configurable). Databases are typically updated multiple times per day as new CVEs are published.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Centrifugo — Scalable Real-Time Messaging Server

Centrifugo is a scalable real-time messaging server that adds live updates to any application. It handles WebSocket connections, scales horizontally with Redis or NATS, and provides a language-agnostic API — a self-hosted alternative to Pusher, Ably, and Socket.IO.

AI Open Source

Garnet — High-Performance Cache Store from Microsoft Research

Garnet is a remote cache-store from Microsoft Research that offers strong performance, scalability, and Redis protocol compatibility. Written in C#, it leverages .NET for cross-platform support and modern hardware optimization.

AI Open Source

OpenSearch — Community-Driven Search and Analytics Suite

OpenSearch is an open-source search and analytics suite forked from Elasticsearch 7.10. It provides full-text search, log analytics, observability, and security analytics — all under the Apache-2.0 license with no feature restrictions.

AI Open Source
Home🔍Search👤Me