Configs · Apr 13, 2026 · 3 min read

Grype — Container Image Vulnerability Scanner

Grype is a vulnerability scanner for container images and filesystems. It matches installed packages against vulnerability databases (CVE, GHSA) to identify known security issues — essential for securing your container supply chain.

TL;DR
Grype matches packages in container images against CVE/GHSA databases to find known vulnerabilities instantly.

§01

What it is

Grype is a vulnerability scanner for container images and filesystems built by Anchore. It identifies installed packages in a container image and matches them against vulnerability databases including CVE (Common Vulnerabilities and Exposures) and GHSA (GitHub Security Advisories). Grype outputs a list of known vulnerabilities with severity ratings, affected versions, and fix versions when available.

Grype targets DevOps engineers, security teams, and developers who need to scan container images before deployment. It integrates into CI/CD pipelines as a gate to prevent deploying images with critical vulnerabilities.

§02

How it saves time or tokens

Manually checking package versions against vulnerability databases is impractical for containers with hundreds of installed packages. Grype automates this by scanning the image's SBOM (Software Bill of Materials) and cross-referencing every package against multiple vulnerability feeds. A full scan completes in seconds.

Grype works with Syft (also by Anchore) for SBOM generation, enabling a two-step workflow: generate the SBOM once with Syft, then scan it repeatedly with Grype as vulnerability databases update.

§03

How to use

  1. Install Grype:
     curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
  2. Scan a container image:
     grype nginx:latest
  3. Scan with severity filtering:
     grype nginx:latest --fail-on critical

The --fail-on flag returns a non-zero exit code when vulnerabilities at or above the specified severity are found, making it ideal for CI/CD gates.

§04

Example

# Scan an image and output as JSON for further processing
grype alpine:3.19 -o json > scan-results.json

# Scan a local directory
grype dir:/path/to/project

# Scan an SBOM generated by Syft
syft nginx:latest -o spdx-json > sbom.json
grype sbom:sbom.json

# CI/CD pipeline gate
if ! grype myapp:latest --fail-on high; then
  echo 'Vulnerabilities found. Blocking deployment.'
  exit 1
fi
§06

Common pitfalls

  • Grype's vulnerability database needs periodic updates. The first run downloads the database automatically, but stale databases miss recently disclosed vulnerabilities. Run grype db update regularly or set up automated updates in CI.
  • False positives are common with OS-level packages. Some reported vulnerabilities may not be exploitable in your context. Use Grype's ignore rules (.grype.yaml) to suppress known false positives after review.
  • Grype scans package metadata, not running code. It cannot detect vulnerabilities in custom application code or misconfigurations. Pair it with SAST and DAST tools for comprehensive security coverage.
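The JSON output in the example above is meant for further processing, and the pitfalls note that blind `--fail-on` gating blocks on unfixable or reviewed findings. The following is an added example, not part of the original page and not Grype's own code: a small Python policy gate that consumes `grype <image> -o json` from stdin. It assumes only the documented shape of Grype's JSON (a top-level `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state`, `vulnerability.fix.versions` and `artifact.name`/`artifact.version`). The embedded sample scan and its `CVE-0000-000x` ids are constructed placeholders, and the `IGNORE_RULES` format is the example's own, standing in for the `.grype.yaml` ignore rules mentioned above. It goes beyond `--fail-on` by adding a fixed-only mode and a reviewed exception list with mandatory reasons, and it surfaces unknown-severity findings instead of silently dropping them.

```python
"""Policy gate over Grype JSON output (added example; not part of Grype).

Assumes the layout of `grype <image> -o json`: a top-level "matches" list whose
entries carry "vulnerability" (id, severity, fix.state, fix.versions) and
"artifact" (name, version). The ignore-rule format below is this example's own
and only mirrors the idea of .grype.yaml ignore rules.
"""
import json
import sys

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample resembling `grype -o json`; CVE ids are placeholders.
SAMPLE_SCAN = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["3.0.9"]}},
         "artifact": {"name": "openssl", "version": "3.0.1", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "busybox", "version": "1.36.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["2.1.0"]}},
         "artifact": {"name": "libfoo", "version": "2.0.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["1.1"]}},
         "artifact": {"name": "zlib", "version": "1.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "Unknown",
                           "fix": {"state": "unknown", "versions": []}},
         "artifact": {"name": "bar", "version": "0.1", "type": "apk"}},
    ]
})

# Reviewed exceptions (constructed). A reason is required so every suppression
# is auditable; omit "package" to ignore the id for all packages.
IGNORE_RULES = [
    {"vulnerability": "CVE-0000-0003", "package": "libfoo",
     "reason": "vulnerable code path is not compiled into this build"},
]


def is_ignored(match, rules):
    """True when some rule matches both the vulnerability id and the package."""
    vuln_id = match["vulnerability"]["id"]
    pkg = match["artifact"]["name"]
    for rule in rules:
        if rule.get("vulnerability") not in (None, vuln_id):
            continue
        if rule.get("package") not in (None, pkg):
            continue
        return True
    return False


def evaluate(scan_json, fail_on="high", fixed_only=False, rules=()):
    """Split matches into (blocking, ignored, unknown) summaries.

    fail_on    -- minimum severity that blocks (same idea as grype --fail-on)
    fixed_only -- block only when an upstream fix exists; not-fixed / wont-fix
                  OS packages then go to a separate review instead of the gate
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, ignored, unknown = [], [], []
    for m in json.loads(scan_json)["matches"]:
        v = m["vulnerability"]
        fix = v.get("fix", {})
        summary = {
            "id": v["id"],
            "severity": v.get("severity", "Unknown"),
            "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
            "fix_state": fix.get("state", "unknown"),
            "fix_versions": fix.get("versions", []),
        }
        rank = SEVERITY_RANK.get(summary["severity"].lower())
        if rank is None:  # "Unknown" severity: surface it, never drop it silently
            unknown.append(summary)
            continue
        if is_ignored(m, rules):
            ignored.append(summary)
            continue
        if rank < threshold:
            continue
        if fixed_only and summary["fix_state"] != "fixed":
            continue
        blocking.append(summary)
    return blocking, ignored, unknown


def gate(scan_json, **kw):
    """Print the verdict and return a CI-style exit code: 0 passes, 1 blocks."""
    blocking, ignored, unknown = evaluate(scan_json, **kw)
    for s in blocking:
        print(f'BLOCK  {s["severity"]:<8} {s["id"]} {s["package"]} '
              f'fix={s["fix_versions"] or s["fix_state"]}')
    for s in ignored:
        print(f'IGNORE {s["id"]} {s["package"]} (reviewed exception)')
    for s in unknown:
        print(f'REVIEW {s["id"]} {s["package"]} severity unknown')
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage in a pipeline:  grype myapp:latest -o json | python gate.py
    data = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, fail_on="high", fixed_only=True, rules=IGNORE_RULES))
```

With the sample data and `fixed_only=True`, only the critical openssl finding blocks; the not-fixed busybox finding is left for review rather than breaking the build, the libfoo finding is reported as an ignored exception, and the unknown-severity finding is listed for triage. Keep `IGNORE_RULES` in version control next to the pipeline so every suppression carries its reviewer's justification.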

Frequently Asked Questions

What is the difference between Grype and Trivy?

Both are container vulnerability scanners. Grype focuses on vulnerability matching with a fast, lightweight design. Trivy by Aqua Security includes additional features like IaC scanning, secret detection, and license scanning. Grype pairs with Syft for SBOM generation, while Trivy generates SBOMs internally.

Can Grype scan images without pulling them?

Yes. Grype can scan images from a registry without pulling the full image locally. It reads the image manifest and layer metadata directly from the registry. You can also scan local tar archives and OCI directories.

Does Grype work offline?

Partially. Grype needs to download the vulnerability database at least once. After that, it can scan images offline using the cached database. You can pre-download and distribute the database for air-gapped environments.

What output formats does Grype support?

Grype supports table (default terminal output), JSON, CycloneDX, SARIF, and template-based custom formats. The JSON and SARIF formats integrate with GitHub Security, GitLab, and other CI/CD platforms for automated vulnerability tracking.

How often is the vulnerability database updated?

Grype's vulnerability database is updated multiple times per day from upstream sources including the National Vulnerability Database (NVD), GitHub Advisory Database, and distribution-specific feeds. Run grype db update to pull the latest data.
