# Grype — Container Image Vulnerability Scanner

> Grype is a vulnerability scanner for container images and filesystems. It matches installed packages against vulnerability databases (CVE, GHSA) to identify known security issues — essential for securing your container supply chain.

## Quick Use

```bash
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Or: brew install grype

# Scan a container image
grype nginx:latest

# Show only findings that have a fix, and exit non-zero at High or above
grype node:20 --only-fixed --fail-on high

# Scan a local directory
grype dir:/path/to/project

# Scan an SBOM (from Syft)
syft node:20 -o json > sbom.json
grype sbom:sbom.json
```

## Introduction

Grype scans container images and filesystems for known vulnerabilities by matching installed packages against CVE databases. It is the vulnerability-scanning companion to Syft (an SBOM generator); both are created by Anchore, and together they form a complete container security pipeline.

With over 12,000 GitHub stars, Grype provides fast, accurate vulnerability scanning that integrates into CI/CD pipelines. It supports OS packages (Alpine, Debian, RHEL), language packages (npm, pip, gem, Maven), and binary scanning.

## What Grype Does

Grype analyzes the software inventory of a container image (or filesystem) and checks each package against multiple vulnerability databases: the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and OS-specific databases. It reports CVEs with severity ratings and fix versions.
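To show how a CI step consumes that report, here is an added Python example (not Grype's own code and not from the original page): it applies ignore rules of the kind Grype reads from `.grype.yaml` (vulnerability id and fix-state, ANDed within a rule), the `--only-fixed` filter and a `--fail-on` severity gate to a constructed sample whose shape follows `grype -o json` (`matches[].vulnerability` and `matches[].artifact`); the exact field subset and the sample values are assumptions.

```python
import json
# Severity ladder Grype uses for --fail-on (lowest to highest).
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample shaped like `grype -o json` (only the fields this script reads).
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-12345", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.1.1w"]}},
     "artifact": {"name": "openssl", "version": "1.1.1t", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2023-67890", "severity": "Critical",
                       "fix": {"state": "wont-fix", "versions": []}},
     "artifact": {"name": "libc6", "version": "2.31-13", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2024-11111", "severity": "Medium",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
    {"vulnerability": {"id": "CVE-2024-22222", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["2.4.58"]}},
     "artifact": {"name": "httpd", "version": "2.4.57", "type": "rpm"}},
]})

# Ignore rules mirroring the page's .grype.yaml example; all fields of a rule must match.
IGNORE_RULES = [
    {"vulnerability": "CVE-2023-12345", "reason": "Not exploitable in our configuration"},
    {"vulnerability": "CVE-2023-67890", "fix-state": "wont-fix"},
]

def is_ignored(match, rules):
    """True if any rule matches; a rule's fields (vulnerability, fix-state) are ANDed."""
    vuln = match["vulnerability"]
    for rule in rules:
        checks = [(rule.get("vulnerability"), vuln["id"]), (rule.get("fix-state"), vuln["fix"]["state"])]
        wanted = [(want, got) for want, got in checks if want is not None]
        if wanted and all(want == got for want, got in wanted):
            return True
    return False

def gate(report_json, fail_on="high", only_fixed=False, ignore=IGNORE_RULES):
    """Apply ignore rules, --only-fixed and --fail-on; return (exit_code, remaining)."""
    threshold = SEVERITY_ORDER.index(fail_on.lower())
    remaining = []
    for m in json.loads(report_json)["matches"]:
        v = m["vulnerability"]
        if is_ignored(m, ignore) or (only_fixed and v["fix"]["state"] != "fixed"):
            continue
        remaining.append((v["id"], v["severity"], m["artifact"]["name"], v["fix"]["versions"]))
    # Exit 1 (like grype --fail-on) when any surviving match is at or above the threshold.
    failing = [r for r in remaining if r[1].lower() in SEVERITY_ORDER
               and SEVERITY_ORDER.index(r[1].lower()) >= threshold]
    return (1 if failing else 0), remaining
```

With the two ignore rules applied, the openssl and libc6 matches drop out, and the fixable Critical httpd finding still trips the gate at `--fail-on high`.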
## Architecture Overview

```
[Container Image / Filesystem]
              |
      [Grype Scanner (Go)]
              |
      [Package Detection]
        OS packages (apt, apk, rpm)
        Language packages (npm, pip, gem)
        Binary analysis
              |
    [Vulnerability Matching]
        +---------+---------+
        |         |         |
      [NVD]    [GHSA]   [OS-specific]
       CVE     GitHub   Alpine, Debian,
    database  Security  RHEL, Ubuntu
             Advisories advisories
              |
          [Results]
    CVE ID, severity, fix version
    JSON, Table, CycloneDX, SARIF
```

## Self-Hosting & Configuration

```bash
# Common scanning patterns

# Scan and fail on critical/high vulns (for CI)
grype myapp:latest --fail-on high

# Show only vulnerabilities with fixes available
grype myapp:latest --only-fixed

# Output as JSON for processing
grype myapp:latest -o json > vulns.json

# Output SARIF for GitHub Security
grype myapp:latest -o sarif > results.sarif

# Scan with SBOM input (faster, reusable)
syft myapp:latest -o json > sbom.json
grype sbom:sbom.json

# Ignore specific CVEs (each rule's fields must all match)
cat > .grype.yaml << EOF
ignore:
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration"
  - vulnerability: CVE-2023-67890
    fix-state: wont-fix
EOF
grype myapp:latest
```

## Key Features

- **Image Scanning** — scan Docker/OCI images from registries or the local daemon
- **Filesystem Scanning** — scan project directories for vulnerable dependencies
- **SBOM Input** — accept Syft SBOMs for faster repeated scanning
- **Multiple Databases** — NVD, GHSA, and OS-specific advisories
- **Fix Guidance** — shows which version fixes each vulnerability
- **CI/CD Gate** — fail builds on configurable severity thresholds
- **Ignore Rules** — suppress known false positives or accepted risks
- **Multiple Formats** — table, JSON, CycloneDX, SARIF output

## Comparison with Similar Tools

| Feature | Grype | Trivy | Snyk Container | Docker Scout |
|---|---|---|---|---|
| Open Source | Yes | Yes | Partial | No |
| Image Scanning | Yes | Yes | Yes | Yes |
| IaC Scanning | No | Yes | Yes | No |
| License Scanning | No | Yes | Yes | No |
| SBOM Generation | Syft (companion) | Built-in | No | Built-in |
| Speed | Fast | Fast | Moderate | Fast |
| CI Integration | CLI + SARIF | CLI + SARIF | CLI + SaaS | Docker Desktop |
| Best For | Container vulns | All-in-one | Enterprise | Docker users |

## FAQ

**Q: Grype vs Trivy — which should I use?**

A: Trivy is an all-in-one scanner (containers, IaC, secrets, licenses). Grype focuses specifically on vulnerability matching, with emphasis on accuracy. Use Trivy for breadth, Grype + Syft for depth in container security.

**Q: How do I use Grype in CI/CD?**

A: Run `grype myapp:latest --fail-on critical` in your pipeline. It exits with code 1 if vulnerabilities at or above the threshold are found. Use SARIF output (`-o sarif`) to publish results to the GitHub Security tab.

**Q: What is the relationship between Grype and Syft?**

A: Syft generates SBOMs (Software Bill of Materials) — it lists all packages in an image. Grype scans for vulnerabilities. Use Syft to generate an SBOM once, then scan it with Grype multiple times as new CVEs are published.

**Q: How often is the vulnerability database updated?**

A: Grype checks for and downloads database updates on each run (configurable). The database is typically rebuilt multiple times per day as new CVEs are published.

## Sources

- GitHub: https://github.com/anchore/grype
- Documentation: https://github.com/anchore/grype#readme
- Created by Anchore
- License: Apache-2.0

---

Source: https://tokrepo.com/en/workflows/87aec817-372b-11f1-9bc6-00163e2b0d79
Author: AI Open Source