Introduction
Grype scans container images and filesystems for known vulnerabilities by matching installed packages against CVE databases. It is the vulnerability scanner companion to Syft (SBOM generator), both created by Anchore. Together, they form a complete container security pipeline.
With over 12,000 GitHub stars, Grype provides fast, accurate vulnerability scanning that integrates into CI/CD pipelines. It supports OS packages (Alpine, Debian, RHEL), language packages (npm, pip, gem, Maven), and binary scanning.
What Grype Does
Grype analyzes the software inventory of a container image (or filesystem) and checks each package against multiple vulnerability databases: the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and OS-specific databases. It reports CVEs with severity ratings and fix versions.
Architecture Overview
```
[Container Image / Filesystem]
              |
      [Grype Scanner (Go)]
              |
      [Package Detection]
        - OS packages (apt, apk, rpm)
        - Language packages (npm, pip, gem)
        - Binary analysis
              |
    [Vulnerability Matching]
     +--------+--------+
     |        |        |
   [NVD]   [GHSA]  [OS-specific]
   CVE     GitHub   Alpine, Debian,
   database Security RHEL, Ubuntu
            Advisories advisories
              |
          [Results]
   CVE ID, severity, fix version
   JSON, Table, CycloneDX, SARIF
```
Self-Hosting & Configuration
```bash
# Common scanning patterns

# Scan and fail on high/critical vulnerabilities (for CI); exit code 1 when the threshold is met
grype myapp:latest --fail-on high

# Show only vulnerabilities that have a fix available
grype myapp:latest --only-fixed

# Output as JSON for further processing
grype myapp:latest -o json > vulns.json

# Output SARIF for the GitHub Security tab
grype myapp:latest -o sarif > results.sarif

# Scan from an SBOM (faster, reusable across scans)
syft myapp:latest -o json > sbom.json
grype sbom:sbom.json

# Ignore specific CVEs via .grype.yaml (list items must be indented under "ignore:")
cat > .grype.yaml << EOF
ignore:
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration"
  - vulnerability: CVE-2023-67890
    fix-state: wont-fix
EOF
grype myapp:latest
```
Key Features
- Image Scanning — scan Docker/OCI images from registries or local
- Filesystem Scanning — scan project directories for vulnerable dependencies
- SBOM Input — accept Syft SBOMs for faster repeated scanning
- Multiple Databases — NVD, GHSA, and OS-specific advisories
- Fix Guidance — shows which version fixes each vulnerability
- CI/CD Gate — fail builds on configurable severity thresholds
- Ignore Rules — suppress known false positives or accepted risks
- Multiple Formats — table, JSON, CycloneDX, SARIF output
Comparison with Similar Tools
| Feature | Grype | Trivy | Snyk Container | Docker Scout |
|---|---|---|---|---|
| Open Source | Yes | Yes | Partial | No |
| Image Scanning | Yes | Yes | Yes | Yes |
| IaC Scanning | No | Yes | Yes | No |
| License Scanning | No | Yes | Yes | No |
| SBOM Generation | Syft (companion) | Built-in | No | Built-in |
| Speed | Fast | Fast | Moderate | Fast |
| CI Integration | CLI + SARIF | CLI + SARIF | CLI + SaaS | Docker Desktop |
| Best For | Container vulns | All-in-one | Enterprise | Docker users |
FAQ
Q: Grype vs Trivy: which should I use?
A: Trivy is an all-in-one scanner (containers, IaC, secrets, licenses). Grype focuses specifically on vulnerability scanning with deep accuracy. Use Trivy for breadth, Grype + Syft for depth in container security.
Q: How do I use Grype in CI/CD?
A: Run "grype myapp:latest --fail-on critical" in your pipeline. It exits with code 1 if vulnerabilities at or above the threshold are found. Use SARIF output for the GitHub Security tab.
Q: What is the relationship between Grype and Syft?
A: Syft generates SBOMs (Software Bill of Materials): it lists all packages in an image. Grype scans for vulnerabilities. Use Syft to generate an SBOM once, then scan it with Grype multiple times as new CVEs are published.
Q: How often is the vulnerability database updated?
A: Grype auto-updates its database on each run (configurable). Databases are typically updated multiple times per day as new CVEs are published.
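The configuration snippet above saves a JSON report with `-o json`, and the CI/CD answer relies on `--fail-on` for gating. The script below is an added example, not Grype's own code: it post-processes a saved JSON report so a pipeline can apply a severity gate, the `--only-fixed` filter and `.grype.yaml`-style ignore rules without rescanning. It assumes the shape of Grype's JSON report (a top-level `matches` list whose items carry `vulnerability` and `artifact` objects); the embedded report is constructed for illustration, and the ignore-rule matching is a simplified reading of the rule fields shown on this page, not Grype's implementation.

```python
"""Post-process a saved Grype JSON report (`grype IMAGE -o json`) in CI.

Added example, not part of the Grype project. Assumes Grype's JSON shape:
{"matches": [{"vulnerability": {...}, "artifact": {...}}, ...]}.
"""
import json

# Ordering used for --fail-on style thresholds; "unknown" never trips the gate.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4, "unknown": -1}

# Constructed sample report in the shape of `grype -o json` output (not real scan data).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2023-12345", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2023-67890", "severity": "High",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "legacy-tool", "version": "0.9.0", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-2024-00001", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
        {"vulnerability": {"id": "CVE-2024-00002", "severity": "Low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "requests", "version": "2.0.0", "type": "python"}},
    ]
})

# Ignore rules in the spirit of the .grype.yaml snippet: each rule is a set of
# fields that must all match (simplified; hypothetical, not Grype's matcher).
IGNORE_RULES = [
    {"vulnerability": "CVE-2023-12345"},  # accepted risk, suppressed by id
    {"fix-state": "wont-fix"},            # vendor will not fix; tracked elsewhere
]


def parse_matches(report_json):
    """Flatten Grype's nested report into simple per-finding records."""
    data = json.loads(report_json)
    records = []
    for match in data.get("matches", []):
        vuln = match["vulnerability"]
        fix = vuln.get("fix", {})
        records.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown").lower(),
            "fix_state": fix.get("state", "unknown"),
            "fix_versions": fix.get("versions", []),
            "package": match["artifact"]["name"],
            "version": match["artifact"]["version"],
        })
    return records


def is_ignored(record, rules):
    """A rule suppresses a record when every field the rule specifies matches."""
    for rule in rules:
        checks = []
        if "vulnerability" in rule:
            checks.append(rule["vulnerability"] == record["id"])
        if "fix-state" in rule:
            checks.append(rule["fix-state"] == record["fix_state"])
        if checks and all(checks):
            return True
    return False


def gate(records, fail_on, only_fixed=False, rules=()):
    """Return the findings that breach the threshold (mirrors --fail-on / --only-fixed)."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    breaching = []
    for rec in records:
        if is_ignored(rec, rules):
            continue
        if only_fixed and rec["fix_state"] != "fixed":
            continue
        if SEVERITY_RANK.get(rec["severity"], -1) >= threshold:
            breaching.append(rec)
    return breaching


def summarize(records):
    """Count findings per severity for a one-line pipeline summary."""
    counts = {}
    for rec in records:
        counts[rec["severity"]] = counts.get(rec["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_matches(SAMPLE_REPORT)
    print("by severity:", summarize(recs))
    failing = gate(recs, "high", rules=IGNORE_RULES)
    for rec in failing:
        fixes = ", ".join(rec["fix_versions"]) or "none"
        print(f"{rec['id']} {rec['severity']} {rec['package']}@{rec['version']} fix={fixes}")
    raise SystemExit(1 if failing else 0)
```

In a pipeline, replace `SAMPLE_REPORT` with the contents of `vulns.json` from the scan step. Keeping the gate and the ignore rules in one script makes the accepted-risk list reviewable in the same pull request as the code it covers, and a rule that only names a `fix-state` (as with `wont-fix`) should be paired with some other tracking, since it suppresses every finding in that state.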
Sources
- GitHub: https://github.com/anchore/grype
- Documentation: https://github.com/anchore/grype#readme
- Created by Anchore
- License: Apache-2.0