Grype — Container Image Vulnerability Scanner

What it is

Grype is a vulnerability scanner for container images and filesystems built by Anchore. It identifies installed packages in a container image and matches them against vulnerability databases including CVE (Common Vulnerabilities and Exposures) and GHSA (GitHub Security Advisories). Grype outputs a list of known vulnerabilities with severity ratings, affected versions, and fix versions when available.

Grype targets DevOps engineers, security teams, and developers who need to scan container images before deployment. It integrates into CI/CD pipelines as a gate to prevent deploying images with critical vulnerabilities.

How it saves time or tokens

Manually checking package versions against vulnerability databases is impractical for containers with hundreds of installed packages. Grype automates this by scanning the image's SBOM (Software Bill of Materials) and cross-referencing every package against multiple vulnerability feeds. A full scan completes in seconds.

Grype works with Syft (also by Anchore) for SBOM generation, enabling a two-step workflow: generate the SBOM once with Syft, then scan it repeatedly with Grype as vulnerability databases update.

How to use

1. Install Grype:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

1. Scan a container image:

grype nginx:latest

1. Scan with severity filtering:

grype nginx:latest --fail-on critical

The --fail-on flag returns a non-zero exit code when vulnerabilities at or above the specified severity are found, making it ideal for CI/CD gates.

Example

# Scan an image and output as JSON for further processing
grype alpine:3.19 -o json > scan-results.json

# Scan a local directory
grype dir:/path/to/project

# Scan an SBOM generated by Syft
syft nginx:latest -o spdx-json > sbom.json
grype sbom:sbom.json

# CI/CD pipeline gate
grype myapp:latest --fail-on high
if [ $? -ne 0 ]; then
  echo 'Vulnerabilities found. Blocking deployment.'
  exit 1
fi

Related on TokRepo

• Security tools -- Browse other security scanning and auditing tools
• DevOps tools -- Explore container and infrastructure tools

Common pitfalls

• Grype's vulnerability database needs periodic updates. The first run downloads the database automatically, but stale databases miss recently disclosed vulnerabilities. Run grype db update regularly or set up automated updates in CI.
• False positives are common with OS-level packages. Some reported vulnerabilities may not be exploitable in your context. Use Grype's ignore rules (.grype.yaml) to suppress known false positives after review.
• Grype scans package metadata, not running code. It cannot detect vulnerabilities in custom application code or misconfigurations. Pair it with SAST and DAST tools for comprehensive security coverage.