grype
by anchore
Grype is a powerful vulnerability scanner designed to detect known security issues in container images and filesystems.
A vulnerability scanner for container images and filesystems
Primary Use Case
Grype is primarily used by DevSecOps teams and security professionals to scan container images and filesystems for known vulnerabilities, helping to ensure secure software deployments. It integrates well with software supply chain workflows to identify and manage risks before production deployment.
- Scans container images and filesystems for known vulnerabilities
- Supports major OS packages including Alpine, Debian, Ubuntu, Red Hat, and more
- Detects vulnerabilities in language-specific packages, including Ruby gems, Java, JavaScript, Python, .NET, Go, PHP, and Rust
- Compatible with Docker, OCI, and Singularity image formats
- Integrates with Syft, which generates the Software Bill of Materials (SBOM) that Grype can scan
- Supports OpenVEX for filtering and augmenting vulnerability scan results
- Active community with regular meetings and commercial support options
Installation
- Run the installation script via curl: curl -sSfL https://get.anchore.io/grype | sudo sh -s ...
Usage
grype <image-name> - Scan a container image for vulnerabilities
grype <filesystem-path> - Scan a local filesystem path for vulnerabilities
- Integrate Grype into CI/CD pipelines to automate vulnerability detection before deployment.
- Combine Grype with Syft-generated SBOMs to enhance software supply chain security and compliance.
- Use OpenVEX support to filter out false positives and prioritize actionable vulnerabilities.
- Leverage Grype's container scanning to enforce security gates in DevSecOps workflows.
- Employ Grype in purple team exercises to simulate attacker reconnaissance and improve detection capabilities.