Grype

Grype is a fast vulnerability scanner for container images and filesystems. Developed by Anchore, it provides quick vulnerability detection with support for multiple package formats.

What is Grype?

Grype scans:

  • Container images - Docker and OCI images
  • Filesystems - Directory scans
  • SBOMs - Software Bill of Materials files
  • Archives - Tarballs and other archives

Installing Grype

Using Homebrew

brew install grype

Using the Install Script (binary release)

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Using Docker

docker run --rm anchore/grype:latest nginx:latest

Scanning Container Images

Basic Scan

grype nginx:latest

Scan with JSON Output

grype nginx:latest -o json

Show Only Vulnerabilities with a Fix

grype nginx:latest --only-fixed

Scanning Filesystems

grype dir:/path/to/directory

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run Grype
      uses: anchore/scan-action@v3
      with:
        image: "nginx:latest"
        fail-build: true
        severity-cutoff: "high"

Best Practices

  1. Use in CI/CD - Integrate into build pipelines
  2. Set severity thresholds - Focus on high and critical vulnerabilities
  3. Cache databases - Speed up scans with caching
  4. Combine with other tools - Use multiple scanners for coverage
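The JSON output shown above and the "set severity thresholds" practice come together in a small gate script. The following is an added example, not part of Grype or of this page: it reads the report that `grype <target> -o json` writes, applies a severity cutoff, optionally keeps only findings that have a fix available (the same filter `--only-fixed` applies on the command line), and exits non-zero when anything remains. The field names follow Grype's JSON report format (`matches[].vulnerability.id`, `.severity`, `.fix.state` and `matches[].artifact.name`, `.version`); the embedded report, its package names and its `CVE-0000-*` identifiers are constructed placeholders so the script runs without Grype installed. Grype itself can gate directly with `--fail-on <severity>`; a script like this is for when the report needs post-processing, for example to count findings whose severity is Unknown instead of letting a cutoff silently drop them.

```python
"""Gate a build on a Grype JSON report (grype <target> -o json).

Added example, not part of Grype. Reads the report from stdin (or an embedded
constructed sample when stdin is a terminal), applies a severity cutoff,
optionally keeps only findings with an available fix, and exits 1 when any
finding remains. Field names follow Grype's JSON report:
matches[].vulnerability.{id,severity,fix.state} and matches[].artifact.{name,version}.
"""
import json
import sys

# Severity ranking used for the cutoff comparison.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample resembling a trimmed `grype -o json` report. Package
# names, versions and the CVE-0000-* identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "samplepkg", "version": "0.9.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "othertool", "version": "2.0.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Unknown",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "mystery", "version": "3.1", "type": "rpm"}},
    ]
})


def severity_rank(severity):
    """Map Grype's severity string to a number. Severities reported as Unknown
    (or missing) get -1 so they never pass a cutoff, but summarize() still
    counts them so they are not silently lost."""
    return SEVERITY_RANK.get((severity or "").lower(), -1)


def filter_matches(report, cutoff="high", only_fixed=False):
    """Return the matches at or above `cutoff`; with only_fixed, drop matches
    whose fix state is not "fixed" (the same filter as grype --only-fixed)."""
    threshold = SEVERITY_RANK[cutoff.lower()]
    selected = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        if severity_rank(vuln.get("severity")) >= threshold:
            selected.append(match)
    return selected


def summarize(report_text):
    """Count matches per severity (lower-cased), including 'unknown'."""
    counts = {}
    for match in json.loads(report_text).get("matches", []):
        sev = (match["vulnerability"].get("severity") or "unknown").lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report_text, cutoff="high", only_fixed=False):
    """Return (exit_code, findings); exit code 1 means the build should fail."""
    findings = filter_matches(json.loads(report_text), cutoff, only_fixed)
    return (1 if findings else 0), findings


def main(argv):
    # Usage: grype nginx:latest -o json | python gate.py [cutoff] [--only-fixed]
    flags = [a for a in argv[1:] if a.startswith("--")]
    positional = [a for a in argv[1:] if not a.startswith("--")]
    cutoff = positional[0] if positional else "high"
    only_fixed = "--only-fixed" in flags
    # With no piped report, exercise the constructed sample above.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    code, findings = gate(text, cutoff, only_fixed)
    for m in findings:
        v, a = m["vulnerability"], m["artifact"]
        fix_state = v.get("fix", {}).get("state", "unknown")
        print(f"{v['severity']:<9} {v['id']:<14} {a['name']} {a['version']} (fix: {fix_state})")
    print("summary:", summarize(text), "| cutoff:", cutoff, "| only_fixed:", only_fixed)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe a real report in with `grype nginx:latest -o json | python gate.py high --only-fixed`; run with no stdin redirection to see the embedded sample gated instead. The exit code is what a pipeline step should key on; the printed summary is there so a Medium-only or Unknown-only result is still visible in the job log.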

See Also