Grype is a fast, open-source vulnerability scanner for container images and filesystems from Anchore. With 11.5k GitHub stars and 137 contributors, it has become one of the most popular container security tools in the open-source ecosystem.
It identifies known vulnerabilities in operating system packages and application dependencies by matching against multiple vulnerability databases.
Designed for both local development and CI/CD integration, Grype provides quick feedback without requiring complex infrastructure.
What is Anchore Grype?
Grype scans container images, filesystems, and SBOMs to find packages with known security vulnerabilities.
It supports major Linux distributions (Debian, Ubuntu, RHEL, Alpine) and application package managers (npm, pip, gem, cargo, go modules).
The scanner pulls vulnerability data from NVD, GitHub Security Advisories, and distribution-specific feeds.
As part of the Anchore open-source ecosystem, Grype integrates with Syft for SBOM generation.
You can generate an SBOM with Syft once and scan it repeatedly with Grype as vulnerability databases update.
This separation allows efficient scanning workflows where image analysis and vulnerability matching happen independently.
Key Features
Fast Container Image Scanning
Grype analyzes container images directly from registries, local Docker daemons, or exported archives.
The scanner identifies all packages in an image and matches them against vulnerability databases in seconds.
Multiple Vulnerability Sources
Grype aggregates vulnerability data from multiple sources including NVD, GitHub Advisories, Alpine SecDB, Debian Security Tracker, Ubuntu Security, and Red Hat Security Data.
This comprehensive coverage catches vulnerabilities regardless of package origin.
SBOM-Based Analysis
Rather than rescanning images, Grype can analyze SBOMs generated by Syft or other tools supporting CycloneDX and SPDX formats.
This enables efficient vulnerability management where SBOMs are stored and rescanned as new vulnerabilities emerge.
Filesystem and Directory Scanning
Beyond containers, Grype scans local directories and filesystems.
This works well for scanning application dependencies in development environments or build artifacts before containerization.
Flexible Output Formats
Grype outputs results in table format for human reading, JSON for programmatic processing, or SARIF for integration with GitHub Security and other code analysis platforms.
Custom templates allow tailored reporting.
Installation
Install Grype using common package managers or direct download:
# Install via Homebrew (macOS/Linux)
brew install grype
# Install via script (Linux/macOS)
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Install via Docker
docker pull anchore/grype:latest
Run scans from the command line:
# Scan container image from registry
grype alpine:latest
# Scan local Docker image
grype docker:myapp:v1.0
# Scan image archive
grype docker-archive:./image.tar
# Scan filesystem directory
grype dir:/path/to/project
# Scan SBOM file
grype sbom:./sbom.json
# Fail on high or critical vulnerabilities
grype alpine:latest --fail-on high
# Output in SARIF format
grype alpine:latest -o sarif > results.sarif
Working with Syft
Combine Grype with Syft for efficient SBOM-based workflows:
# Install Syft
brew install syft
# Generate SBOM from container image
syft alpine:latest -o cyclonedx-json > sbom.json
# Scan the generated SBOM
grype sbom:./sbom.json
# Generate and scan in one pipeline
syft alpine:latest -o cyclonedx-json | grype
CI/CD Integration
GitHub Actions
name: Container Vulnerability Scan
on: [push, pull_request]
jobs:
grype-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build container image
run: docker build -t myapp:${{ github.sha }} .
- name: Scan image with Grype
uses: anchore/scan-action@v4
id: scan
with:
image: myapp:${{ github.sha }}
fail-build: true
severity-cutoff: high
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
GitLab CI
grype-scan:
image: anchore/grype:latest
stage: security
variables:
GRYPE_DB_AUTO_UPDATE: "true"
script:
- grype docker:${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
--fail-on high
-o sarif > gl-container-scanning-report.sarif
artifacts:
reports:
container_scanning: gl-container-scanning-report.sarif
Jenkins Pipeline
pipeline {
agent any
stages {
stage('Build Image') {
steps {
sh 'docker build -t myapp:${BUILD_NUMBER} .'
}
}
stage('Vulnerability Scan') {
steps {
sh '''
grype docker:myapp:${BUILD_NUMBER} \
--fail-on critical \
-o json > grype-results.json
'''
}
}
}
post {
always {
archiveArtifacts artifacts: 'grype-results.json'
}
}
}
Configuration
Create a .grype.yaml configuration file:
# Fail on vulnerabilities of this severity or higher
fail-on-severity: high
# Ignore specific vulnerabilities
ignore:
- vulnerability: CVE-2021-12345
package:
name: openssl
version: 1.1.1k
- vulnerability: GHSA-xxxx-yyyy-zzzz
# Use only specific vulnerability sources
db:
cache-dir: ~/.cache/grype/db
update-url: https://toolbox-data.anchore.io/grype/databases/listing.json
max-allowed-built-age: 120h
When to Use Grype
Grype excels as a lightweight, fast scanner for container security in CI/CD pipelines.
Its single-binary distribution and minimal dependencies make it easy to integrate anywhere Docker images are built.
The SBOM-based workflow with Syft enables efficient vulnerability management at scale.
Choose Grype when you need quick container vulnerability scanning without the overhead of a full security platform.
It pairs well with tools like Trivy for IaC scanning and Dependency-Track for SBOM management, creating a comprehensive open-source security stack.
For teams wanting a commercial platform with policy management and enterprise features, consider Snyk Container or Anchore Enterprise.
If you need runtime container security beyond static scanning, tools like Falco or Sysdig complement Grype’s pre-deployment focus.