Grype

Fast, comprehensive vulnerability scanner for containers and filesystems

Grype scans container images, OCI artifacts, and local filesystems to identify known vulnerabilities across OS packages and language ecosystems, integrating with Syft SBOMs for rapid, accurate results.

Overview

Grype is a command‑line tool that inspects container images, OCI archives, Singularity files, and local directories to surface known CVEs. It leverages extensive vulnerability databases and can match packages from major Linux distributions as well as language ecosystems such as Ruby, Java, JavaScript, Python, .NET, Go, PHP, and Rust. By accepting SBOMs generated by Syft, SPDX, or CycloneDX, Grype can accelerate scans and improve matching accuracy, while OpenVEX support lets users filter or augment results.

How to use

Install the binary via the provided script, Homebrew, Chocolatey, or MacPorts, then run grype against an image reference, or grype dir: against a local directory, to scan. Use --scope all-layers to include every image layer rather than only the squashed filesystem, or feed an SBOM directly (grype sbom:./sbom.json). The tool works on macOS and Linux, can pull images from registries without a Docker daemon, and integrates with CI pipelines through a dedicated GitHub Action, making automated security checks straightforward.

Highlights

  • Scans Docker, OCI, and Singularity images directly
  • Detects vulnerabilities in major Linux distros and popular language package managers
  • Supports SBOM input (Syft, SPDX, CycloneDX) for faster analysis
  • OpenVEX integration for result filtering and augmentation

Pros

  • Broad OS and language coverage
  • Multiple image source formats supported
  • Easy binary and package manager installation
  • CI/CD ready with GitHub Action

Considerations

  • Limited to macOS and Linux binaries
  • No native Windows support
  • Relies on external vulnerability databases for updates
  • Advanced configuration may require manual tuning

Managed products teams compare with

When teams consider Grype, these hosted platforms usually appear on the same shortlist.

Sysdig

Cloud-native security and monitoring

Fit guide

Great for

  • Security engineers needing quick container vulnerability assessments
  • DevOps pipelines that require automated scanning
  • Teams using Syft-generated SBOMs for continuous monitoring
  • Open-source projects aiming for transparent security testing

Not ideal when

  • Windows‑only environments lacking Linux/macOS runtime
  • Organizations requiring integrated remediation suggestions
  • Users needing real‑time scanning of running containers without pulling images
  • Projects that need a commercial SLA without third‑party support

How teams use it

CI pipeline image validation

Automatically fail builds when newly introduced CVEs are detected in container images.

SBOM‑driven periodic scans

Re‑scan stored SBOMs to catch vulnerability disclosures without rebuilding images.

Local filesystem audit

Identify vulnerable packages in host directories or extracted image layers for compliance checks.

Multi‑registry image assessment

Pull images from private registries and scan them without needing a local Docker daemon.

Tech snapshot

  • Go 97%
  • Shell 2%
  • Makefile 1%
  • Python 1%
  • Dockerfile 1%
  • Ruby 1%

Tags

tool, oci, static-analysis, openvex, containers, vex, vulnerability, go, vulnerabilities, hacktoberfest, golang, security, docker, container-image, cyclonedx

Frequently asked questions

Can Grype scan images without Docker installed?

Yes, it can pull directly from registries, read OCI archives, or scan tarballs and Singularity files without a Docker daemon.

What SBOM formats are supported?

Grype accepts Syft JSON, SPDX, and CycloneDX SBOMs.

Is there a way to verify the downloaded binary?

Yes, verify signatures with cosign and compare SHA256 checksums as described in the documentation.

Does Grype provide remediation guidance?

No, Grype reports known vulnerabilities but does not suggest fixes; remediation must be handled separately.

Project at a glance

Status: Active
Stars: 11,391
Watchers: 11,391
Forks: 730
License: Apache-2.0
Repo age: 5 years old
Last commit: yesterday
Primary language: Go

Last synced yesterday