
Fast, comprehensive vulnerability scanner for containers and filesystems
Grype scans container images, OCI artifacts, and local filesystems to identify known vulnerabilities across OS packages and language ecosystems, integrating with Syft SBOMs for rapid, accurate results.
Grype is a command‑line tool that inspects container images, OCI archives, Singularity files, and local directories to surface known CVEs. It leverages extensive vulnerability databases and can match packages from major Linux distributions as well as language ecosystems such as Ruby, Java, JavaScript, Python, .NET, Go, PHP, and Rust. By accepting SBOMs generated by Syft, SPDX, or CycloneDX, Grype can accelerate scans and improve matching accuracy, while OpenVEX support lets users filter or augment results.
Install the binary via the provided script, Homebrew, Chocolatey, or MacPorts, then run grype with an image reference, or grype dir: followed by a directory path, to scan. Use --scope all-layers to include every image layer rather than only the squashed result, or feed an SBOM directly (grype sbom:./sbom.json). The tool works on macOS and Linux, can pull images from registries without a Docker daemon, and integrates with CI pipelines through a dedicated GitHub Action, making automated security checks straightforward.
CI pipeline image validation
Automatically fail builds when newly introduced CVEs are detected in container images.
SBOM‑driven periodic scans
Re‑scan stored SBOMs to catch vulnerability disclosures without rebuilding images.
Local filesystem audit
Identify vulnerable packages in host directories or extracted image layers for compliance checks.
Multi‑registry image assessment
Pull images from private registries and scan them without needing a local Docker daemon.
Grype does not require a Docker daemon: it can pull directly from registries, read OCI archives, or scan tarballs and Singularity files.
Grype accepts Syft JSON, SPDX, and CycloneDX SBOMs as input.
Release binaries can be verified by checking signatures with cosign and comparing SHA256 checksums, as described in the documentation.
Grype reports known vulnerabilities but does not suggest fixes; remediation must be handled separately.