Skip to main content

Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Start Practicing Now

Grype

What is the purpose of Grype?

Grype is an open-source command-line vulnerability scanner from Anchore used to find known vulnerabilities in container images, filesystems, SBOMs, archives, directories, individual files, package URLs, and CPEs. It matches discovered software inventory against the Grype vulnerability database and reports vulnerability IDs, severity, package details, fix availability, EPSS, risk, and match metadata.

Grype is useful because it can scan a container image directly, consume an SBOM generated by Syft, run in CI/CD pipelines, produce machine-readable reports, and fail builds based on vulnerability severity. It is commonly used for container security, dependency risk review, SBOM-based vulnerability management, and software supply-chain checks.

Note: Grype can generate an internal SBOM with Syft-like cataloging when scanning images or directories directly, but a common production pattern is to generate an SBOM with Syft first and then scan that SBOM with Grype. This makes inventory and vulnerability analysis easier to store, repeat, and compare.

Here are the primary uses of Grype:

  • Container Image Vulnerability Scanning: Grype scans operating system and language packages inside container images and reports known vulnerabilities with severity and fix information.

  • SBOM Vulnerability Analysis: The tool can scan Syft, CycloneDX, and SPDX-style SBOM workflows so vulnerability analysis can run after artifact inventory has been generated.

  • Filesystem and Archive Scanning: Grype can scan local directories, files, Docker archives, OCI archives, OCI directories, and Singularity images without requiring a live container.

  • CI/CD Security Gates: The tool can return exit code 2 when vulnerabilities at or above a selected severity are found, making it practical for build and release gates.

  • Result Filtering and Suppression: Grype supports fix-state filters, .grype.yaml ignore rules, VEX documents, suppressed result visibility, and CVE-oriented output.

  • Vulnerability Database Operations: The tool can update, check, list, import, delete, inspect, and search its vulnerability database.

  • Report Export: Grype can output table, JSON, CycloneDX, CycloneDX JSON, SARIF, and template reports for terminals, CI systems, code scanning tools, and dashboards.

Core Features

  • Container Image Vulnerability Scanning
  • Filesystem Vulnerability Scanning
  • SBOM Vulnerability Scanning
  • Docker Image Source Support
  • Podman Image Source Support
  • Registry Image Source Support
  • Docker Archive Support
  • OCI Archive Support
  • OCI Directory Support
  • Singularity Image Support
  • Directory Scanning
  • File Scanning
  • PURL Scanning
  • CPE Scanning
  • Syft JSON Input
  • Standard Input SBOM Input
  • Severity-Based CI Failure
  • Fix State Filtering
  • Only Fixed Vulnerability Filtering
  • Only Not-Fixed Vulnerability Filtering
  • .grype.yaml Ignore Rules
  • VEX Document Support
  • Suppressed Finding Display
  • CVE-Oriented Output
  • Distro Override
  • Platform Selection
  • Layer Scope Selection
  • Path Exclusion
  • JSON Output
  • SARIF Output
  • CycloneDX Output
  • Template Output
  • Vulnerability Database Update
  • Vulnerability Database Search
  • Vulnerability Explanation
  • Configuration File Support
  • Quiet and Verbose Modes

Data sources

  • Container Images
  • Docker Daemon Images
  • Podman Images
  • Registry Images
  • Docker Archive Tar Files
  • OCI Archive Tar Files
  • OCI Layout Directories
  • Singularity SIF Images
  • Local Directories
  • Local Files
  • Root Filesystems
  • Syft JSON SBOMs
  • CycloneDX SBOMs
  • SPDX SBOMs
  • Standard Input
  • Package URLs
  • CPE Identifiers
  • PURL Files
  • CPE Files
  • OS Package Databases
  • Language Package Manifests
  • Lockfiles
  • Vulnerability Databases
  • Vendor Advisories
  • NVD Data
  • GitHub Advisories
  • Fix State Metadata
  • VEX Documents
  • .grype.yaml Configuration
  • Grype Database Archives

Common Grype Commands

1. Install Grype with the Official Script

  • This command installs Grype as a single compiled executable.
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

2. Install Grype with Homebrew

  • This command installs Grype on macOS or Linux using Homebrew.
brew install grype

3. Install Grype with Winget

  • This command installs Grype on Windows using Winget.
winget install Anchore.Grype

4. Check Grype Version

  • This command prints Grype version information.
grype version

5. Check Grype Version as JSON

  • This command prints version information in JSON format.
grype version -o json

6. Show Help

  • This command displays Grype commands and options.
grype --help

7. Scan a Container Image

  • This command scans a container image using Grype's default source behavior.
grype alpine:latest

8. Scan a Registry Image Directly

  • This command pulls image metadata from a registry without requiring a local container runtime.
grype registry:nginx:1.25

9. Scan a Docker Daemon Image

  • This command explicitly scans an image from the Docker daemon.
grype docker:nginx:1.25

10. Scan a Podman Image

  • This command explicitly scans an image from Podman.
grype podman:nginx:1.25

11. Scan a Local Directory

  • This command scans a local project directory.
grype dir:.

12. Scan a Directory Without an Explicit Scheme

  • This command scans a local path with automatic source detection.
grype ./app

13. Scan a Single File

  • This command scans one file as the target.
grype file:package-lock.json

14. Scan a Docker Archive

  • This command scans a tar archive created by docker save.
grype docker-archive:image.tar

15. Scan an OCI Archive

  • This command scans an OCI archive tar file.
grype oci-archive:image-oci.tar

16. Scan an OCI Directory

  • This command scans an OCI layout directory from disk.
grype oci-dir:path/to/oci-layout

17. Scan a Singularity Image

  • This command scans a Singularity Image Format file.
grype singularity:path/to/image.sif

18. Scan a Syft SBOM File

  • This command scans a Syft JSON SBOM from disk.
grype sbom:alpine.syft.json

19. Scan a CycloneDX SBOM File

  • This command scans an existing CycloneDX SBOM file.
grype sbom:alpine.cdx.json

20. Pipe Syft JSON into Grype

  • This command generates an SBOM and immediately scans it for vulnerabilities.
syft scan alpine:latest -o syft-json | grype

21. Scan a PURL File

  • This command scans package URLs listed one per line in a file.
grype purl:packages.purl

22. Scan a Single PURL

  • This command scans one package URL directly.
grype 'pkg:apk/alpine/openssl@3.2.1?distro=alpine-3.20.3'

23. Scan a CPE File

  • This command scans CPE identifiers listed one per line in a file.
grype cpes:packages.cpe

24. Scan a Single CPE

  • This command scans one CPE directly.
grype 'cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*:*:*'

25. Select a Container Platform

  • This command scans the selected platform variant of a multi-architecture image.
grype registry:nginx:1.25 --platform linux/amd64

26. Scan All Image Layers

  • This command analyzes all image layers instead of only the squashed final filesystem.
grype nginx:1.25 --scope all-layers

27. Use Deep Squashed Scope

  • This command uses deep squashed layer selection for analysis.
grype nginx:1.25 --scope deep-squashed

28. Exclude Paths

  • This command excludes matching paths from filesystem scanning.
grype dir:. --exclude "**/node_modules/**" --exclude "**/.git/**"

29. Override Distro Matching

  • This command forces Grype to match packages against a selected distribution context.
grype dir:rootfs --distro alpine:3.20

30. Generate JSON Output

  • This command prints JSON output.
grype alpine:latest -o json

31. Save JSON Output to a File

  • This command writes JSON output to a file.
grype alpine:latest -o json --file grype-results.json

32. Generate SARIF Output

  • This command writes SARIF output for code scanning systems.
grype alpine:latest -o sarif --file grype-results.sarif

33. Generate CycloneDX Output

  • This command prints a CycloneDX vulnerability report.
grype alpine:latest -o cyclonedx

34. Generate CycloneDX JSON Output

  • This command writes CycloneDX JSON output.
grype alpine:latest -o cyclonedx-json --file grype-vulns.cdx.json

35. Use a Template Output

  • This command renders results with a custom Go template.
grype alpine:latest -o template -t grype.tmpl

36. Fail CI on High or Critical Vulnerabilities

  • This command returns exit code 2 if high or critical vulnerabilities are found.
grype alpine:latest --fail-on high

37. Fail Only on Fixable High or Critical Vulnerabilities

  • This command combines severity gating with fix availability.
grype alpine:latest --fail-on high --only-fixed

38. Show Only Vulnerabilities with Fixes

  • This command filters out vulnerabilities that do not have a fix.
grype alpine:latest --only-fixed

39. Show Only Vulnerabilities Without Fixes

  • This command focuses on vulnerabilities that do not currently have fixes.
grype alpine:latest --only-notfixed

40. Ignore Selected Fix States

  • This command hides vulnerabilities with selected fix states.
grype alpine:latest --ignore-states wont-fix,not-fixed

41. Show Suppressed Findings

  • This command displays ignored or filtered findings in table output.
grype alpine:latest --only-fixed --show-suppressed

42. Use a VEX Document

  • This command filters vulnerability results with a VEX document.
grype alpine:latest --vex vex-report.json

43. Use Multiple VEX Documents

  • This command applies more than one VEX document.
grype alpine:latest --vex vex-1.json --vex vex-2.json

44. Orient Results by CVE

  • This command normalizes output around CVE IDs when possible.
grype alpine:latest --by-cve

45. Add CPEs When Missing

  • This command generates CPEs for packages that do not already have CPE data.
grype dir:. --add-cpes-if-none

46. Sort by Risk

  • This command sorts findings by Grype's risk score.
grype alpine:latest --sort-by risk

47. Sort by EPSS

  • This command prioritizes findings by EPSS score.
grype alpine:latest --sort-by epss

48. Sort by KEV

  • This command prioritizes findings using Known Exploited Vulnerabilities data when available.
grype alpine:latest --sort-by kev

49. Use a Configuration File

  • This command runs Grype with a selected configuration file.
grype alpine:latest --config .grype.yaml

50. Show Grype Configuration

  • This command prints Grype configuration.
grype config

51. Show Configuration Locations

  • This command shows the locations Grype checks for configuration files.
grype config locations

52. Load and Validate Configuration

  • This command loads and validates Grype configuration.
grype config --load

53. Run Quietly

  • This command suppresses logging output.
grype alpine:latest -q

54. Run with Debug Logging

  • This command increases verbosity for troubleshooting.
grype alpine:latest -vv

55. Check for Database Updates

  • This command checks whether a new vulnerability database is available.
grype db check

56. Update the Vulnerability Database

  • This command downloads and installs the latest vulnerability database.
grype db update

57. Show Database Status

  • This command prints database metadata and status.
grype db status

58. List Available Databases

  • This command lists available Grype vulnerability databases.
grype db list

59. List Database Providers

  • This command lists vulnerability providers included in the database.
grype db providers

60. Search the Database by Vulnerability

  • This command searches affected packages for a selected vulnerability ID.
grype db search --vuln CVE-2021-44228

61. Search the Database by Package

  • This command searches the vulnerability database for a package name.
grype db search --pkg log4j

62. Import a Database Archive

  • This command imports a local vulnerability database archive.
grype db import grype-db.tar.gz

63. Delete the Local Database

  • This command deletes the local vulnerability database.
grype db delete

64. Explain a Vulnerability

  • This command asks Grype to explain selected findings by vulnerability ID.
grype explain --id CVE-2021-44228

Output Examples

CommandDescriptionExample Output
grype versionShows version information.Application: grype
Version: 0.110.0
grype alpine:latestScans an image and prints default table output.NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS RISK
openssl 3.0.14 3.0.15 apk CVE-2024-0000 High 42.1% 31.2
grype sbom:alpine.syft.jsonScans an existing SBOM file.Loaded image SBOM
Vulnerabilities found: 12
syft scan alpine:latest -o syft-json | grypePipes a Syft SBOM directly into Grype.NAME INSTALLED TYPE VULNERABILITY SEVERITY
grype alpine:latest --fail-on highFails CI on high or critical findings.ERROR discovered vulnerabilities at or above the severity threshold
exit code: 2
grype alpine:latest --only-fixedShows only fixable vulnerabilities.apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical
grype alpine:latest --show-suppressedShows suppressed findings in table output.zlib 1.2.11-r1 apk CVE-2018-25032 High (suppressed)
grype alpine:latest -o json --file grype-results.jsonWrites JSON output.grype-results.json written
grype alpine:latest -o sarif --file grype-results.sarifWrites SARIF output.grype-results.sarif written
grype db statusShows database metadata.Status: valid
Built: 2026-05-28T...
grype db search --vuln CVE-2021-44228Searches the vulnerability database.log4j-core 2.0-beta9 - 2.15.0