Grype - Container Vulnerability Scanner

A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.

Features

Scan the contents of a container image or filesystem to find known vulnerabilities.
Find vulnerabilities for major operating system packages:

• Alpine
• Amazon Linux
• BusyBox
• CentOS
• CBL-Mariner
• Debian
• Distroless
• Oracle Linux
• Red Hat (RHEL)
• Ubuntu
• Wolfi

Find vulnerabilities for language-specific packages:

• Ruby (Gems)
• Java (JAR, WAR, EAR, JPI, HPI)
• JavaScript (NPM, Yarn)
• Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
• Dotnet (deps.json)
• Golang (go.mod)
• PHP (Composer)
• Rust (Cargo)
• Supports Docker, OCI and Singularity image formats.
• OpenVEX support for filtering and augmenting scanning results.

If you encounter an issue, please let us know using the issue tracker.

Installation

snap install grype

Getting Started

To scan for vulnerabilities in an image:

grype <image>

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:

grype <image> --scope all-layers

Supported sources

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of docker image save ..., podman save ..., or skopeo copy commands)

grype path/to/image.tar

# scan a Singularity Image Format (SIF) container

grype path/to/image.sif

# scan a directory

grype dir:path/to/dir

Sources can be explicitly provided with a scheme:

podman:yourrepo/yourimage:tag          use images from the Podman daemon

docker:yourrepo/yourimage:tag          use images from the Docker daemon

docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"

oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Skopeo or otherwise)

oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)

singularity:path/to/yourimage.sif      read directly from a Singularity Image Format (SIF) container on disk

dir:path/to/yourproject                read directly from a path on disk (any directory)

sbom:path/to/syft.json                 read Syft JSON from path on disk

registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)

If an image source is not provided and cannot be detected from the given reference it is assumed the image should be pulled from the Docker daemon. If docker is not present, then the Podman daemon is attempted next, followed by reaching out directly to the image registry last.

Output Formats

The output format for Grype is configurable as well:

grype <image> -o <format>

Where the formats available are:

• table: A columnar summary (default).
• cyclonedx: An XML report conforming to the CycloneDX 1.6 specification.
• cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.
• json: Use this to get as much information out of Grype as possible!
• sarif: Use this option to get a SARIF report (Static Analysis Results Interchange Format)
• template: Lets the user specify the output format.

Documentation

Our GitHub contains further details:

https://github.com/anchore/grype

For commercial support options with Syft or Grype, please contact Anchore

*This prototype Grype snap is built using the configuration here: https://github.com/popey/grype-snap*