Skip to content

grype

downgraded version GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

grype documentation

grype - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_GRYPE_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_GRYPE_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_GRYPE_CLI_LINT_MODE Override default CLI lint mode
⚠️ As default value is project, overriding might not work
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
project
REPOSITORY_GRYPE_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_GRYPE_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_GRYPE_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_GRYPE and its pre/post commands None
REPOSITORY_GRYPE_CONFIG_FILE grype configuration file nameUse LINTER_DEFAULT to let the linter find it .grype.yaml
REPOSITORY_GRYPE_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_GRYPE_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_GRYPE_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_GRYPE_CLI_EXECUTABLE Override CLI executable ['grype']

MegaLinter Flavors

This linter is available in the following flavors

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 124 Docker Image Size (tag) Docker Pulls
c_cpp Optimized for pure C/C++ projects 54 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 21 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 83 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 49 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 61 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 70 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 51 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 52 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 59 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 54 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 50 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 50 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 54 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 50 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 54 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

grype is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using grype configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make grype analyze only updated files

Example calls

grype dir:.

Help content

A vulnerability scanner for container images, filesystems, and SBOMs.

Supports the following image sources:
    grype yourrepo/yourimage:tag             defaults to using images from a Docker daemon
    grype path/to/yourproject                a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory

You can also explicitly specify the scheme to use:
    grype podman:yourrepo/yourimage:tag          explicitly use the Podman daemon
    grype docker:yourrepo/yourimage:tag          explicitly use the Docker daemon
    grype docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
    grype oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Podman or otherwise)
    grype oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    grype singularity:path/to/yourimage.sif      read directly from a Singularity Image Format (SIF) container on disk
    grype dir:path/to/yourproject                read directly from a path on disk (any directory)
    grype sbom:path/to/syft.json                 read Syft JSON from path on disk
    grype registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)
    grype purl:path/to/purl/file                 read a newline separated file of purls from a path on disk

You can also pipe in Syft JSON directly:
  syft yourimage:tag -o json | grype

Usage:
  grype [IMAGE] [flags]
  grype [command]

Available Commands:
  completion  Generate a shell completion for Grype (listing local docker images)
  config      show the grype configuration
  db          vulnerability database operations
  explain     Ask grype to explain a set of findings
  help        Help about any command
  version     show version information

Flags:
      --add-cpes-if-none       generate CPEs for packages with no CPE data
      --by-cve                 orient results by CVE instead of the original vulnerability ID when possible
  -c, --config string          grype configuration file
      --distro string          distro to match against in the format: <distro>:<version>
      --exclude stringArray    exclude paths from being scanned using a glob expression
  -f, --fail-on string         set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
      --file string            file to write the default report output to (default is STDOUT)
  -h, --help                   help for grype
      --ignore-states string   ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
      --name string            set the name of the target being analyzed
      --only-fixed             ignore matches for vulnerabilities that are not fixed
      --only-notfixed          ignore matches for vulnerabilities that are fixed
  -o, --output stringArray     report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
      --platform string        an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                  suppress all logging output
  -s, --scope string           selection of layers to analyze, options=[squashed all-layers] (default "squashed")
      --show-suppressed        show suppressed/ignored vulnerabilities in the output (only supported with table output format)
  -t, --template string        specify the path to a Go template file (requires 'template' output to be selected)
  -v, --verbose count          increase verbosity (-v = info, -vv = debug)
      --version                version for grype
      --vex stringArray        a list of VEX documents to consider when producing scanning results

Use "grype [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.79.5