grype
grype documentation
- Version in MegaLinter: 0.79.5
- Visit Official Web Site
- See How to configure grype rules
- If custom
.grype.yaml
config file isn't found, .grype.yaml will be used
- If custom
- See Index of problems detected by grype
Configuration in MegaLinter
- Enable grype by adding
REPOSITORY_GRYPE
in ENABLE_LINTERS variable - Disable grype by adding
REPOSITORY_GRYPE
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_GRYPE_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_GRYPE_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
REPOSITORY_GRYPE_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
project |
REPOSITORY_GRYPE_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_GRYPE_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_GRYPE_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_GRYPE and its pre/post commands | None |
REPOSITORY_GRYPE_CONFIG_FILE | grype configuration file nameUse LINTER_DEFAULT to let the linter find it |
.grype.yaml |
REPOSITORY_GRYPE_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_GRYPE_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_GRYPE_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_GRYPE_CLI_EXECUTABLE | Override CLI executable | ['grype'] |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
c_cpp | Optimized for pure C/C++ projects | 54 | ||
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 21 | ||
cupcake | MegaLinter for the most commonly used languages | 83 | ||
documentation | MegaLinter for documentation projects | 49 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 61 | ||
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 70 | ||
go | Optimized for GO based projects | 51 | ||
java | Optimized for JAVA based projects | 52 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | ||
php | Optimized for PHP based projects | 54 | ||
python | Optimized for PYTHON based projects | 62 | ||
ruby | Optimized for RUBY based projects | 50 | ||
rust | Optimized for RUST based projects | 50 | ||
salesforce | Optimized for Salesforce based projects | 54 | ||
security | Optimized for security | 24 | ||
swift | Optimized for SWIFT based projects | 50 | ||
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
grype is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using grype configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make grype analyze only updated files
Example calls
grype dir:.
Help content
A vulnerability scanner for container images, filesystems, and SBOMs.
Supports the following image sources:
grype yourrepo/yourimage:tag defaults to using images from a Docker daemon
grype path/to/yourproject a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
grype podman:yourrepo/yourimage:tag explicitly use the Podman daemon
grype docker:yourrepo/yourimage:tag explicitly use the Docker daemon
grype docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
grype oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise)
grype oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
grype singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
grype dir:path/to/yourproject read directly from a path on disk (any directory)
grype sbom:path/to/syft.json read Syft JSON from path on disk
grype registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
grype purl:path/to/purl/file read a newline separated file of purls from a path on disk
You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | grype
Usage:
grype [IMAGE] [flags]
grype [command]
Available Commands:
completion Generate a shell completion for Grype (listing local docker images)
config show the grype configuration
db vulnerability database operations
explain Ask grype to explain a set of findings
help Help about any command
version show version information
Flags:
--add-cpes-if-none generate CPEs for packages with no CPE data
--by-cve orient results by CVE instead of the original vulnerability ID when possible
-c, --config string grype configuration file
--distro string distro to match against in the format: <distro>:<version>
--exclude stringArray exclude paths from being scanned using a glob expression
-f, --fail-on string set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
--file string file to write the default report output to (default is STDOUT)
-h, --help help for grype
--ignore-states string ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
--name string set the name of the target being analyzed
--only-fixed ignore matches for vulnerabilities that are not fixed
--only-notfixed ignore matches for vulnerabilities that are fixed
-o, --output stringArray report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-q, --quiet suppress all logging output
-s, --scope string selection of layers to analyze, options=[squashed all-layers] (default "squashed")
--show-suppressed show suppressed/ignored vulnerabilities in the output (only supported with table output format)
-t, --template string specify the path to a Go template file (requires 'template' output to be selected)
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for grype
--vex stringArray a list of VEX documents to consider when producing scanning results
Use "grype [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.79.5