# grype
Grype is a comprehensive vulnerability scanner for container images and filesystems that quickly identifies known security vulnerabilities in packages and dependencies. It serves as an essential tool for supply chain security by detecting CVEs across multiple vulnerability databases.
Key Features:
- Multi-Source Scanning: Analyzes container images, directories, SBOM files, and archives for comprehensive vulnerability coverage
- Extensive Database Coverage: Leverages multiple vulnerability databases including NVD, Alpine SecDB, Ubuntu, Debian, and more
- Package Manager Support: Detects vulnerabilities in packages from npm, pip, gem, Maven, Go modules, and other popular package managers
- SARIF Output: Modern security report format for integration with development platforms and security tools
- Container Registry Integration: Direct scanning of images from Docker Hub, ECR, GCR, and other container registries
- SBOM Analysis: Can analyze Software Bill of Materials files for vulnerability assessment
- CI/CD Ready: Designed for integration into continuous integration pipelines with configurable failure thresholds
- Detailed Reporting: Comprehensive vulnerability reports with CVSS scores, severity levels, and remediation guidance
- Fast Performance: Optimized scanning engine suitable for large-scale container and filesystem analysis
- Offline Support: Can operate with cached vulnerability databases for air-gapped environments
## grype documentation

- Version in MegaLinter: 0.95.0
- Visit Official Web Site
- See How to configure grype rules
  - If a custom `.grype.yaml` config file isn't found, the default `.grype.yaml` will be used
- See Index of problems detected by grype
## Configuration in MegaLinter

- Enable grype by adding `REPOSITORY_GRYPE` in the `ENABLE_LINTERS` variable
- Disable grype by adding `REPOSITORY_GRYPE` in the `DISABLE_LINTERS` variable

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_GRYPE_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_GRYPE_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_GRYPE_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As the default value is `project`, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | `project` |
| REPOSITORY_GRYPE_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_GRYPE_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_GRYPE_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_GRYPE and its pre/post commands | None |
| REPOSITORY_GRYPE_CONFIG_FILE | grype configuration file name. Use `LINTER_DEFAULT` to let the linter find it | `.grype.yaml` |
| REPOSITORY_GRYPE_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_GRYPE_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| REPOSITORY_GRYPE_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |
| REPOSITORY_GRYPE_CLI_EXECUTABLE | Override CLI executable | `['grype']` |
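The variables above combine into a `.mega-linter.yml` that turns grype into a CI gate rather than a report-only step. This is an added example, not configuration taken from the MegaLinter or grype projects; the `--fail-on`, `--only-fixed` and `--add-cpes-if-none` flags and the `grype db update` subcommand come from grype's help text, while the `command`/`cwd` object form of `PRE_COMMANDS` is assumed from MegaLinter's generic linter settings.

```yaml
# .mega-linter.yml (added example; not from the page or either project)
ENABLE_LINTERS:
  - REPOSITORY_GRYPE

# Flags appended to the "grype dir:." call MegaLinter makes.
# --fail-on high: grype returns exit code 1 on any match of severity >= high,
#   which is the signal MegaLinter uses to mark the linter as failed. Without
#   it grype reports findings but exits 0, so the pipeline would stay green.
# --only-fixed: drop matches that have no upstream fix yet, so a failure is
#   always something the team can act on by upgrading.
# --add-cpes-if-none: generate CPEs for packages with no CPE data, improving
#   matching for ecosystems that carry no CPE in their metadata.
REPOSITORY_GRYPE_ARGUMENTS: "--fail-on high --only-fixed --add-cpes-if-none"

# Use the repository's own .grype.yaml (exclude paths, ignore rules) instead
# of MegaLinter's default rules; LINTER_DEFAULT would let grype locate it.
REPOSITORY_GRYPE_CONFIG_FILE: .grype.yaml
REPOSITORY_GRYPE_RULES_PATH: .

# Refresh the vulnerability database before scanning so results are not based
# on a stale cache baked into the image (object form assumed, see lead-in).
REPOSITORY_GRYPE_PRE_COMMANDS:
  - command: grype db update
    cwd: workspace

# Keep the threshold strict: any error counts. Raise this only as a temporary,
# documented exception while an existing backlog of findings is worked down.
REPOSITORY_GRYPE_DISABLE_ERRORS_IF_LESS_THAN: 0
REPOSITORY_GRYPE_DISABLE_ERRORS: false
```

`REPOSITORY_GRYPE_CLI_LINT_MODE` is left at its default `project` value on purpose: the table warns that overriding it may not work, and grype is designed to walk one directory tree per call.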
## MegaLinter Flavors

This linter is available in the following flavors:

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 126 |
| c_cpp | Optimized for pure C/C++ projects | 56 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 22 |
| cupcake | MegaLinter for the most commonly used languages | 87 |
| documentation | MegaLinter for documentation projects | 49 |
| dotnet | Optimized for C, C++, C# or VB based projects | 64 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |
| go | Optimized for GO based projects | 51 |
| java | Optimized for JAVA based projects | 54 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 |
| php | Optimized for PHP based projects | 54 |
| python | Optimized for PYTHON based projects | 65 |
| ruby | Optimized for RUBY based projects | 50 |
| rust | Optimized for RUST based projects | 50 |
| salesforce | Optimized for Salesforce based projects | 54 |
| security | Optimized for security | 24 |
| swift | Optimized for SWIFT based projects | 50 |
| terraform | Optimized for TERRAFORM based projects | 54 |
## Behind the scenes

### How applicable files are identified

- If this linter is active, all files will always be linted

### How the linting is performed

- grype is called once on the whole project directory (`project` CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using the grype configuration or ignore file (if one exists)
- `VALIDATE_ALL_CODEBASE: false` doesn't make grype analyze only updated files
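Because the `project` lint mode hands grype the entire checkout, the only place to narrow the scan or accept a known finding is grype's own config file. The following `.grype.yaml` is an added example written for this page, not a file shipped by grype or MegaLinter; the keys are the ones grype's configuration documents (`fail-on-severity`, `only-fixed`, `add-cpes-if-none`, `exclude`, `ignore`, `db`), while the CVE id, package name, paths and age limit are placeholders chosen for illustration.

```yaml
# .grype.yaml (added example; not from the page or the grype project)

# File-level equivalents of the --fail-on / --only-fixed / --add-cpes-if-none
# CLI flags, so the policy travels with the repository instead of the pipeline.
fail-on-severity: high
only-fixed: true
add-cpes-if-none: true

# Paths excluded from the "grype dir:." walk, as glob expressions (--exclude).
# Under MegaLinter this is the only way to keep test fixtures and vendored
# documentation out of the scan, since VALIDATE_ALL_CODEBASE has no effect.
exclude:
  - "./test/fixtures/**"
  - "./docs/**"

# Accepted-risk entries. Each one should be as narrow as possible (pin the
# package and version, not just the CVE) and carry a comment saying why it is
# acceptable, so the suppression can be revisited when the fix lands.
ignore:
  # Placeholder id: accepted while no fixed version exists; drop this entry
  # once the fix state changes, otherwise the fixed release will go unnoticed.
  - vulnerability: CVE-0000-00000
    fix-state: not-fixed
  # Placeholder: a build-time tool that is never copied into the runtime image.
  - package:
      name: example-dev-tool
      version: 1.2.3
      type: npm
      location: "/app/devtools/**"

db:
  # Refresh the vulnerability DB on each run, and refuse to scan with a
  # database older than the given age rather than silently reporting stale
  # results. For air-gapped pipelines pre-seed cache-dir and turn auto-update
  # off, which matches the "Offline Support" feature listed above.
  auto-update: true
  validate-age: true
  max-allowed-built-age: 120h
  cache-dir: /cache/grype/db
```

A useful habit when reviewing pull requests that touch this file: any new `ignore` entry without a version pin or an explanatory comment is a policy change, not a tidy-up, and should be treated as one.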
### Example calls

```shell
grype dir:.
```
### Help content

```text
A vulnerability scanner for container images, filesystems, and SBOMs.

Supports the following image sources:
    grype yourrepo/yourimage:tag             defaults to using images from a Docker daemon
    grype path/to/yourproject                a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory

You can also explicitly specify the scheme to use:
    grype podman:yourrepo/yourimage:tag          explicitly use the Podman daemon
    grype docker:yourrepo/yourimage:tag          explicitly use the Docker daemon
    grype docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
    grype oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Podman or otherwise)
    grype oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    grype singularity:path/to/yourimage.sif      read directly from a Singularity Image Format (SIF) container on disk
    grype dir:path/to/yourproject                read directly from a path on disk (any directory)
    grype file:path/to/yourfile                  read directly from a file on disk
    grype sbom:path/to/syft.json                 read Syft JSON from path on disk
    grype registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)
    grype purl:path/to/purl/file                 read a newline separated file of package URLs from a path on disk
    grype PURL                                   read a single package PURL directly (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3)
    grype CPE                                    read a single CPE directly (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*)

You can also pipe in Syft JSON directly:
    syft yourimage:tag -o json | grype

Usage:
  grype [IMAGE] [flags]
  grype [command]

Available Commands:
  completion  Generate a shell completion for Grype (listing local docker images)
  config      show the grype configuration
  db          vulnerability database operations
  explain     Ask grype to explain a set of findings
  help        Help about any command
  version     show version information

Flags:
      --add-cpes-if-none         generate CPEs for packages with no CPE data
      --by-cve                   orient results by CVE instead of the original vulnerability ID when possible
  -c, --config stringArray       grype configuration file(s) to use
      --distro string            distro to match against in the format: <distro>:<version>
      --exclude stringArray      exclude paths from being scanned using a glob expression
  -f, --fail-on string           set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
      --file string              file to write the default report output to (default is STDOUT)
  -h, --help                     help for grype
      --ignore-states string     ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
      --name string              set the name of the target being analyzed
      --only-fixed               ignore matches for vulnerabilities that are not fixed
      --only-notfixed            ignore matches for vulnerabilities that are fixed
  -o, --output stringArray       report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
      --profile stringArray      configuration profiles to use
  -q, --quiet                    suppress all logging output
  -s, --scope string             selection of layers to analyze, options=[squashed all-layers deep-squashed] (default "squashed")
      --show-suppressed          show suppressed/ignored vulnerabilities in the output (only supported with table output format)
      --sort-by string           sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (default "risk")
  -t, --template string          specify the path to a Go template file (requires 'template' output to be selected)
  -v, --verbose count            increase verbosity (-v = info, -vv = debug)
      --version                  version for grype
      --vex stringArray          a list of VEX documents to consider when producing scanning results

Use "grype [command] --help" for more information about a command.
```
### Installation on mega-linter Docker image

- Dockerfile commands:

```dockerfile
# renovate: datasource=github-tags depName=anchore/grype
ARG REPOSITORY_GRYPE_VERSION=0.95.0
RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/refs/tags/v${REPOSITORY_GRYPE_VERSION}/install.sh | sh -s -- -b /usr/local/bin
```