grype

module
v0.104.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 22, 2025 License: Apache-2.0

README

Grype logo

Grype

A vulnerability scanner for container images and filesystems.

    Validations   Go Report Card   GitHub release   GitHub go.mod Go version      Join our Discourse   Follow on Mastodon 

grype-demo

Features

  • Scan container images, filesystems, and SBOMs for known vulnerabilities (see the docs for a full list of supported scan targets)
  • Supports major OS package ecosystems (Alpine, Debian, Ubuntu, RHEL, Oracle Linux, Amazon Linux, and more)
  • Supports language-specific packages (Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust, and more)
  • Supports Docker, OCI, and Singularity image formats
  • Threat & risk prioritization with EPSS, KEV, and risk scoring (see interpreting the results docs)
  • OpenVEX support for filtering and augmenting scan results

[!TIP] New to Grype? Check out the Getting Started guide for a walkthrough!

Installation

The quickest way to get up and going:

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

[!TIP] See Installation docs for more ways to get Grype, including Homebrew, Docker, Chocolatey, MacPorts, and more!

The basics

Scan a container image or directory for vulnerabilities:

# container image
grype alpine:latest

# directory
grype ./my-project

Scan an SBOM for even faster vulnerability detection:

# scan a Syft SBOM
grype sbom:./sbom.json

# pipe an SBOM into Grype
cat ./sbom.json | grype

[!TIP] Check out the Getting Started guide to explore all of the capabilities and features.

Want to know all of the ins-and-outs of Grype? Check out the CLI docs and configuration docs.

Contributing

We encourage users to help make these tools better by submitting issues when you find a bug or want a new feature. Check out our contributing overview and developer-specific documentation if you are interested in providing code contributions.

Grype development is sponsored by Anchore, and is released under the Apache-2.0 License. The Grype logo by Anchore is licensed under CC BY 4.0

For commercial support options with Syft or Grype, please contact Anchore.

Come talk to us!

The Grype Team holds regular community meetings online. All are welcome to join to bring topics for discussion.

Directories

Path Synopsis
cmd
grype command
grype/cli
grype/cli/commands
grype/cli/commands/internal/dbsearch
grype/cli/commands/internal/jsonschema command
grype/cli/options
grype/cli/ui
grype/internal
grype/internal/ui
cpe
db/internal/gormadapter
db/internal/sqlite
db/v5
db/v5/differ
db/v5/distribution
db/v5/namespace
db/v5/namespace/cpe
db/v5/namespace/distro
db/v5/namespace/language
db/v5/pkg/qualifier
db/v5/pkg/qualifier/platformcpe
db/v5/pkg/qualifier/rpmmodularity
db/v5/pkg/resolver
db/v5/pkg/resolver/java
db/v5/pkg/resolver/python
db/v5/pkg/resolver/stock
db/v5/store
db/v5/store/model
db/v6
db/v6/distribution
db/v6/installation
db/v6/name
db/v6/schema command
db/v6/testutil
distro
event
event/monitor
event/parsers
grypeerr
internal
internal/packagemetadata
internal/packagemetadata/generate command
match
matcher
matcher/apk
matcher/bitnami
matcher/dotnet
matcher/dpkg
matcher/golang
matcher/internal
matcher/internal/result
matcher/java
matcher/javascript
matcher/mock
matcher/msrc
matcher/portage
matcher/python
matcher/rpm
matcher/ruby
matcher/rust
matcher/stock
pkg
pkg/qualifier
pkg/qualifier/platformcpe
pkg/qualifier/rpmmodularity
presenter
presenter/cyclonedx
presenter/explain
presenter/internal
presenter/json
presenter/models
presenter/sarif
presenter/table
presenter/template
search
version
vex
vex/csaf
vex/openvex
vex/status
vulnerability
vulnerability/mock
bus
cvss
file
format
log
Package log contains the singleton object and helper functions for facilitating logging within the syft library.
 Package log contains the singleton object and helper functions for facilitating logging within the syft library.
redact
schemaver
stringutil

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.