Grype — Container Vulnerability Scanner

# Grype — Container Vulnerability Scanner


## Overview


Grype, the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. Helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation.


## Instructions

### Scanning

```bash
# Install
brew install grype

# Scan a container image
grype alpine:3.19
grype nginx:latest
grype ghcr.io/myorg/myapp:v1.2.3

# Scan a local directory
grype dir:./my-project

# Scan a Dockerfile / built image
docker build -t myapp .
grype myapp

# Scan an SBOM (generated by Syft)
syft myapp -o spdx-json > sbom.json
grype sbom:sbom.json

# Fail on severity threshold
grype myapp --fail-on critical          # Exit 1 if critical CVEs found
grype myapp --fail-on high              # Exit 1 if high or critical

# Output formats
grype myapp -o json                     # JSON for CI processing
grype myapp -o table                    # Human-readable (default)
grype myapp -o sarif                    # SARIF for GitHub Security tab
grype myapp -o cyclonedx               # CycloneDX format
```

### CI/CD Integration

```yaml
# .github/workflows/security.yml — Scan images before deployment
jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: myapp:${{ github.sha }}
          output-file: sbom.spdx.json

      - name: Scan for vulnerabilities
        uses: anchore/scan-action@v4
        id: scan
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: high
          output-format: sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

### Ignore Known False Positives

```yaml
# .grype.yaml — Configuration and ignore rules
ignore:
  # Ignore specific CVEs (with justification)
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration — we don't use affected feature"

  - vulnerability: CVE-2023-67890
    package:
      name: openssl
      version: 3.1.0
    reason: "Patched in our custom build"

  # Ignore all vulnerabilities in test dependencies
  - package:
      location: "**/test/**"

# Only scan for these severity levels
fail-on-severity: high

# DB update settings
db:
  auto-update: true
  validate-age: true
  max-allowed-built-age: 120h          # Re-download if DB is older than 5 days
```

### Combining with Syft

```bash
# Syft generates SBOMs, Grype scans them — powerful combination

# Generate SBOM
syft myapp:latest -o spdx-json > sbom.json

# Scan the SBOM for vulnerabilities
grype sbom:sbom.json -o json > vulnerabilities.json

# Quick pipeline: build → SBOM → scan → sign
docker build -t myapp:v1.2.3 .
syft myapp:v1.2.3 -o spdx-json > sbom.json
grype sbom:sbom.json --fail-on critical
cosign attest --predicate sbom.json --type spdxjson myapp:v1.2.3
```

## Installation

```bash
# macOS
brew install grype

# Linux
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Docker
docker run anchore/grype:latest myapp:latest
```


## Examples


### Example 1: Setting up Grype for a microservices project

**User request:**

```
I have a Node.js API and a React frontend running in Docker. Set up Grype for monitoring/deployment.
```

The agent creates the necessary configuration files based on patterns like `# Install`, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.

### Example 2: Troubleshooting ci/cd integration issues

**User request:**

```
Grype is showing errors in our ci/cd integration. Here are the logs: [error output]
```

The agent analyzes the error output, identifies the root cause by cross-referencing with common Grype issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.


## Guidelines

1. **Scan in CI/CD** — Run Grype on every build; catch vulnerabilities before they reach production
2. **Fail on high/critical** — Use `--fail-on high` in CI; don't deploy images with known high-severity CVEs
3. **SBOM + scan** — Generate SBOM with Syft, scan with Grype, attach both to the image with Cosign
4. **Ignore with justification** — When ignoring CVEs, document why in `.grype.yaml`; auditors need to see the reasoning
5. **Update the vulnerability DB** — Grype uses a local vulnerability database; ensure it's updated daily in CI
6. **SARIF for GitHub** — Output SARIF format and upload to GitHub Security tab; developers see CVEs inline on PRs
7. **Base image matters** — Most CVEs come from the base image; use minimal bases (distroless, alpine, scratch) to reduce attack surface
8. **Scan running containers** — Periodically scan deployed images; new CVEs are discovered daily against existing packages