Grype - Container Vulnerability Scanner

Grype - Container Vulnerability Scanner

Alan Pope (popey) Publisher Star developer Star developer

Install latest/stable of Grype - Container Vulnerability Scanner

Ubuntu 16.04 or later?

Make sure snap support is enabled in your Desktop store.


Install using the command line

sudo snap install grype --classic

Don't have snapd? Get set up for snaps.

Channel Version Published

Vulnerability scanner

A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.

Features

Scan the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for major operating system packages:

  • Alpine
  • Amazon Linux
  • BusyBox
  • CentOS
  • CBL-Mariner
  • Debian
  • Distroless
  • Oracle Linux
  • Red Hat (RHEL)
  • Ubuntu
  • Wolfi

Find vulnerabilities for language-specific packages:

  • Ruby (Gems)
  • Java (JAR, WAR, EAR, JPI, HPI)
  • JavaScript (NPM, Yarn)
  • Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
  • Dotnet (deps.json)
  • Golang (go.mod)
  • PHP (Composer)
  • Rust (Cargo)
  • Supports Docker, OCI and Singularity image formats.
  • OpenVEX support for filtering and augmenting scanning results.

If you encounter an issue, please let us know using the issue tracker.

Installation

snap install grype

Getting Started

To scan for vulnerabilities in an image:

grype <image>

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:

grype <image> --scope all-layers

Supported sources

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar

# scan a Singularity Image Format (SIF) container
grype path/to/image.sif

# scan a directory
grype dir:path/to/dir

Sources can be explicitly provided with a scheme:

podman:yourrepo/yourimage:tag          use images from the Podman daemon
docker:yourrepo/yourimage:tag          use images from the Docker daemon
docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Skopeo or otherwise)
oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
singularity:path/to/yourimage.sif      read directly from a Singularity Image Format (SIF) container on disk
dir:path/to/yourproject                read directly from a path on disk (any directory)
sbom:path/to/syft.json                 read Syft JSON from path on disk
registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)

If an image source is not provided and cannot be detected from the given reference it is assumed the image should be pulled from the Docker daemon. If docker is not present, then the Podman daemon is attempted next, followed by reaching out directly to the image registry last.

Output Formats

The output format for Grype is configurable as well:

grype <image> -o <format>

Where the formats available are:

  • table: A columnar summary (default).
  • cyclonedx: An XML report conforming to the CycloneDX 1.6 specification.
  • cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.
  • json: Use this to get as much information out of Grype as possible!
  • sarif: Use this option to get a SARIF report (Static Analysis Results Interchange Format)
  • template: Lets the user specify the output format.

Documentation

Our GitHub contains further details:

https://github.com/anchore/grype

For commercial support options with Syft or Grype, please contact Anchore

This prototype Grype snap is built using the configuration here: https://github.com/popey/grype-snap

Details for Grype - Container Vulnerability Scanner

License
  • Apache-2.0

Last updated
  • 10 December 2024 - latest/stable
  • 15 December 2024 - latest/edge

Websites

Contact

Source code

Report a bug

Report a Snap Store violation

Share this snap

Generate an embeddable card to be shared on external websites.


Install Grype - Container Vulnerability Scanner on your Linux distribution

Choose your Linux distribution to get detailed installation instructions. If yours is not shown, get more details on the installing snapd documentation.


Where people are using Grype - Container Vulnerability Scanner

Users by distribution (log)

Ubuntu 24.04
Ubuntu 22.04
Ubuntu 20.04
Ubuntu 24.10
Zorin OS 17
Kali Linux 2024.4