grype
vulnerability scanner for container images and filesystems
SYNOPSIS
grype [options] source
DESCRIPTION
grype is a vulnerability scanner for container images and filesystems. It identifies known security vulnerabilities in packages and dependencies by comparing them against vulnerability databases. The tool integrates with CI/CD pipelines and produces reports in various formats. It works with the same sources as Syft for comprehensive software composition analysis.
PARAMETERS
-o, --output format
Report format (table, json, cyclonedx, cyclonedx-json, sarif, template).
-f, --fail-on severity
Return exit code 2 if a vulnerability is found at the given severity level or higher (negligible, low, medium, high, critical).
--only-fixed
Show only vulnerabilities with available fixes.
--only-notfixed
Show only vulnerabilities without available fixes.
--by-cve
Organize results by CVE rather than by the original vulnerability ID.
--add-cpes-if-none
Generate CPEs for packages that lack them.
-s, --scope scope
Layer analysis scope (squashed, all-layers).
--exclude glob
Exclude paths matching the given glob pattern.
--platform platform
Container platform specifier (e.g., linux/arm64).
-q, --quiet
Suppress logging output.
-v, --verbose
Increase verbosity (-v for info, -vv for debug).
-c, --config file
Specify configuration file.
--file path
Write report output to a file instead of stdout.
--vex document
Apply VEX documents to filter results.
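The options above are mostly about filtering and gating a scan result. As an added example (not grype's own code), the following Python post-processes a `grype -o json` report and reproduces that logic: `--only-fixed` / `--only-notfixed` filtering on fix state, the `--fail-on` severity threshold with the exit code this page documents, and grouping findings per vulnerability ID as a simplified form of `--by-cve`. The report is a constructed sample; the field names (`matches`, `vulnerability.severity`, `vulnerability.fix.state`, `artifact.name`) are assumed from grype's JSON schema, the vulnerability IDs are placeholders, and every function name is this example's own.

```python
import json
from collections import defaultdict

# Severity ranking used for the --fail-on threshold, lowest to highest. Grype's
# JSON report writes severities capitalised ("High"), so compare case-insensitively.
# Treating "unknown" as the lowest rank is an assumption of this example.
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of a `grype -o json` report. Only the fields
# read below are included; the field names are assumed from grype's JSON schema
# and the vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "GHSA-0000-0000-0000", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "example-js", "version": "0.9.0", "type": "npm"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "example-py", "version": "2.0.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "fix": {"versions": ["1.1.1"], "state": "fixed"}},
         "artifact": {"name": "example-py-extra", "version": "1.1.0", "type": "python"}},
    ]
})


def severity_rank(severity):
    """Map a severity string to its position in SEVERITY_ORDER (lowest if unrecognised)."""
    name = (severity or "unknown").lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def load_matches(report_json):
    """Parse a grype JSON report and return its list of matches."""
    return json.loads(report_json).get("matches", [])


def filter_matches(matches, only_fixed=False, only_notfixed=False):
    """Mirror --only-fixed / --only-notfixed: keep matches by their fix state."""
    if only_fixed and only_notfixed:
        raise ValueError("only_fixed and only_notfixed are mutually exclusive")
    kept = []
    for m in matches:
        fixed = m["vulnerability"].get("fix", {}).get("state") == "fixed"
        if only_fixed and not fixed:
            continue
        if only_notfixed and fixed:
            continue
        kept.append(m)
    return kept


def fail_on_exit_code(matches, threshold, failing_code=2):
    """Mirror --fail-on: failing_code if any match is at or above threshold, else 0.

    failing_code defaults to 2 because that is the exit code this page documents.
    """
    floor = severity_rank(threshold)
    for m in matches:
        if severity_rank(m["vulnerability"].get("severity")) >= floor:
            return failing_code
    return 0


def group_by_id(matches):
    """Simplified --by-cve view: vulnerability ID -> sorted affected packages."""
    groups = defaultdict(set)
    for m in matches:
        art = m["artifact"]
        groups[m["vulnerability"]["id"]].add(f"{art['name']}@{art['version']}")
    return {vid: sorted(pkgs) for vid, pkgs in groups.items()}


def gate(report_json, threshold, only_fixed=False):
    """CI-style gate: filter, group and decide the exit code in one call."""
    matches = filter_matches(load_matches(report_json), only_fixed=only_fixed)
    return group_by_id(matches), fail_on_exit_code(matches, threshold)


if __name__ == "__main__":
    grouped, code = gate(SAMPLE_REPORT, "high", only_fixed=True)
    for vid, pkgs in grouped.items():
        print(vid, ", ".join(pkgs))
    print("exit code:", code)
```

Note how the two filters interact with the threshold: the sample's only critical finding has no fix, so a pipeline that gates on `--only-fixed --fail-on critical` passes while `--fail-on critical` alone fails. Deciding which of those policies a pipeline wants is the real configuration decision behind these flags.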
SOURCE TYPES
image: Container image (default)
dir: Local directory
file: Single file
sbom: SBOM file (Syft, CycloneDX, SPDX)
registry: Remote container registry
CAVEATS
The vulnerability database must be updated regularly. False positives are possible. Coverage depends on the package ecosystem. Large images scan slowly.
HISTORY
grype was created by Anchore as part of their open source security tooling alongside Syft. It emerged around 2020 to address container security scanning needs with a focus on accuracy and integration.
