Skip to content
Latchkey

grype db: Manage and Cache the Vuln DB

grype db update downloads the latest vulnerability database, and caching its directory keeps CI fast and offline-friendly.

Like Trivy, grype maintains a local vulnerability database. Managing it explicitly with the db subcommands and caching its directory avoids repeated downloads and rate limits in CI.

What it does

grype db update fetches the newest database into the cache directory (default under ~/.cache/grype/db, overridable with GRYPE_DB_CACHE_DIR). grype db status reports the current DB version and age. With GRYPE_DB_AUTO_UPDATE=false and a cached directory, scans run without contacting the network.

Common usage

Terminal
grype db update
grype db status
# CI: pre-warm and cache, then scan offline
export GRYPE_DB_CACHE_DIR=.grypedb
grype db update
GRYPE_DB_AUTO_UPDATE=false grype myorg/app:ci --fail-on high

Options

Command / varWhat it does
grype db updateDownload the latest vulnerability DB
grype db statusShow DB version, schema, and age
grype db checkReport whether an update is available
GRYPE_DB_CACHE_DIRDirectory to store the DB (cache this in CI)
GRYPE_DB_AUTO_UPDATESet false to skip auto-download on scan

In CI

Cache GRYPE_DB_CACHE_DIR with your CI cache key, run grype db update once to warm it, then scan with GRYPE_DB_AUTO_UPDATE=false so each job reuses the cached DB. This avoids the per-job download and any upstream rate limiting.

Common errors in CI

"failed to load vulnerability db" or "no db cache directory found" means the DB was never downloaded or the cache path is wrong; run grype db update with the correct GRYPE_DB_CACHE_DIR. "database is too old" appears when auto-update is off and the cached DB has aged out; refresh it. Network 403/429 on update means rate limiting, so cache the DB.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →