grype db: Manage and Cache the Vuln DB
grype db update downloads the latest vulnerability database, and caching its directory keeps CI fast and offline-friendly.
Like Trivy, grype maintains a local vulnerability database. Managing it explicitly with the db subcommands and caching its directory avoids repeated downloads and rate limits in CI.
What it does
grype db update fetches the newest database into the cache directory (default under ~/.cache/grype/db, overridable with GRYPE_DB_CACHE_DIR). grype db status reports the current DB version and age. With GRYPE_DB_AUTO_UPDATE=false and a cached directory, scans run without contacting the network.
Common usage
grype db update
grype db status
# CI: pre-warm and cache, then scan offline
export GRYPE_DB_CACHE_DIR=.grypedb
grype db update
GRYPE_DB_AUTO_UPDATE=false grype myorg/app:ci --fail-on highOptions
| Command / var | What it does |
|---|---|
| grype db update | Download the latest vulnerability DB |
| grype db status | Show DB version, schema, and age |
| grype db check | Report whether an update is available |
| GRYPE_DB_CACHE_DIR | Directory to store the DB (cache this in CI) |
| GRYPE_DB_AUTO_UPDATE | Set false to skip auto-download on scan |
In CI
Cache GRYPE_DB_CACHE_DIR with your CI cache key, run grype db update once to warm it, then scan with GRYPE_DB_AUTO_UPDATE=false so each job reuses the cached DB. This avoids the per-job download and any upstream rate limiting.
Common errors in CI
"failed to load vulnerability db" or "no db cache directory found" means the DB was never downloaded or the cache path is wrong; run grype db update with the correct GRYPE_DB_CACHE_DIR. "database is too old" appears when auto-update is off and the cached DB has aged out; refresh it. Network 403/429 on update means rate limiting, so cache the DB.