Skip to content
Latchkey

grype: Scan Images and Directories for CVEs

grype scans a container image, a directory, or an SBOM and reports known vulnerabilities in its packages.

grype is Anchore vulnerability scanner. It accepts many source types through a prefix syntax and pairs naturally with syft, which builds the SBOM it can consume.

What it does

grype catalogs the packages in its target (using syft under the hood for images and directories), then matches them against its vulnerability database. The target can be an image reference, a dir: path, a registry: reference, or an sbom: file, selected by prefix.

Common usage

Terminal
grype alpine:3.19
grype dir:.
# scan a Syft SBOM instead of re-cataloging
syft myorg/app:ci -o json > sbom.json
grype sbom:sbom.json

Options

FlagWhat it does
-o, --output <fmt>table, json, cyclonedx, sarif
-s, --scope <scope>squashed (default) or all-layers
--only-fixedReport only vulnerabilities that have a fix
--fail-on <severity>Exit non-zero at or above this severity
--add-cpes-if-noneGenerate CPEs to improve matching
sbom:/dir:/registry:Source prefixes for the target

In CI

Feed grype a Syft SBOM (grype sbom:sbom.json) so you catalog the image once and can rescan cheaply. Gate the build with --fail-on high (see grype-fail-on) and use --only-fixed to focus on actionable issues. Use --scope all-layers if you need to catch packages removed in later layers.

Common errors in CI

"could not determine source" or "unable to determine image source" means the reference is ambiguous; add a prefix such as registry: or dir:. "failed to load vulnerability db" points at a missing or corrupt DB; run grype db update or clear the cache. "1 error occurred ... no image found" means the tag is not pullable from the runner.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →