
anchore/grype


Grype

A vulnerability scanner for container images and filesystems.

Features

  • Scan container images, filesystems, and SBOMs for known vulnerabilities (see the docs for a full list of supported scan targets)
  • Supports major OS package ecosystems (Alpine, Debian, Ubuntu, RHEL, Oracle Linux, Amazon Linux, and more)
  • Supports language-specific packages (Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust, and more)
  • Supports Docker, OCI, and Singularity image formats
  • Threat & risk prioritization with EPSS, KEV, and risk scoring (see interpreting the results docs)
  • OpenVEX support for filtering and augmenting scan results

Tip

New to Grype? Check out the Getting Started guide for a walkthrough!

Installation

The quickest way to get up and going:

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

Tip

See Installation docs for more ways to get Grype, including Homebrew, Docker, Chocolatey, MacPorts, and more!

The basics

Scan a container image or directory for vulnerabilities:

# container image
grype alpine:latest

# directory
grype ./my-project

Scan an SBOM for even faster vulnerability detection:

# scan a Syft SBOM
grype sbom:./sbom.json

# pipe an SBOM into Grype
cat ./sbom.json | grype

Tip

Check out the Getting Started guide to explore all of the capabilities and features.

Want to know all of the ins-and-outs of Grype? Check out the CLI docs and configuration docs.

Contributing

We encourage users to help make these tools better by submitting issues when they find a bug or want a new feature. Check out our contributing overview and developer-specific documentation if you are interested in providing code contributions.

Grype development is sponsored by Anchore, and is released under the Apache-2.0 License. The Grype logo by Anchore is licensed under CC BY 4.0.

For commercial support options with Syft or Grype, please contact Anchore.

Come talk to us!

The Grype Team holds regular community meetings online. All are welcome to join to bring topics for discussion.