anchore/grype
By the numbers
A quantitative snapshot of the Grype codebase.
Data collected on 2026-04-30 from commit
d646a93onmain.
Size
| Metric | Value |
|---|---|
| Total Go lines (incl. tests) | ~131,400 |
| Go source files | 680 |
| Go test files | 246 |
| Test-to-code file ratio | ~36% |
| Top-level Go packages | cmd/grype, grype/, internal/ |
go.mod direct dependencies |
~70 |
xychart-beta
title "Lines of code by area"
x-axis ["grype/db", "grype/matcher", "grype/presenter", "grype/version", "grype/pkg", "cmd/grype/cli", "internal", "test"]
y-axis "Approx. lines (K)" 0 --> 40
bar [38, 18, 12, 8, 7, 11, 8, 14](Approximate per-area sizes computed from find . -name '*.go' | xargs wc -l. The DB layer is by far the largest area, mainly because of v5/v6 schemas, GORM models, and the dense unit tests around the package and CPE stores.)
Activity
| Metric | Value |
|---|---|
| First commit | 2020-05-26 |
| Latest commit | 2026-04-30 |
Total commits on main |
2,208 |
| Commits in the last 90 days | 114 |
| Months with commits | 72 |
Tagged releases (vX.Y.Z) |
100+ (last: v0.99.1) |
Recent activity has concentrated around the v6 database schema and CISA KEV/EPSS decoration plumbing — see grype/db/v6/vulnerability_decorator_store.go and the related stores.
Bot-attributed commits
This is a lower bound on bot involvement; inline AI tooling leaves no git trace.
| Source | Commits | Share |
|---|---|---|
dependabot[bot] |
627 | 28.4% |
anchore-actions-token-generator[bot] |
288 | 13.0% |
Other *[bot] (factory-droid, github-actions, copilot) |
<10 | <1% |
| Total bot-attributed | ~770 | ~35% |
Dependency upgrades dominate the bot share, as expected for a tool whose value is heavily tied to staying current with syft, stereoscope, and ecosystem libraries.
Complexity hotspots
The largest non-test source files (lines, file):
| Lines | File |
|---|---|
| 31,189 | grype/db/v6/models.go (GORM models for the v6 schema) |
| 24,181 | grype/vulnerability_matcher.go (top-level matcher orchestration) |
| 23,709 | grype/db/v6/vulnerability_provider.go |
| 18,833 | cmd/grype/cli/commands/root.go (runGrype) |
| 17,330 | grype/pkg/package.go (Grype's package model + conversions from Syft) |
| 13,715 | grype/db/v6/operating_system_store.go |
| 12,663 | grype/db/v6/package_store.go |
| 12,550 | grype/match/ignore.go |
| 11,857 | grype/db/v6/search_query.go |
| 11,258 | cmd/grype/cli/options/grype.go (CLI option struct) |
Test files are not counted; several test files (e.g. vulnerability_matcher_test.go at 51,485 lines) are larger than any production file.
Dependencies
| Group | Counts |
|---|---|
Direct require lines in go.mod |
~70 |
// indirect lines |
~250 |
| Anchore-owned modules used | bubbly, clio, fangs, go-collections, go-homedir, go-logger, go-version, packageurl-go, stereoscope, syft |
| External package-version libs | anchore/go-version, aquasecurity/go-pep440-version, bitnami/go-version, knqyf263/go-apk-version, knqyf263/go-deb-version, masahiro331/go-mvn-version |
Each ecosystem matcher leans on a different version library, which is why the grype/version/ package is non-trivial — it normalizes them all behind a Comparator interface.
TODOs and FIXMEs
61 source files contain at least one TODO, FIXME, or HACK comment, totaling ~90 occurrences. The biggest concentration is in grype/db/v5/ (deprecated schema) and the matcher pipeline.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.