anchore/grype
Fun facts
Light trivia gathered while spelunking the Grype codebase.
The longest file is bigger than it looks
grype/db/v6/vulnerability_test.go weighs in at 30,279 lines. The longest non-test file (grype/db/v6/models.go) clocks in at 31,189 lines — but it's mostly GORM struct definitions, not algorithmic complexity. The longest "real" Go file is grype/vulnerability_matcher.go at ~24K lines, and even that contains substantial setup/teardown for the per-package match orchestration.
ASCII tree characters in your logs
grype/vulnerability_matcher.go defines:
const (
branch = "├──"
leaf = "└──"
)These are used to print scan summaries as a textual tree:
found N vulnerability matches across M packages
├── fixed: ...
├── ignored: ...
├── dropped: ...
└── matched: ...The same characters re-appear in cmd/grype/cli/commands/root.go when the DB load summary is logged.
opensuse-leap is a special-cased string
grype/distro/distro.go::ParseDistroString has explicit code for opensuse-leap because it is the only common distro ID that contains a hyphen. Without the special case, a user input like opensuse-leap-15 would be parsed as opensuse + leap-15.
SchemaVer in the wild
The DB schema uses SchemaVer — a niche scheme that distinguishes:
- Model: breaking schema changes (today: 6).
- Revision: changes that may break some historical data (today: 1).
- Addition: changes that are backward-compatible (today: 4).
This lets the v6 model handle minor extensions (KEV, EPSS, CWE, EOL dates) without bumping a major version.
A gem of a comment
In cmd/grype/cli/commands/root.go:
// packages are grype.Package, not syft.Package
// the SBOM is returned for downstream formatting concerns
// grype uses the SBOM in combination with syft formatters to produce cycloneDX
// with vulnerability information appendedThis is the most concise possible description of why Grype keeps a parallel pkg.Package type alongside Syft's: matchers need fields Syft doesn't carry (e.g. MetadataType discriminators specific to vulnerability matching), but the SBOM is still preserved end-to-end so the CycloneDX presenter can reconstruct a complete BOM with vulnerabilities attached.
The CI environment fights back
In cmd/grype/cli/cli.go, there's a stealth environWithoutCI type whose only job is to hide the CI environment variable from lipgloss/termenv when deciding whether to render colors. Without it, color rendering would be silently disabled in many CI environments — even when developers have explicitly opted into a richer UI. The lengths developers go to so their terminal output looks pretty.
Dependabot's outsized footprint
About 28% of the project's commits were authored by dependabot[bot]. For a tool whose value depends on staying current with vulnerability feeds, package format libraries, and Go itself, that's a feature, not a bug.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.