anchore/grype
Tooling
The tools that build, test, and ship Grype.
Taskfile (not Make)
The repo uses task instead of GNU make. Configuration is in Taskfile.yaml at the repo root. Top-level tasks worth memorizing:
| Task | Description |
|---|---|
task default (or just task) |
Build the snapshot binary. |
task validate |
static-analysis + test + install-test. |
task test |
unit + integration + cli. |
task generate |
Regenerate JSON and DB schemas. |
task lint / task lint-fix |
golangci-lint, with optional auto-fix. |
task tools |
Bootstrap pinned tool versions via binny. |
task release |
Cut a release (interactive, requires admin approval). |
Binny — tool version pinning
.binny.yaml lists the exact versions of every developer tool. task tools (alias task bootstrap) installs them all to .tool/. This avoids "works on my laptop" issues across contributors.
Pinned tools include:
golangci-lint— linting (.golangci.yaml).goreleaser— snapshot and release builds (.goreleaser.yaml).bouncer— license compliance check (.bouncer.yaml).chronicle— changelog generation (.chronicle.yaml).gosimports— import sorting with anchore-local prefix.
golangci-lint
Configuration: .golangci.yaml. Run with task lint. The CI lane runs golangci-lint run --tests=false — production code is held to a stricter standard than test code.
goreleaser
.goreleaser.yaml defines:
- Cross-compilation targets (linux/macOS/windows × amd64/arm64).
- Container image builds for
ghcr.io/anchore/grypeanddocker.io/anchore/grype(default + debug + nonroot variants — seeDockerfile,Dockerfile.debug,Dockerfile.nonroot). - SBOM generation for each artifact.
- Sigstore signing (release only; snapshot skips it).
- Homebrew formula updates.
task snapshot runs goreleaser in --snapshot --skip=publish --skip=sign mode, dropping artifacts under ./snapshot/.
Bouncer — license compliance
.bouncer.yaml configures allowed/blocked licenses for transitive dependencies. task check-licenses (also task validate) runs bouncer check ./... and fails if any dependency is out of policy.
chronicle — changelogs
.chronicle.yaml configures how chronicle reads PR titles and labels to assemble the CHANGELOG.md. The release pipeline runs chronicle -vvv > CHANGELOG.md and pipes it into goreleaser.
.github/workflows
| Workflow | Purpose |
|---|---|
validations.yaml |
Main CI lane: lint + unit + integration + CLI + install. |
release.yaml |
Triggered manually; cuts a release. |
codeql.yaml |
GitHub CodeQL security scanning. |
scorecards.yaml |
OSSF Scorecard publishing. |
dependabot-automation.yaml |
Auto-merge dependabot PRs that pass CI. |
oss-project-board-add.yaml |
Adds new issues to the project board. |
remove-awaiting-response-label.yaml |
Removes the "awaiting response" label when an issue is updated. |
validate-github-actions.yaml |
Lints workflow YAML files (with zizmor). |
Dockerfiles
Three Dockerfiles ship in this repo, all built by goreleaser:
Dockerfile— default image, runs as root. The image is what most users pull.Dockerfile.debug— bundles debugging tools (sh, etc.).Dockerfile.nonroot— same as default but runs as non-root user, recommended for restricted environments.
install.sh
install.sh at the repo root is the installer served at https://get.anchore.io/grype. The acceptance test under test/install/ verifies it across several OS environments.
artifacthub-repo.yml
Metadata for Artifact Hub, where Grype is listed as an Anchore-published tool.
Other CI scripts
.github/scripts/ contains:
coverage.py— coverage threshold check.go-mod-tidy-check.sh— fails ifgo mod tidywould change anything.json-schema-drift-check.sh— fails if generated JSON schema doesn't match committed schema.db-schema-drift-check.sh— fails if generated DB blob schemas don't match committed schemas.trigger-release.sh— used bytask release.ci-check.sh— fails outside CI (used to gate release-only tasks).
llms.txt
The repo includes a top-level llms.txt — a project description targeted at large language models, listing the architecture and main components. It's a useful one-page primer if you are coming to Grype fresh.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.