Open-Source Wikis

/

Grype

/

Lore

anchore/grype

Lore

The story of how Grype evolved from a single-file proof-of-concept into the vulnerability scanner used in CI pipelines worldwide.

Eras

The early days (May 2020 – Sep 2020)

Grype's first commit landed on 2020-05-26 with the basic shape that survives to this day: a CLI under cmd/grype/, a grype/ library with matchers per ecosystem, and a downloadable vulnerability DB. The earliest releases focused on Linux distro matchers (apk, dpkg, rpm) and Java/Python language matchers. Anchore had open-sourced the underlying engine extracted from their proprietary scanning products.

Database schema marches (Late 2020 – 2024)

The vulnerability DB schema went through six breaking versions. The codebase still contains both v5 and v6 packages because the build tooling needs to read v5 archives:

  • v1–v3: removed long ago; only of historical interest.
  • v4–v5 (grype/db/v5/): the dominant schema for several years. Carries CVSS scores, fix states, and a richer set of related vulnerabilities. Still imported by grype-db builds and by parts of the curator.
  • v6 (grype/db/v6/): the current schema. SchemaVer-versioned (ModelVersion=6, Revision=1, Addition=4 per grype/db/v6/db.go). Introduced separate stores for affected/unaffected packages and CPEs, a typed decorator store for KEV/EPSS, and per-OS EOL data.

Each Addition tag in the v6 changelog corresponds to a specific feature: 6.0.1 added CISA KEV, 6.0.2 added EPSS, 6.1.0 added per-fix availability dates, 6.1.4 added EOL/EoAS dates for OperatingSystems.

VEX support (2023)

grype/vex/ was added to filter and augment matches based on vendor-supplied VEX documents. Both OpenVEX and CSAF document formats are supported (grype/vex/openvex/, grype/vex/csaf/). The top-level Processor (grype/vex/processor.go) detects the document type from its first file and dispatches to the appropriate implementation.

The Syft/Grype split

Grype always used Anchore's Syft for cataloging, but historically a lot of file-format reading lived inside Grype. Over time, format readers (Syft JSON, SPDX, CycloneDX) migrated upstream into Syft, leaving Grype to consume sbom.SBOM objects via grype/pkg/syft_sbom_provider.go. Today, package input handling is a thin facade: every input form ultimately becomes []pkg.Package.

Bubble Tea UI (2022+)

The interactive terminal UI under cmd/grype/cli/ui/ is built on charmbracelet/bubbletea and bubbly (Anchore's component library). It coordinates progress events from both Syft and Grype via a shared partybus.Bus, falling back to a plain non-UI handler in CI or non-tty environments. The fallback selection logic is in cli.go::SetupConfig.

Risk prioritization (2024 – 2025)

Recent feature work centered on prioritization:

  • CISA KEV decoration — cross-references vulnerability records against the Known Exploited Vulnerabilities catalog. Populated by the v6 builder and read via vulnerability_decorator_store.go.
  • EPSS scoring — daily exploit-prediction probabilities surfaced alongside vulnerabilities.
  • Risk scoring — a derived score in the JSON output that combines CVSS, KEV, and EPSS.

These features arrived without breaking the database schema: each was a new Addition (the A in SchemaVer).

Longest-standing features

Feature First seen Notes
dpkg matcher 2020 Still the canonical model for OS matchers; other distros copied its shape.
Stock matcher 2020 Catch-all matcher for unknown package types, still a fallback in vulnerability_matcher.go::searchDBForMatches.
match.IgnoreRule 2020 YAML-configurable ignore rules; the data shape has been remarkably stable.
--fail-on severity gating 2020 Implemented in grype/grypeerr/ with exit code 2.
JSON presenter 2020 The most stable output format; schema bumps tracked under cmd/grype/cli/commands/internal/jsonschema/.

Deprecated features

  • DB v1–v4 readers — entirely removed.
  • DB v5 — code still present (grype/db/v5/) but only used during DB building via grype-db; runtime always uses v6 (cmd/grype/cli/cli.go::dbVersion).
  • presenter.GetPresenter shimgrype/presenter/presenter.go is annotated Deprecated: this will be removed in v1.0. The real entry point is now internal/format.
  • vulnerability.MetadataProvider interface — explicitly deprecated in grype/vulnerability/provider.go. Vulnerability records now carry their metadata inline.

Major rewrites

  • DB v5 → v6 migration: large-scale rewrite of stores, models, and search queries. grype/db/v6/ is roughly 38 KLoC of code+tests. The two schemas coexist in the source tree because the build tooling needs to support both, but users always read v6.
  • Provider interface split: vulnerability lookups moved from concrete *store.Store types to a small set of interfaces (Reader, VulnerabilityStoreReader, etc.) so that mocks (grype/vulnerability/mock/) and alternate sources can be plugged in.
  • CycloneDX presenter: rewritten when CycloneDX 1.4+ formalized vulnerability schemas; the embedded-VEX variants are produced by the same package (grype/presenter/cyclonedx/).

Growth trajectory

Roughly 2,200 commits over six years, averaging out to about one commit per day on main — though the actual cadence is much spikier with frequent dependabot batches and bursts of feature work around release cuts. Releases historically ship every 1–2 weeks per RELEASE.md.

The contributor base is led by Alex Goodman (486 commits), with steady contribution from Christopher Phillips, Alfredo Deza, Keith Zantow, Dan Luhring, Weston Steimel, and Will Murphy.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Lore – Grype wiki | Factory