anchore/grype
Grype
Grype is a vulnerability scanner for container images, filesystems, and SBOMs, developed by Anchore. Given a target, Grype catalogs the packages it contains, looks them up in a curated vulnerability database, and reports the matches.
The tool is delivered as a single Go binary that wraps a CLI, a downloadable SQLite-backed vulnerability database, and a set of ecosystem-specific matchers. It is the runtime companion to grype-db (which builds the database) and Syft (which catalogs packages).
What Grype does
- Scans container images and filesystems. Accepts Docker, OCI, and Singularity images, OCI directories, generic filesystem paths, and individual files.
- Scans SBOMs. Reads Syft JSON, SPDX, and CycloneDX SBOMs from a path or stdin.
- Looks up vulnerabilities. Resolves each catalogued package against an automatically-managed local vulnerability database (
vulnerability.db). - Filters and prioritizes. Supports user-provided ignore rules, OpenVEX/CSAF VEX documents, EPSS exploit predictions, CISA KEV decoration, and CVE normalization.
- Renders output. Tables, JSON, CycloneDX, SARIF, and Go templates.
High-level layout
| Path | Purpose |
|---|---|
cmd/grype/ |
CLI entry point and subcommands (db, explain, completion, root scan command). |
grype/ |
Core library: matchers, vulnerability database access, package providers, presenters, version comparators. |
grype/db/v6/ |
Current vulnerability database schema, GORM-backed stores, and curator. |
grype/matcher/ |
Per-ecosystem matchers (apk, dpkg, rpm, java, javascript, python, golang, rust, ...). |
grype/presenter/ |
Output formats: table, JSON, CycloneDX, SARIF, template, explain. |
grype/vex/ |
VEX processing for OpenVEX and CSAF documents. |
grype/version/ |
Per-ecosystem version comparators and constraint parsers. |
internal/ |
Build-internal helpers: bus, format, log, redact, file utilities. |
test/ |
CLI, integration, install, and quality test suites. |
Where to start
- Run it: Getting started.
- Understand the moving parts: Architecture.
- Pick up a contribution: How to contribute.
- Look up a term: Glossary.
Project facts
- Language: Go (
go 1.25.8pergo.mod). - License: Apache-2.0.
- Public docs: https://oss.anchore.com/docs/guides/vulnerability/.
- Sponsor: Anchore.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.