anchore/grype
Data models
The shapes that cross Grype's external API surface.
JSON output
The canonical output schema is defined in grype/presenter/models/. The top-level shape:
{
"matches": [Match, ...],
"ignoredMatches": [IgnoredMatch, ...],
"source": Source,
"distro": Distro,
"descriptor": {
"name": "grype",
"version": "<semver>",
"configuration": Configuration,
"db": DBStatus
}
}A representative matches[i]:
{
"vulnerability": {
"id": "CVE-2024-12345",
"dataSource": "https://...",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [...],
"description": "...",
"cvss": [...],
"fix": { "versions": ["1.2.4"], "state": "fixed" },
"advisories": [...],
"epss": [...],
"kev": [...]
},
"relatedVulnerabilities": [...],
"matchDetails": [
{
"type": "exact-direct-match",
"matcher": "stock-matcher",
"searchedBy": { "...": "..." },
"found": { "...": "..." },
"fix": { "...": "..." }
}
],
"artifact": {
"name": "...",
"version": "...",
"type": "...",
"locations": [...],
"language": "...",
"licenses": [...],
"cpes": [...],
"purl": "..."
}
}The schema is generated from the model types via cmd/grype/cli/commands/internal/jsonschema/. task generate-json-schema regenerates it; task check-json-schema-drift validates that the committed schema matches the current code.
Match details
Each matchDetails[i].type is one of:
exact-direct-match— the vulnerability matched the package directly.exact-indirect-match— matched via an upstream/source package.cpe-match— matched via CPE (typically NVD).fuzzy-match— approximate version comparison (rare).
Ignored matches
ignoredMatches[i] has the same shape as a regular match, plus appliedIgnoreRules — the array of rules that caused the suppression. Useful for auditing.
Database descriptor
{
"schemaVersion": "6",
"from": "https://grype.anchore.io/databases/v6/listing.json",
"built": "2026-04-29T00:00:00Z",
"path": "/home/.../vulnerability.db",
"valid": true,
}Output formats and their shape
| Format | Schema source |
|---|---|
json |
grype/presenter/models/ (this page). |
cyclonedx-json / cyclonedx-xml |
CycloneDX 1.6 with vulnerabilities array. |
embedded-cyclonedx-vex-json/xml |
CycloneDX with VEX statements per vulnerability. |
sarif |
SARIF 2.1.0. |
template |
User-supplied; receives models.Document. |
table |
Not structured. |
Internal models (not part of the public API)
pkg.Package,pkg.Context—grype/pkg/. Internal to the matcher pipeline.match.Match,match.Matches—grype/match/. Internal.vulnerability.Vulnerability—grype/vulnerability/vulnerability.go. Internal; presenters convert tomodels.*.- DB models (GORM) —
grype/db/v6/models.go. Persisted, not directly exposed. - DB blobs —
grype/db/v6/blobs.go. Persisted JSON blobs; their schemas are also generated undergrype/db/v6/schema/and validated bytask check-db-schema-drift.
The clear separation between internal models and the public JSON model means matcher refactors don't cascade into public-API breaks.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.