anchore/grype
Systems
Grype's internal architecture is a small set of cooperating subsystems. The CLI orchestrates them; this section documents each one in detail.
The systems
| System | Purpose | Path |
|---|---|---|
| Vulnerability database | SQLite-backed vulnerability store, curator, and distribution client. | grype/db/v6/, grype/db/internal/, grype/db/build.go |
| Matcher system | Top-level orchestration of per-ecosystem matchers, fingerprint deduplication, ignore rule application. | grype/vulnerability_matcher.go, grype/match/, grype/matcher/ |
| Package providers | Translates user input (image, dir, SBOM, PURL, CPE) into []pkg.Package. |
grype/pkg/ |
| Version comparators | Per-ecosystem version parsing and constraint evaluation (apk, dpkg, rpm, semver, gem, maven, pep440, ...). | grype/version/ |
| Distro detection | Identifies the Linux distribution from os-release and applies fix channels. |
grype/distro/ |
| Presenters | Output renderers for table, JSON, CycloneDX, SARIF, template, and explain formats. | grype/presenter/, internal/format/ |
| VEX processing | OpenVEX/CSAF document parsing, match filtering, and augmentation. (Documented under features.) | grype/vex/ |
How they connect
graph TB
subgraph CLI
Root[commands.Root]
end
subgraph PkgProvider [Package providers]
SyftProv[syft_provider]
SbomProv[syft_sbom_provider]
PurlProv[purl_provider]
CpeProv[cpe_provider]
end
subgraph DB [Vulnerability database]
Distribution[v6.distribution]
Installation[v6.installation]
Reader[v6.Reader]
end
subgraph Matchers [Matcher system]
VM[VulnerabilityMatcher]
EcoMatchers[per-ecosystem matchers]
Match[match.Matches]
end
Root --> PkgProvider
Root --> DB
Root --> VM
Root --> Presenters[Presenters]
PkgProvider --> Distro[Distro detection]
Distribution --> Installation
Installation --> Reader
Reader --> VM
VM --> EcoMatchers
EcoMatchers --> Versions[Version comparators]
EcoMatchers --> Match
Match --> PresentersDesign principles visible in the code
- Each system has a small public interface and a hidden implementation. The vulnerability database exposes
vulnerability.Providerand a few sub-interfaces (EOLChecker,StoreMetadataProvider); GORM, SQL, and schema details stay insidegrype/db/v6/. - Cataloging is delegated to Syft. Grype owns matching, not parsing. Even
syft_sbom_provider.gois mostly a thin adapter that converts Syft'ssbom.SBOMinto[]pkg.Package. - Version comparison is per-ecosystem.
grype/version/is essentially a switchboard with one comparator per ecosystem; this is where most subtle false positives are caught or introduced. - Match deduplication is fingerprint-based. Independent matchers can produce overlapping results without coordination;
match.Matches.Addreconciles them via fingerprint and core-fingerprint indexes. - Filters are composable. Every filter (explicit-ignore, user-ignore, VEX) operates on
match.Matchesand produces a(remaining, ignored)pair. New filters slot in without disturbing the others.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.