A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.
Features
Scan the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for major operating system packages:
Find vulnerabilities for language-specific packages:
If you encounter an issue, please let us know using the issue tracker.
Installation
snap install grype
Getting Started
To scan for vulnerabilities in an image:
grype <image>
The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:
grype <image> --scope all-layers
Supported sources
Grype can scan a variety of sources beyond those found in Docker.
# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar
# scan a Singularity Image Format (SIF) container
grype path/to/image.sif
# scan a directory
grype dir:path/to/dir
Sources can be explicitly provided with a scheme:
podman:yourrepo/yourimage:tag use images from the Podman daemon
docker:yourrepo/yourimage:tag use images from the Docker daemon
docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
dir:path/to/yourproject read directly from a path on disk (any directory)
sbom:path/to/syft.json read Syft JSON from path on disk
registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
If an image source is not provided and cannot be detected from the given reference it is assumed the image should be pulled from the Docker daemon. If docker is not present, then the Podman daemon is attempted next, followed by reaching out directly to the image registry last.
Output Formats
The output format for Grype is configurable as well:
grype <image> -o <format>
Where the formats available are:
table: A columnar summary (default).cyclonedx: An XML report conforming to the CycloneDX 1.6 specification.cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.json: Use this to get as much information out of Grype as possible!sarif: Use this option to get a SARIF report (Static Analysis Results Interchange Format)template: Lets the user specify the output format.Documentation
Our GitHub contains further details:
https://github.com/anchore/grype
For commercial support options with Syft or Grype, please contact Anchore
This prototype Grype snap is built using the configuration here: https://github.com/popey/grype-snap
Thank you for your report. Information you provided will help us investigate further.
There was an error while sending your report. Please try again later.
You are about to open
Do you wish to proceed?
Snaps are applications packaged with all their dependencies to run on all popular Linux distributions from a single build. They update automatically and roll back gracefully.
Snaps are discoverable and installable from the Snap Store, an app store with an audience of millions.
On Arch Linux, snap can be installed from the Arch User Repository (AUR). The manual build process is the Arch-supported install method for AUR packages, and you’ll need the prerequisites installed before you can install any AUR package. You can then install snap with the following:
git clone https://aur.archlinux.org/snapd.git
cd snapd
makepkg -si
Once installed, the systemd unit that manages the main snap communication socket needs to be enabled:
sudo systemctl enable --now snapd.socket
If AppArmor is enabled in your system, enable the service which loads AppArmor profiles for snaps:
sudo systemctl enable --now snapd.apparmor.service
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:
sudo ln -s /var/lib/snapd/snap /snap
Either log out and back in again, or restart your system, to ensure snap’s paths are updated correctly.
To install Grype - Container Vulnerability Scanner, simply use the following command:
sudo snap install grype --classic
Browse and find snaps from the convenience of your desktop using the snap store snap.
Interested to find out more about snaps? Want to publish your own application? Visit snapcraft.io now.