grype
A vulnerability scanner for container images and filesystems
A command-line tool that scans container images, code folders, or software inventory files for known security vulnerabilities across OS packages and many programming language ecosystems in a single command.
Grype is a command-line tool that scans software for known security vulnerabilities. You point it at a container image, a folder of code, or a software inventory file; it identifies the packages present, compares them against public vulnerability databases, and reports the matches it finds.
A container image is a packaged snapshot of software and its dependencies, commonly used to run applications in consistent environments across different machines. Grype can scan these images directly, which is useful for checking software before deploying it or distributing it to others. It can also scan a local directory or an SBOM (Software Bill of Materials), which is a structured list of all the components that go into a piece of software.
The tool covers a wide range of software types. On the operating system side, it recognizes packages from Linux distributions including Alpine, Debian, Ubuntu, Red Hat, Oracle Linux, and Amazon Linux. On the programming language side, it handles packages from Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust, and others. This breadth means a single scan can catch vulnerabilities across many layers of a typical software project.
Beyond listing vulnerabilities, Grype can help prioritize them using scoring systems like EPSS (a probability estimate that a vulnerability will be exploited in the wild) and KEV (a list of vulnerabilities known to be actively exploited). It also supports OpenVEX, a format for declaring that certain vulnerabilities are not exploitable in a specific context, which helps filter out results that do not actually apply.
Installation takes a single shell command, or Grype can be installed through package managers such as Homebrew. Running a scan is equally simple: pass it an image name or a folder path and it prints a table of findings. The project is sponsored by Anchore and released under the Apache 2.0 license.
Where it fits
- Scan a Docker container image before deploying it to find known security vulnerabilities across all its installed packages.
- Add a vulnerability check to a CI pipeline that blocks merges when high-severity issues are detected.
- Generate a report of all unpatched security issues in a Python or Node.js project's dependencies.