Using grype - SethBodine/audit-tools GitHub Wiki

Using grype

Grype is a vulnerability scanner for container images and filesystems. It uses the Anchore vulnerability database and supports scanning images from Docker Hub, GHCR, and other registries, as well as local directories, tarballs, and SBOMs.

  • Scans container images, filesystems, and SBOMs
  • Supports Docker, OCI, and registry-based images
  • Integrates with syft for SBOM-driven scanning
  • Outputs to table, JSON, CycloneDX, and SARIF

Prepare the Environment

No setup required. Run from the shell.

Gather Data

Container Image

grype <image-name>:<tag>               # e.g. grype nginx:latest
grype <image-name> --only-fixed        # only show vulnerabilities with available fixes
grype <image-name> --fail-on high      # exit non-zero if HIGH or above found

Filesystem / Local Directory

grype dir:<path>                       # e.g. grype dir:.

Tarball

grype docker-archive:<path/to/image.tar>
grype oci-archive:<path/to/image.tar>

SBOM from syft

syft <image-name> -o json | grype

Filter by Severity

grype <image-name> --fail-on critical

Output to File

grype <image-name> -o json > /output/grype-results.json
grype <image-name> -o sarif > /output/grype-results.sarif
grype <image-name> -o cyclonedx-json > /output/grype-sbom.json
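Once a JSON report is on disk, the same severity gate and fixed-only filter can be applied after the fact. This added example (not grype's or the audit-tools project's code) parses a constructed grype-style report, counts findings by severity, lists the fixable ones and re-implements the --fail-on threshold so a CI job can gate on the saved file; the field names follow grype's JSON output and the CVE ids are placeholders.

```python
"""Triage a grype JSON report (the file written by `grype <image> -o json`):
count findings by severity, list fixable ones (like --only-fixed) and
reproduce the --fail-on gate for CI. Added example, not grype's own code;
the sample report is constructed and uses placeholder CVE ids."""
import json
import sys
from collections import Counter

# Lowest to highest; --fail-on trips on the threshold and everything above it.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed stand-in for /output/grype-results.json, following grype's
# matches[].vulnerability.{id,severity,fix} / matches[].artifact.{name,version} layout.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["1.2.3-2"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "openexample", "version": "3.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "zdemo", "version": "1.0", "type": "deb"}},
]})

def load_matches(report_text):
    """Flatten grype's nested matches into one dict per finding."""
    rows = []
    for m in json.loads(report_text).get("matches", []):
        vuln, art, fix = m["vulnerability"], m["artifact"], m["vulnerability"].get("fix", {})
        rows.append({"id": vuln["id"], "severity": vuln.get("severity", "Unknown").lower(),
                     "package": art["name"], "version": art["version"],
                     "fix_state": fix.get("state", "unknown"), "fix_versions": fix.get("versions", [])})
    return rows

def count_by_severity(rows):
    return dict(Counter(r["severity"] for r in rows))

def fixable(rows):
    """Equivalent of --only-fixed: findings for which a patched version exists."""
    return [r for r in rows if r["fix_state"] == "fixed" and r["fix_versions"]]

def exceeds(rows, threshold):
    """True if any finding is at or above threshold; 'unknown' severity never trips the gate."""
    floor = SEVERITY_ORDER.index(threshold.lower())
    return any(r["severity"] in SEVERITY_ORDER[floor:] for r in rows)

if __name__ == "__main__":
    rows = load_matches(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    print(count_by_severity(rows))
    for r in fixable(rows):
        print(f"{r['id']} {r['package']} {r['version']} -> upgrade to {r['fix_versions'][0]}")
    sys.exit(1 if exceeds(rows, "high") else 0)  # mirrors: grype <image> --fail-on high
```

Run it as `python triage.py /output/grype-results.json` against a real report; with no argument it uses the embedded sample.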

Known Issues

  • The vulnerability database is downloaded on first run and cached locally. In air-gapped or offline environments the database will be stale — run grype db update when network access is available to refresh it.
  • Grype matches on package metadata present in the image or filesystem. If a package was installed outside of a package manager (e.g. compiled from source) it will not appear in results.
  • False positives can occur where a package name matches a vulnerability entry but the actual code path is not present. Review matches in context before reporting.
