
Vulnerability Scanning

Vulnerability Scanning User Guide

Vulnerability scanning is the automated process of proactively identifying known vulnerabilities and other security weaknesses in software and systems. It matters because it lets developers and organizations find and fix security holes before malicious actors discover and exploit them, protecting data and maintaining system integrity.

Grype is an open-source vulnerability scanner specifically designed to analyze container images and filesystems. It works by comparing the software components it finds against a database of known vulnerabilities, providing a report of potential risks so they can be addressed.

  • Get Started - Install Grype, scan an SBOM and container for vulnerabilities.
  • Vulnerability Database - Learn how to manage the vulnerability database used by Grype.

1 - Data Sources

Vulnerability Data Sources

2 - Getting Started

Vulnerability Scanning Getting Started

Introduction

Grype is an easy-to-integrate open source vulnerability scanning tool for container images and filesystems.

Install the latest Grype release

Grype is provided as a single compiled executable. Issue the command for your platform to download the latest release of Grype. The full list of official and community maintained packages can be found on the installation page.

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
brew install grype
nuget install Anchore.Grype

Once installed, ensure the grype binary is in the PATH for your system.

Scan a container for vulnerabilities

grype <image>

Scan a public container image for vulnerabilities

Run grype with default options against a small container image, which will be pulled from DockerHub. On first run, Grype will also download the latest vulnerability database. The output is a simple human-readable table.

grype alpine:latest
 ✔ Loaded image alpine:latest
 ✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9…
 ✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885…
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File metadata                   [82 locations]
   ├── ✔ File digests                    [82 files]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
   └── by status:   0 fixed, 6 not-fixed, 0 ignored
NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY
busybox        1.37.0-r12            apk   CVE-2024-58251  Low
busybox        1.37.0-r12            apk   CVE-2025-46394  Low
busybox-binsh  1.37.0-r12            apk   CVE-2024-58251  Low
busybox-binsh  1.37.0-r12            apk   CVE-2025-46394  Low
ssl_client     1.37.0-r12            apk   CVE-2024-58251  Low
ssl_client     1.37.0-r12            apk   CVE-2025-46394  Low

Scan an existing SBOM for vulnerabilities

Grype can scan containers directly, but it can also scan an existing SBOM document (for example, one generated by Syft), which avoids re-cataloging the image on every scan.

grype alpine_latest-spdx.json

Grype should give similar output to the previous table.

Create a vulnerability report in JSON format

The JSON-formatted output from Grype may be processed or visualized by other tools.

Create the vulnerability report with the --output json option, and pipe it through jq to pretty-print it.

grype alpine:latest --output json | jq . > vuln_report.json

Example (the progress lines are written to stderr, so only the JSON report reaches the file):

 ✔ Pulled image
 ✔ Loaded image alpine:latest
 ✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9869168ffced1cb25b2470a3d9fe15e
 ✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885b8c0815de3e423e5c5f789c398b45
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [82 files]
   ├── ✔ Executables                     [17 executables]
   └── ✔ File metadata                   [82 locations]
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
   └── by status:   0 fixed, 6 not-fixed, 0 ignored
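The JSON report is what you feed into a CI gate or a triage script. The following added example (not part of Grype or the original page) parses a report in the shape `grype <image> --output json` produces, counts findings by severity, and lists only the findings at or above a chosen severity that already have an upstream fix, mirroring what Grype's own --only-fixed and --fail-on options do but with the data in hand for further processing. The embedded report is constructed for illustration: the busybox entries follow the table above, while "EXAMPLE-0001" and "libexample" are placeholders, not a real vulnerability or package.

```python
"""Triage a Grype JSON report: summarize by severity and gate on a threshold.

Added example, not part of the Grype project. It reads the fields Grype
emits in `--output json`: matches[].vulnerability.{id,severity,fix.state,
fix.versions} and matches[].artifact.{name,version,type}. The embedded
report is constructed; "EXAMPLE-0001"/"libexample" are placeholders.
"""
import json
import sys
from collections import Counter

# Grype severity labels in ascending order of urgency.
SEVERITY_RANK = {
    "Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4,
}

# Constructed sample in the shape of Grype's JSON output (trimmed to the fields used).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-58251", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "busybox", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2025-46394", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "busybox-binsh", "version": "1.37.0-r12", "type": "apk"}},
        # Placeholder finding (not a real CVE or package) that does have a fix.
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "High",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "2.0.0", "type": "apk"}},
    ]
})


def load_report(text):
    """Parse Grype JSON text and return the list of matches."""
    return json.loads(text).get("matches", [])


def severity_counts(matches):
    """Count matches per severity label, like Grype's 'by severity' summary."""
    return Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)


def actionable(matches, min_severity="High", only_fixed=True):
    """Return (id, package, installed, fixed-in) for findings at/above the threshold.

    only_fixed drops findings with no upstream fix: nothing can be patched yet,
    so they are tracked rather than blocking a build (same idea as --only-fixed).
    """
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for m in matches:
        vuln, pkg = m["vulnerability"], m["artifact"]
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0) < threshold:
            continue
        fix = vuln.get("fix", {})
        if only_fixed and fix.get("state") != "fixed":
            continue
        out.append((vuln["id"], pkg["name"], pkg["version"],
                    ",".join(fix.get("versions", []))))
    return out


def gate(matches, min_severity="High", only_fixed=True):
    """CI exit status: 1 if any actionable finding remains, else 0."""
    return 1 if actionable(matches, min_severity, only_fixed) else 0


def main(argv):
    # Usage: python triage.py vuln_report.json  (falls back to the sample report)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    matches = load_report(text)
    for sev, n in sorted(severity_counts(matches).items(),
                         key=lambda kv: -SEVERITY_RANK.get(kv[0], 0)):
        print(f"{sev:<10} {n}")
    for vid, name, ver, fixed in actionable(matches):
        print(f"FAIL {vid} {name} {ver} -> fixed in {fixed or 'n/a'}")
    return gate(matches)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python triage.py vuln_report.json` after the command above; with the sample report it prints two Low and one High finding and exits 1 because the placeholder High finding has a fix available. The two busybox findings are excluded from the gate because their fix state is not-fixed, which is exactly the split Grype's "by status" summary line reports.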

Create an HTML Vulnerability Report

3 - Publishing the Vulnerability Database

Publishing the Grype Vulnerability Database

TODO

4 - Vulnerability Database

Using the Grype Vulnerability Database

Introduction

Grype uses a locally cached database of known vulnerabilities when searching a container, directory, or SBOM for security vulnerabilities. Anchore collates vulnerability data from common feeds, and publishes that data online, at no cost to users.

Updating the local database

When Grype is launched, it checks for an existing vulnerability database, and looks for an updated one online. If available, Grype will automatically download the new database.

Users can manage the locally cached database with the grype db command:

Check and update the database

Manually checking for updates shouldn’t be necessary, due to Grype automatically doing this on launch. However, it is possible to force Grype to look for an updated vulnerability database.

grype db check

A message will indicate if no updates are available since the last download.

Installed DB version v6.0.2 was built on 2025-05-08T04:08:40Z
No update available

If the database is outdated, a message such as this will be displayed.

Installed DB version v6.0.2 was built on 2025-05-07T04:08:13Z
Updated DB version v6.0.2 was built on 2025-05-08T04:08:40Z
You can run 'grype db update' to update to the latest db
[0000] ERROR db upgrade available

Running grype db update shows a short animation with the progress of downloading, uncompressing and hydrating (creating indexes on) the database, followed by a message reporting the successful update.

grype db update
 ✔ Vulnerability DB                [updated]
Vulnerability database updated to latest version!
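Automatic updates only help when the scanner can reach the feed; in an air-gapped or proxy-restricted pipeline a scan can quietly run against a database that is days old and miss recently published vulnerabilities. The following added example (not part of Grype or the original page) parses the "Installed DB version ... was built on ..." line that grype db check prints, as shown above, computes the database age, and fails when it exceeds a chosen limit. It captures stdout and stderr together and ignores the exit status, since grype db check reports an error when an upgrade is available, as the ERROR line above shows. The sample output is constructed from the lines on this page.

```python
"""Fail a pipeline if the local Grype vulnerability DB is too old.

Added example, not part of Grype. Parses the "Installed DB version <v> was
built on <RFC3339>" line printed by `grype db check` (format as shown in
this guide) and flags a database older than max_age_days.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

BUILT_RE = re.compile(r"Installed DB version (\S+) was built on (\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample, copied from the outdated-database case shown in this guide.
SAMPLE_OUTPUT = """\
Installed DB version v6.0.2 was built on 2025-05-07T04:08:13Z
Updated DB version v6.0.2 was built on 2025-05-08T04:08:40Z
You can run 'grype db update' to update to the latest db
[0000] ERROR db upgrade available
"""


def parse_ts(text):
    """Parse Grype's UTC RFC3339 timestamp into an aware datetime."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def parse_built(output):
    """Return (db_version, build_time) from `grype db check` output, or None."""
    m = BUILT_RE.search(output)
    if not m:
        return None
    return m.group(1), parse_ts(m.group(2))


def db_age_days(output, now=None):
    """Age of the installed DB in days; None if the build line is missing.

    `now` may be omitted (current UTC time) or given as an RFC3339 string so
    the check is reproducible.
    """
    parsed = parse_built(output)
    if parsed is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_ts(now)
    return (now - parsed[1]) / timedelta(days=1)


def is_stale(output, now=None, max_age_days=2.0):
    """True when the DB is older than max_age_days or its age cannot be read.

    An unreadable build line is treated as stale on purpose: a scan whose DB
    state is unknown should not pass a security gate.
    """
    age = db_age_days(output, now)
    return age is None or age > max_age_days


def main():
    # `grype db check` exits non-zero when an update exists, so do not use
    # check=True; the build line is what matters here.
    proc = subprocess.run(["grype", "db", "check"], capture_output=True, text=True)
    out = proc.stdout + proc.stderr
    if is_stale(out):
        print("vulnerability DB is stale or unreadable; run 'grype db update'")
        return 1
    print(f"vulnerability DB built {db_age_days(out):.1f} days ago")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Pair this with grype db update in the same pipeline step, or run the scan with network access disabled only after this check passes, so a stale database becomes a visible failure rather than a silent gap in coverage.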