SYSTEM Cited by 1 source
grype
grype is an open-source CLI tool by Anchore (anchore/grype on GitHub) that scans a container image, filesystem, or SBOM for known vulnerabilities. It is the consumer-side companion to syft — the typical pipeline generates an SBOM with syft once, then scans it with grype repeatedly as new CVEs are published.
What grype does
Given a target (container image / filesystem path / SBOM file / package manifest), grype:
- Identifies components, either by cataloguing the target directly (grype embeds syft as a library for this) or by parsing a pre-generated SBOM.
- Matches each (component, version) pair against its vulnerability database, which is aggregated from NVD, GitHub Security Advisories, distro advisory feeds (Alpine, Debian, Ubuntu, RHEL and others), and similar sources.
- Emits a report of findings: CVE / GHSA ID, severity, the affected package and version, and the fix version(s) where the upstream advisory records one.
Key practical detail: SBOM-as-input decouples scan time from build time. Once the SBOM is generated for a deploy, every new CVE published thereafter can be checked against the existing SBOM without rebuilding or re-pulling the container, which is what makes "which of our historical deploys were vulnerable to CVE-X when it was announced?" retrospectives cheap. Two caveats follow from the same property: grype can only flag what the SBOM generator catalogued (a statically linked or vendored dependency that syft missed is invisible to grype), and a scan is only as current as the local vulnerability database, so the DB must be refreshed (grype does this on each run by default; `grype db update` / `grype db status` make it explicit) before a periodic sweep is trusted.
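The scan-once, query-repeatedly workflow above, as an added example that is not code from the grype project or from the Zalando source. It assumes reports were produced with `syft <image> -o cyclonedx-json=sbom.json` followed by `grype sbom:sbom.json -o json`, and it post-processes those JSON reports in Python: a severity gate that mirrors grype's `--fail-on` / `--only-fixed` behaviour, and the retrospective query "which deploys carried CVE-X". The report fragments, image tags, package names, versions and vulnerability IDs are constructed placeholders that follow the shape of `grype -o json` output (top-level `matches`, each with `vulnerability`, `relatedVulnerabilities` and `artifact`); they are not real findings.

```python
"""Post-process grype JSON reports: severity gate and CVE retrospective.

Added example, not grype's own code. Sample data below is constructed by hand
to mirror the `grype -o json` layout; IDs, packages and versions are placeholders.
"""
import json

# grype severities, lowest to highest; anything else (e.g. "Unknown") ranks below all.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]


def _sev_rank(severity):
    s = (severity or "").lower()
    return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else -1


def load_report(path):
    """Read one `grype -o json` report from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report):
    """Flatten a report into (id, severity, package, version, fix_versions) rows."""
    rows = []
    for m in report.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fix = tuple(v.get("fix", {}).get("versions", []))
        rows.append((v["id"], v.get("severity", "Unknown"), a["name"], a["version"], fix))
    return rows


def fails_on(report, threshold, only_fixed=False):
    """True if any match is at or above `threshold` (like `grype --fail-on`).

    With only_fixed=True, matches whose advisory has no fix yet are ignored,
    the same filtering `--only-fixed` applies.
    """
    t = _sev_rank(threshold)
    for m in report.get("matches", []):
        v = m["vulnerability"]
        if only_fixed and v.get("fix", {}).get("state") != "fixed":
            continue
        if _sev_rank(v.get("severity")) >= t:
            return True
    return False


def retrospective(reports, cve_id):
    """Which deploys carried `cve_id`? Returns sorted (deploy, package, version).

    Both the primary match id and grype's relatedVulnerabilities are checked, so a
    GHSA-keyed match that aliases the CVE is still found.
    """
    hits = []
    for deploy, report in reports.items():
        for m in report.get("matches", []):
            ids = [m["vulnerability"]["id"]]
            ids += [r["id"] for r in m.get("relatedVulnerabilities", [])]
            if cve_id in ids:
                hits.append((deploy, m["artifact"]["name"], m["artifact"]["version"]))
    return sorted(hits)


# ---- constructed sample corpus (placeholder IDs, packages and image tags) ----
def _match(vid, severity, pkg, version, fix_versions, fix_state, related=()):
    return {
        "vulnerability": {"id": vid, "severity": severity,
                          "fix": {"versions": list(fix_versions), "state": fix_state}},
        "relatedVulnerabilities": [{"id": r} for r in related],
        "artifact": {"name": pkg, "version": version, "type": "deb"},
    }


SAMPLE_REPORTS = {
    "app-a:2023-01": {"matches": [
        _match("CVE-0000-0001", "High", "examplelib", "1.2.0", ["1.2.5"], "fixed"),
        _match("CVE-0000-0002", "Low", "otherlib", "3.0.1", [], "not-fixed"),
    ]},
    "app-a:2023-03": {"matches": [
        _match("CVE-0000-0002", "Low", "otherlib", "3.0.1", [], "not-fixed"),
    ]},
    "app-b:2023-02": {"matches": [
        _match("GHSA-xxxx-xxxx-xxxx", "Critical", "examplelib", "1.1.0", ["1.2.5"],
               "fixed", related=["CVE-0000-0001"]),
    ]},
}

if __name__ == "__main__":
    for deploy, rep in SAMPLE_REPORTS.items():
        print(deploy, "fail-on high:", fails_on(rep, "high"))
        for row in summarize(rep):
            print("   ", row)
    print("deploys affected by CVE-0000-0001:", retrospective(SAMPLE_REPORTS, "CVE-0000-0001"))
```

The retrospective deliberately checks `relatedVulnerabilities` as well as the primary ID: grype keys GitHub-sourced matches by GHSA, and a sweep that only greps for the CVE string would miss those deploys.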
Canonical wiki use (Zalando 2023-04-12)
Named as Zalando's vulnerability scanner over SBOMs:
"syft can generate an SBOM file that can be further parsed with grype to periodically scan the application's SBOMs for vulnerabilities." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game)
At Zalando, grype (or an equivalent matching engine run over the data-lake SBOM corpus; the source names grype but does not detail the deployment) powers the fleet-wide vulnerability sweep pattern: when a new CVE lands, query the stored SBOMs to find every affected app across the fleet instead of rescanning each image.
Seen in
- sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game — canonical wiki mention.
Related
- concepts/sbom-software-bill-of-materials — the input format grype consumes.
- systems/syft — the paired SBOM generator.
- systems/cyclonedx · systems/spdx — accepted SBOM formats.
- patterns/vulnerability-fleet-sweep-via-sbom-query — the downstream pattern grype supports at fleet altitude.