Grype is an open-source vulnerability scanner that identifies known security vulnerabilities in container images, filesystems, and other software artifacts. It is commonly used in DevOps and cloud-native environments to find vulnerable operating-system packages and language-specific dependencies before deployment. Grype works by cataloguing the packages installed in a target and matching them against vulnerability databases; it can scan images stored locally or in remote registries, extracted filesystems, and software bills of materials (SBOMs).[1][2]
| Grype | |
|---|---|
| Developer | Anchore |
| Written in | Go |
| Operating system | Cross-platform |
| Type | Vulnerability scanner |
| License | Apache License 2.0 |
| Website | github.com/anchore/grype |
Grype is developed and maintained by Anchore and is distributed as a command-line interface (CLI) tool.[3] It can be used for periodic scanning of deployed containers to identify newly introduced vulnerabilities, as well as for automated scanning within development pipelines to detect vulnerabilities before containers are promoted to production.[4]
Grype supports multiple Linux distributions, including Alpine, Debian, Ubuntu, Red Hat Enterprise Linux (RHEL), and Amazon Linux, as well as language-specific ecosystems such as Java, Python, JavaScript, Ruby, and Go.[1]
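The pipeline use described above usually takes the form of a gate: Grype is run with JSON output (`grype <image> -o json`, or `grype sbom:./sbom.json -o json` for an SBOM produced by Syft), and the build is failed when a finding meets a severity threshold. The following is an added example of such a gate written for this article; it is not part of the Grype project's code. It assumes the layout of Grype's JSON report (a top-level `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state`/`fix.versions` and `artifact.name`/`artifact.version`); the embedded sample report, its package names and the `CVE-0000-*` identifiers are constructed placeholders, not real findings.

```python
"""Pipeline gate over a Grype JSON report (added example, not Grype's own code).

Usage:  grype <image> -o json > grype.json && python gate.py grype.json
With no argument the constructed SAMPLE_REPORT below is evaluated instead.
"""
import json
import sys

# Grype's severity labels, ranked for comparison (Critical > High > Medium > Low > Negligible).
SEVERITY_RANK = {"negligible": 0, "unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def severity_at_least(severity, threshold):
    """True if a severity as Grype reports it (e.g. "High") meets `threshold`."""
    return SEVERITY_RANK.get(severity.lower(), 0) >= SEVERITY_RANK[threshold.lower()]


def select_findings(report, min_severity="high", only_fixed=False, ignore_ids=()):
    """Return the matches in a parsed Grype report that violate the policy.

    min_severity  lowest severity that fails the build (what `grype --fail-on` does)
    only_fixed    drop findings with no fixed version yet (what `grype --only-fixed` does)
    ignore_ids    vulnerability IDs accepted through an explicit, reviewed exception
    """
    violations = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if vuln["id"] in ignore_ids:
            continue
        if not severity_at_least(vuln.get("severity", "Unknown"), min_severity):
            continue
        # fix.state is one of "fixed", "not-fixed", "wont-fix", "unknown" (assumed layout).
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        violations.append(match)
    return violations


def summarize(match):
    """One line per finding: ID, severity, package, version and the fixed version, if any."""
    vuln, pkg = match["vulnerability"], match["artifact"]
    fixed_in = ", ".join(vuln.get("fix", {}).get("versions", [])) or "none"
    return f"{vuln['id']} {vuln.get('severity', 'Unknown'):<8} {pkg['name']} {pkg['version']} (fix: {fixed_in})"


def gate(report_text, **policy):
    """Parse Grype JSON text and return (passed, report_lines) for the pipeline step."""
    violations = select_findings(json.loads(report_text), **policy)
    return (not violations, [summarize(m) for m in violations])


# Constructed sample in Grype's JSON layout; identifiers and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.3-r1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "examplelib", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["0.9.1"], "state": "fixed"}},
         "artifact": {"name": "example-pkg", "version": "0.9.0", "type": "python"}},
    ]
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, lines = gate(text, min_severity="high", only_fixed=False)
    print("\n".join(lines) or "no findings at or above threshold")
    sys.exit(0 if passed else 1)
```

Two practical caveats: the gate is only as current as the vulnerability database Grype matched against, so a scheduled `grype db update` (or letting Grype's own auto-update run) belongs in the same pipeline; and `only_fixed=True` hides unfixed findings rather than resolving them, so it is a triage convenience, not a risk reduction, and ignored IDs should be tracked with an expiry.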
History and development
Grype was originally released in October 2020[5] as an open-source vulnerability scanning tool by Anchore, as part of its broader container security tooling. It replaced the now-deprecated Anchore Inline Scanning script, which reached end-of-life in 2022.[6] It was developed alongside Syft, an open-source software bill of materials (SBOM) generation tool, with the goal of improving visibility into software dependencies and their associated vulnerabilities in containerized environments.[3]
As containerized application deployment and software supply chain security practices expanded, tools such as Grype were increasingly used to scan both container images and filesystems for known vulnerabilities.[6]
References
- [1] "Grype: Open-source vulnerability scanner for container images, filesystems". Help Net Security. 2024-07-18. Retrieved 2026-01-06.
- [2] "How to find vulnerabilities in containers and files with Grype". How-To Geek. 2022-02-08. Retrieved 2026-01-06.
- [3] "Open Source Project of the Week: Syft and Grype". SD Times. 2021-10-22. Retrieved 2026-01-06.
- [4] "11 open source automated penetration testing tools". TechTarget. 2023-05-15. Retrieved 2026-01-06.
- [5] "Anchore unveils new open source tools Syft and Grype for automated DevSecOps pipeline security". Open Source For You. 2020-10-06. Retrieved 2026-01-06.
- [6] "Scan container images for vulnerabilities with Grype". The New Stack. 2021-11-02. Retrieved 2026-01-06.