Grype

Grype
Grype
Developer	Anchore
Written in	Go
Operating system	Cross-platform
Type	Vulnerability scanner
License	Apache License 2.0
Website	github.com/anchore/grype

Grype is an open-source vulnerability scanner designed to identify known security vulnerabilities in container images, filesystems, and software artifacts. It is commonly used in DevOps and cloud-native environments to detect vulnerabilities in operating system packages and language-specific dependencies prior to deployment. Grype scans container images and filesystems by comparing installed packages against vulnerability databases, and supports scanning images stored locally or in remote registries, as well as extracted file systems and software bill of materials (SBOMs).^[1]^[2]

Grype is developed and maintained by Anchore and is distributed as a command-line interface (CLI) tool.^[3] It can be used for periodic scanning of deployed containers to identify newly introduced vulnerabilities, as well as for automated scanning within development pipelines to detect vulnerabilities before containers are promoted to production.^[4]

Grype supports multiple Linux distributions, including Alpine, Debian, Ubuntu, Red Hat Enterprise Linux (RHEL), and Amazon Linux, as well as language-specific ecosystems such as Java, Python, JavaScript, Ruby, and Go.^[1]

History and development

Grype was originally released in October 2020 ^[5] as an open-source vulnerability scanning tool by Anchore as part of its broader container security tooling ecosystem. It replaced the now-deprecated Anchore Inline Scanning script, which reached end-of-life in 2022.^[6] It was developed alongside Syft, an open-source software bill of materials (SBOM) generation tool, with the goal of improving visibility into software dependencies and associated vulnerabilities in containerized environments.^[3]

As containerized application deployment and software supply chain security practices expanded, tools such as Grype were increasingly used to scan both container images and filesystems for known vulnerabilities.^[6]

References

^ ^a ^b "Grype: Open-source vulnerability scanner for container images, filesystems". Help Net Security. 2024-07-18. Retrieved 2026-01-06.
^ "How to find vulnerabilities in containers and files with Grype". How-To Geek. 2022-02-08. Retrieved 2026-01-06.
^ ^a ^b "Open Source Project of the Week: Syft and Grype". SD Times. 2021-10-22. Retrieved 2026-01-06.
^ "11 open source automated penetration testing tools". TechTarget. 2023-05-15. Retrieved 2026-01-06.
^ "Anchore unveils new open source tools Syft and Grype for automated DevSecOps pipeline security". Open Source For You. 2020-10-06. Retrieved 2026-01-06.
^ ^a ^b "Scan container images for vulnerabilities with Grype". The New Stack. 2021-11-02. Retrieved 2026-01-06.

External links

grype on GitHub

[helpnetsecurity-grype-2024-1] "Grype: Open-source vulnerability scanner for container images, filesystems". Help Net Security. 2024-07-18. Retrieved 2026-01-06.

[howtogeek-grype-2] "How to find vulnerabilities in containers and files with Grype". How-To Geek. 2022-02-08. Retrieved 2026-01-06.

[sdtimes-syft-grype-3] "Open Source Project of the Week: Syft and Grype". SD Times. 2021-10-22. Retrieved 2026-01-06.

[techtarget-oss-pentest-4] "11 open source automated penetration testing tools". TechTarget. 2023-05-15. Retrieved 2026-01-06.

[opensourceforu-anchore-grype-5] "Anchore unveils new open source tools Syft and Grype for automated DevSecOps pipeline security". Open Source For You. 2020-10-06. Retrieved 2026-01-06.

[newstack-grype-6] "Scan container images for vulnerabilities with Grype". The New Stack. 2021-11-02. Retrieved 2026-01-06.

[1]