grype

Expert guidance for Grype, the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. Helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation.

Getting Started

  1. Install the skill using the command above
  2. Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
  3. Reference the skill in your prompt
  4. The AI will use the skill's capabilities automatically

Example Prompts

  • "Deploy the latest build to the staging environment and run smoke tests"
  • "Check the CI pipeline status and summarize any recent failures"

Documentation

Overview

Grype is an open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. This skill helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation.

Instructions

Scanning

```bash
# Install
brew install grype

# Scan a container image
grype alpine:3.19
grype nginx:latest
grype ghcr.io/myorg/myapp:v1.2.3

# Scan a local directory
grype dir:./my-project

# Scan a Dockerfile / built image
docker build -t myapp .
grype myapp

# Scan an SBOM (generated by Syft)
syft myapp -o spdx-json > sbom.json
grype sbom:sbom.json

# Fail on severity threshold
grype myapp --fail-on critical          # Exit 1 if critical CVEs found
grype myapp --fail-on high              # Exit 1 if high or critical

# Output formats
grype myapp -o json                     # JSON for CI processing
grype myapp -o table                    # Human-readable (default)
grype myapp -o sarif                    # SARIF for GitHub Security tab
grype myapp -o cyclonedx                # CycloneDX format
```

CI/CD Integration

```yaml
# .github/workflows/security.yml — Scan images before deployment
jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: myapp:${{ github.sha }}
          output-file: sbom.spdx.json

      - name: Scan for vulnerabilities
        uses: anchore/scan-action@v4
        id: scan
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: high
          output-format: sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

Ignore Known False Positives

```yaml
# .grype.yaml — Configuration and ignore rules
ignore:
  # Ignore specific CVEs (with justification)
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration — we don't use affected feature"

  - vulnerability: CVE-2023-67890
    package:
      name: openssl
      version: 3.1.0
    reason: "Patched in our custom build"

  # Ignore all vulnerabilities in test dependencies
  - package:
      location: "**/test/**"

# Exit non-zero when a match at or above this severity remains after ignore rules
fail-on-severity: high

# DB update settings
db:
  auto-update: true
  validate-age: true
  max-allowed-built-age: 120h          # Re-download if DB is older than 5 days
```
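As an added example (not code from the skill or from the Grype project), the following Python applies the three ignore rules from the `.grype.yaml` above to a constructed sample of `grype -o json` output and then decides pass/fail against a `--fail-on`-style threshold from the Scanning section; it shows that a version-pinned ignore rule leaves other versions of the same package active. The sample report, its CVE ids, package names and paths are constructed placeholders.

```python
# Added example (not the grype skill's or the Grype project's code): apply
# .grype.yaml-style ignore rules to a Grype JSON report, then decide pass/fail
# against a --fail-on threshold. SAMPLE_REPORT is a constructed stand-in for
# `grype myapp -o json` output; its CVE ids, packages and paths are placeholders.
from fnmatch import fnmatch
import json

# Grype severity labels ranked so the threshold check is one integer comparison.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-12345", "severity": "Critical"},
     "artifact": {"name": "libfoo", "version": "1.0", "locations": [{"path": "/usr/lib/libfoo.so"}]}},
    {"vulnerability": {"id": "CVE-2023-67890", "severity": "High"},
     "artifact": {"name": "openssl", "version": "3.1.0", "locations": [{"path": "/usr/lib/libssl.so"}]}},
    {"vulnerability": {"id": "CVE-2023-67890", "severity": "High"},
     "artifact": {"name": "openssl", "version": "3.0.0", "locations": [{"path": "/opt/app/lib/libssl.so"}]}},
    {"vulnerability": {"id": "CVE-2024-00001", "severity": "Medium"},
     "artifact": {"name": "mocha", "version": "10.0.0", "locations": [{"path": "/app/test/mocha/package.json"}]}},
]})

# The three ignore rules from the .grype.yaml above, expressed as dicts.
IGNORE_RULES = [
    {"vulnerability": "CVE-2023-12345"},
    {"vulnerability": "CVE-2023-67890", "package": {"name": "openssl", "version": "3.1.0"}},
    {"package": {"location": "**/test/**"}},
]

def rule_matches(rule, match):
    """A rule applies only when every field it specifies matches (AND semantics)."""
    vuln, pkg = match["vulnerability"], match["artifact"]
    if "vulnerability" in rule and rule["vulnerability"] != vuln["id"]:
        return False
    want = rule.get("package", {})
    if want.get("name", pkg["name"]) != pkg["name"] or want.get("version", pkg["version"]) != pkg["version"]:
        return False
    if "location" in want:
        paths = [loc["path"] for loc in pkg.get("locations", [])]
        if not any(fnmatch(p, want["location"]) for p in paths):
            return False
    return True

def triage(report_json, ignore_rules, fail_on):
    """Return (active, ignored, should_fail) for a report and a --fail-on level."""
    matches = json.loads(report_json)["matches"]
    ignored = [m for m in matches if any(rule_matches(r, m) for r in ignore_rules)]
    active = [m for m in matches if m not in ignored]
    threshold = SEVERITY_RANK[fail_on.lower()]
    should_fail = any(SEVERITY_RANK.get(m["vulnerability"]["severity"].lower(), 0) >= threshold for m in active)
    return active, ignored, should_fail
```

With the rules applied, only the openssl 3.0.0 match stays active, so the run passes at `critical` but fails at `high`; with no ignore rules the critical libfoo match fails it either way.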

Combining with Syft

```bash
# Syft generates SBOMs, Grype scans them — powerful combination

# Generate SBOM
syft myapp:latest -o spdx-json > sbom.json

# Scan the SBOM for vulnerabilities
grype sbom:sbom.json -o json > vulnerabilities.json

# Quick pipeline: build → SBOM → scan → sign
docker build -t myapp:v1.2.3 .
syft myapp:v1.2.3 -o spdx-json > sbom.json
grype sbom:sbom.json --fail-on critical
cosign attest --predicate sbom.json --type spdxjson myapp:v1.2.3
```

Installation

```bash
# macOS
brew install grype

# Linux
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Docker (mount the Docker socket so the container can read local images)
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest myapp:latest
```

Examples

Example 1: Setting up Grype for a microservices project

User request:

I have a Node.js API and a React frontend running in Docker. Set up Grype for monitoring/deployment.

The agent creates the necessary configuration files based on the scanning and configuration patterns shown above, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.

Example 2: Troubleshooting CI/CD integration issues

User request:

Grype is showing errors in our CI/CD integration. Here are the logs: [error output]

The agent analyzes the error output, identifies the root cause by cross-referencing with common Grype issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.

Guidelines

  1. Scan in CI/CD — Run Grype on every build; catch vulnerabilities before they reach production
  2. Fail on high/critical — Use --fail-on high in CI; don't deploy images with known high-severity CVEs
  3. SBOM + scan — Generate SBOM with Syft, scan with Grype, attach both to the image with Cosign
  4. Ignore with justification — When ignoring CVEs, document why in .grype.yaml; auditors need to see the reasoning
  5. Update the vulnerability DB — Grype uses a local vulnerability database; ensure it's updated daily in CI
  6. SARIF for GitHub — Output SARIF format and upload to GitHub Security tab; developers see CVEs inline on PRs
  7. Base image matters — Most CVEs come from the base image; use minimal bases (distroless, alpine, scratch) to reduce attack surface
  8. Scan running containers — Periodically scan deployed images; new CVEs are discovered daily against existing packages

Information

Version: 1.0.0
Author: terminal-skills
Category: DevOps
License: Apache-2.0