| name | container-grype | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| description | Container vulnerability scanning and dependency risk assessment using Grype with CVSS severity ratings, EPSS exploit probability, and CISA KEV indicators. Use when: (1) Scanning container images and filesystems for known vulnerabilities, (2) Integrating vulnerability scanning into CI/CD pipelines with severity thresholds, (3) Analyzing SBOMs (Syft, SPDX, CycloneDX) for security risks, (4) Prioritizing remediation based on threat metrics (CVSS, EPSS, KEV), (5) Generating vulnerability reports in multiple formats (JSON, SARIF, CycloneDX) for security toolchain integration. | ||||||||
| version | 0.1.0 | ||||||||
| maintainer | SirAppSec | ||||||||
| category | devsecops | ||||||||
| tags |
|
||||||||
| frameworks |
|
||||||||
| dependencies |
|
||||||||
| references |
Grype is an open-source vulnerability scanner that identifies known security flaws in container images, filesystems, and Software Bill of Materials (SBOM) documents. It analyzes operating system packages (Alpine, Ubuntu, Red Hat, Debian) and language-specific dependencies (Java, Python, JavaScript, Ruby, Go, PHP, Rust) against vulnerability databases to detect CVEs.
Grype emphasizes actionable security insights through:
- CVSS severity ratings for risk classification
- EPSS exploit probability scores for threat assessment
- CISA Known Exploited Vulnerabilities (KEV) indicators
- Multiple output formats (table, JSON, SARIF, CycloneDX) for toolchain integration
Scan a container image:
grype <image-name>Examples:
# Scan official Docker image
grype alpine:latest
# Scan local Docker image
grype myapp:v1.2.3
# Scan filesystem directory
grype dir:/path/to/project
# Scan SBOM file
grype sbom:/path/to/sbom.json- Identify scan target: Determine what to scan (container image, filesystem, SBOM)
- Run Grype scan: Execute
grype <target>to analyze for vulnerabilities - Review findings: Examine CVE IDs, severity, CVSS scores, affected packages
- Prioritize remediation: Focus on critical/high severity, CISA KEV, high EPSS scores
- Apply fixes: Update vulnerable packages or base images
- Re-scan: Verify vulnerabilities are resolved
For automated pipeline security gates:
# Fail build if any critical vulnerabilities found
grype <image> --fail-on critical
# Fail on high or critical severities
grype <image> --fail-on high
# Output JSON for further processing
grype <image> -o json > results.jsonPipeline integration pattern:
- Build container image
- Run Grype scan with
--fail-onthreshold - If scan fails: Block deployment, alert security team
- If scan passes: Continue deployment workflow
- Archive scan results as build artifacts
Use Grype with Syft-generated SBOMs for faster re-scanning:
# Generate SBOM with Syft (separate skill: sbom-syft)
syft <image> -o json > sbom.json
# Scan SBOM with Grype (faster than re-analyzing image)
grype sbom:sbom.json
# Pipe Syft output directly to Grype
syft <image> -o json | grypeBenefits of SBOM workflow:
- Faster re-scans without re-analyzing image layers
- Share SBOMs across security tools
- Archive SBOMs for compliance and auditing
Progress:
[ ] 1. Run full Grype scan with JSON output: grype <target> -o json > results.json
[ ] 2. Use helper script to extract high-risk CVEs: ./scripts/prioritize_cves.py results.json
[ ] 3. Review CISA KEV matches (actively exploited vulnerabilities)
[ ] 4. Check EPSS scores (exploit probability) for non-KEV findings
[ ] 5. Prioritize remediation: KEV > High EPSS > CVSS Critical > CVSS High
[ ] 6. Document remediation plan with CVE IDs and affected packages
[ ] 7. Apply fixes and re-scan to verify
Work through each step systematically. Check off completed items.
Grype supports multiple output formats for different use cases:
Table (default): Human-readable console output
grype <image>JSON: Machine-parseable for automation
grype <image> -o jsonSARIF: Static Analysis Results Interchange Format for IDE integration
grype <image> -o sarifCycloneDX: SBOM format with vulnerability data
grype <image> -o cyclonedx-jsonTemplate: Custom output using Go templates
grype <image> -o template -t custom-template.tmplExclude specific file paths:
grype <image> --exclude '/usr/share/doc/**'Filter by severity:
grype <image> --only-fixed # Only show vulnerabilities with available fixesCreate .grype.yaml to suppress false positives:
ignore:
# Ignore specific CVE
- vulnerability: CVE-YYYY-XXXXX
reason: "False positive - component not used"
# Ignore CVE for specific package
- vulnerability: CVE-YYYY-ZZZZZ
package:
name: example-lib
version: 1.2.3
reason: "Risk accepted - mitigation controls in place"Update vulnerability database:
grype db updateCheck database status:
grype db statusUse specific database location:
grype <image> --db /path/to/database-
Sensitive Data Handling: Scan results may contain package names and versions that reveal application architecture. Store results securely and limit access to authorized security personnel.
-
Access Control: Grype requires Docker socket access when scanning container images. Restrict permissions to prevent unauthorized image access.
-
Audit Logging: Log all Grype scans with timestamps, target details, and operator identity for compliance and incident response. Archive scan results for historical vulnerability tracking.
-
Compliance: Regular vulnerability scanning supports SOC2, PCI-DSS, NIST 800-53, and ISO 27001 requirements. Document scan frequency and remediation SLAs.
-
Safe Defaults: Use
--fail-on criticalas minimum threshold for production deployments. Configure automated scans in CI/CD to prevent vulnerable images from reaching production.
- prioritize_cves.py - Parse Grype JSON output and prioritize CVEs by threat metrics (KEV, EPSS, CVSS)
- grype_scan.sh - Wrapper script for consistent Grype scans with logging and threshold configuration
- cvss_guide.md - CVSS severity rating system and score interpretation
- cisa_kev.md - CISA Known Exploited Vulnerabilities catalog and remediation urgency
- vulnerability_remediation.md - Common remediation patterns for dependency vulnerabilities
- grype-ci-config.yml - CI/CD pipeline configuration for Grype vulnerability scanning
- grype-config.yaml - Example Grype configuration with common ignore patterns
Scan before pushing images to registry:
# Build image
docker build -t myapp:latest .
# Scan locally before push
grype myapp:latest --fail-on critical
# If scan passes, push to registry
docker push myapp:latestRe-scan existing images for newly disclosed vulnerabilities:
# Scan all production images daily
for image in $(docker images --format '{{.Repository}}:{{.Tag}}' | grep prod); do
grype $image -o json >> daily-scan-$(date +%Y%m%d).json
doneCompare base images to choose least vulnerable option:
# Compare Alpine versions
grype alpine:3.18
grype alpine:3.19
# Compare distros
grype ubuntu:22.04
grype debian:12-slim
grype alpine:3.19- CI/CD: Integrate with GitHub Actions, GitLab CI, Jenkins, CircleCI using
--fail-onthresholds - Container Registries: Scan images from Docker Hub, ECR, GCR, ACR, Harbor
- Security Tools: Export SARIF for GitHub Security, JSON for SIEM ingestion, CycloneDX for DependencyTrack
- SDLC: Scan during build (shift-left), before deployment (quality gate), and scheduled (continuous monitoring)
Symptoms: grype db update fails with network errors
Solution:
- Check network connectivity and proxy settings
- Verify firewall allows access to Grype database sources
- Use
grype db update --verbosefor detailed error messages - Consider using offline database:
grype db import /path/to/database.tar.gz
Symptoms: Grype reports vulnerabilities in unused code or misidentified packages
Solution:
- Create
.grype.yamlignore file with specific CVE suppressions - Document justification for each ignored vulnerability
- Periodically review ignored CVEs (quarterly) to reassess risk
- Use
--only-fixedto focus on actionable findings
Symptoms: Grype scans take excessive time on large images
Solution:
- Use SBOM workflow: Generate SBOM once with Syft, re-scan SBOM with Grype
- Exclude unnecessary paths:
--exclude '/usr/share/doc/**' - Use local database cache:
grype db updatebefore batch scans - Scan base images separately to identify inherited vulnerabilities