Scanning Container Images with Grype
Overview
Grype is an open-source vulnerability scanner from Anchore that inspects container images, filesystems, and SBOMs for known CVEs. It leverages Syft-generated SBOMs to match packages against multiple vulnerability databases including NVD, GitHub Advisories, and OS-specific feeds.
Prerequisites
- Docker or Podman installed
- Grype CLI installed (
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin) - Syft CLI (optional, for SBOM generation)
- Network access to pull vulnerability databases
Core Commands
Install Grype
# Install via script
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Verify installation
grype version
# Install via Homebrew (macOS/Linux)
brew install grypeScan Container Images
# Scan a Docker Hub image
grype nginx:latest
# Scan from Docker daemon
grype docker:myapp:1.0
# Scan a local archive
grype docker-archive:image.tar
# Scan an OCI directory
grype oci-dir:path/to/oci/
# Scan a Singularity image
grype sif:image.sif
# Scan a local directory / filesystem
grype dir:/path/to/projectOutput Formats
# Default table output
grype alpine:3.18
# JSON output for pipeline processing
grype alpine:3.18 -o json > results.json
# CycloneDX SBOM output
grype alpine:3.18 -o cyclonedx
# SARIF output for GitHub Security tab
grype alpine:3.18 -o sarif > grype.sarif
# Template-based custom output
grype alpine:3.18 -o template -t /path/to/template.tmplFiltering and Thresholds
# Fail if vulnerabilities meet or exceed a severity
grype nginx:latest --fail-on critical
# Show only fixed vulnerabilities
grype nginx:latest --only-fixed
# Show only non-fixed vulnerabilities
grype nginx:latest --only-notfixed
# Filter by severity
grype nginx:latest --only-fixed -o json | jq '[.matches[] | select(.vulnerability.severity == "High")]'
# Explain a specific CVE
grype nginx:latest --explain --id CVE-2024-1234Working with SBOMs
# Generate SBOM with Syft then scan
syft nginx:latest -o spdx-json > nginx-sbom.json
grype sbom:nginx-sbom.json
# Scan CycloneDX SBOM
grype sbom:bom.jsonConfiguration File (.grype.yaml)
# .grype.yaml
check-for-app-update: false
fail-on-severity: "high"
output: "json"
scope: "squashed" # or "all-layers"
quiet: false
ignore:
- vulnerability: CVE-2023-12345
reason: "False positive - not exploitable in our context"
- vulnerability: CVE-2023-67890
fix-state: unknown
db:
auto-update: true
cache-dir: "/tmp/grype-db"
max-allowed-built-age: 120h # 5 days
match:
java:
using-cpes: true
python:
using-cpes: true
javascript:
using-cpes: falseCI/CD Integration
# GitHub Actions
- name: Scan image with Grype
uses: anchore/scan-action@v4
with:
image: "myregistry/myapp:${{ github.sha }}"
fail-build: true
severity-cutoff: high
output-format: sarif
id: scan
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}# GitLab CI
container_scan:
stage: test
image: anchore/grype:latest
script:
- grype ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} --fail-on high -o json > grype-report.json
artifacts:
reports:
container_scanning: grype-report.jsonDatabase Management
# Check database status
grype db status
# Manually update vulnerability database
grype db update
# Delete cached database
grype db delete
# List supported database providers
grype db listKey Vulnerability Sources
| Source | Coverage |
|---|---|
| NVD | CVEs across all ecosystems |
| GitHub Advisories | Open source package vulnerabilities |
| Alpine SecDB | Alpine Linux packages |
| Amazon Linux ALAS | Amazon Linux AMI |
| Debian Security Tracker | Debian packages |
| Red Hat OVAL | RHEL, CentOS |
| Ubuntu Security | Ubuntu packages |
| Wolfi SecDB | Wolfi/Chainguard images |
Best Practices
- Pin image tags - Always scan specific digests, not
latest - Fail on severity - Set
--fail-on highorcriticalin CI gates - Use SBOMs - Generate SBOMs with Syft for reproducible scanning
- Suppress false positives - Use
.grype.yamlignore rules with documented reasons - Scan all layers - Use
--scope all-layersto catch vulnerabilities in intermediate layers - Automate database updates - Keep the vulnerability database current in CI runners
- Compare scans - Track vulnerability count over time for regression detection
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC7.1 (Monitoring), CC8.1 (Change Management)
- ISO 27001: A.14.2 (Secure Development), A.12.6 (Technical Vulnerability Mgmt)
- NIST 800-53: CM-7 (Least Functionality), SI-2 (Flaw Remediation), SC-28 (Protection at Rest)
- NIST CSF: PR.IP (Information Protection), PR.DS (Data Security)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add scanning-container-images-with-grype
# Or load dynamically via MCP
grc.load_skill("scanning-container-images-with-grype")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.