Recipe

Grype Vulnerability Scanner

Container and filesystem vulnerability scanning with Anchore Grype — find known CVEs in your images before they hit production.

Overview

Grype is a fast, open-source vulnerability scanner for container images and filesystems. It pulls from multiple CVE databases including NVD, GitHub Advisory, and distro-specific feeds. Integrate it into CI to block builds when critical vulnerabilities are detected.

Quick Start

grype dir:./my-project --fail-on critical

Scans a local directory and exits non-zero if any critical CVE is found.

Docker Image Scan

grype docker:nginx:latest -o json | jq .

Outputs a structured JSON report of all matched vulnerabilities.

CI Integration

Add Grype as a step in your pipeline. Use the --fail-on flag to enforce policy. For GitHub Actions, the official anchore/scan-action wraps Grype with SARIF output.

Key Flags

  • --fail-on — severity threshold (negligible, low, medium, high, critical); the scan exits non-zero when any match is at or above that severity
  • -o — output format (json, table, cyclonedx, sarif)
  • --only-fixed — show only vulnerabilities with available fixes
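As an added example (not Grype's own code and not part of the original recipe), a small Python policy gate that reproduces the --fail-on and --only-fixed semantics over a grype -o json report, so a pipeline step can log exactly which findings blocked the build and flag unclassified ones for review instead of dropping them. The report below is a constructed sample that mirrors the matches[].vulnerability and matches[].artifact fields of Grype's JSON output; the CVE ids in it are placeholders.

```python
import json

# Severity ladder used by --fail-on, lowest to highest.
SEVERITIES = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample report (placeholder CVE ids) in the shape of `grype -o json`:
# matches[].vulnerability.{id,severity,fix.state} and matches[].artifact.{name,version}.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libfoo", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libbar", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "libbaz", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Unknown",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "libqux", "version": "3.1.0"}},
]})

def rank(severity):
    """Position of a Grype severity on the ladder; -1 for values Grype could not classify."""
    s = severity.lower()
    return SEVERITIES.index(s) if s in SEVERITIES else -1

def gate(report_json, fail_on, only_fixed=False):
    """Split a report into (blocking, unknown) findings.
    blocking: matches at or above fail_on, restricted to fixed ones when only_fixed is set.
    unknown: matches with an unclassified severity, surfaced for manual review."""
    threshold = SEVERITIES.index(fail_on.lower())
    blocking, unknown = [], []
    for m in json.loads(report_json)["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        fix_state = v.get("fix", {}).get("state", "unknown")
        finding = (v["id"], a["name"], a["version"], v["severity"], fix_state)
        if rank(v["severity"]) < 0:
            unknown.append(finding)
        elif only_fixed and fix_state != "fixed":
            continue  # mirrors --only-fixed: ignore findings with no available fix
        elif rank(v["severity"]) >= threshold:
            blocking.append(finding)
    return blocking, unknown

def exit_code(report_json, fail_on, only_fixed=False):
    """1 when anything blocks, else 0: the same contract as --fail-on."""
    return 1 if gate(report_json, fail_on, only_fixed)[0] else 0

if __name__ == "__main__":
    blocking, unknown = gate(SAMPLE_REPORT, "high")
    for f in blocking: print("BLOCK ", *f)
    for f in unknown:  print("REVIEW", *f)
    raise SystemExit(exit_code(SAMPLE_REPORT, "high"))
```

Run it against a real report with grype docker:nginx:latest -o json > report.json and pass the file contents to gate() to get the same threshold behaviour with a readable audit trail.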

Pro tip: Combine Grype with Syft for SBOM generation. Syft catalogs packages, Grype maps them to CVEs — together they give you full software supply chain visibility.