Vulnerability Database
TL;DR
- Grype uses a locally cached database of known vulnerabilities
- Database auto-updates on each Grype launch when a newer version is available
- Manage manually with grype db check and grype db update
- Database published by Anchore at no cost from multiple upstream feeds
Grype uses a locally cached database of known vulnerabilities when searching a container, directory, or SBOM for security vulnerabilities. Anchore collates vulnerability data from common feeds, and publishes that data online, at no cost to users.
Learn more
Find out more about the vulnerability data sources at Vulnerability Data Sources.
Updating the local database
When Grype is launched, it checks for an existing vulnerability database, and looks for an updated one online. If available, Grype will automatically download the new database.
Database age validation
Grype will automatically fail scans if the vulnerability database is more than 5 days old.
You can disable this behavior or adjust the age threshold in your configuration:
- Set db.validate-age: false to disable age validation
- Adjust db.max-allowed-built-age to change the threshold (e.g., 168h for 7 days)
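The age check described above, modelled in Python as an added example (this is not Grype's code). It assumes the threshold is a Go-style duration string built from h/m/s components, which is why 7 days is written as 168h; the function names and the sample timestamps are hypothetical.

```python
"""Model of the database age check (added example, not Grype's implementation)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: thresholds are Go-style durations such as "168h" or "1h30m".
# Only h/m/s are accepted here; there is no day unit, so "7d" is rejected.
_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([a-z]+)")


def parse_duration(text: str) -> timedelta:
    """Parse a duration made of h/m/s components; raise ValueError otherwise."""
    pos, seconds = 0, 0.0
    for match in _TOKEN.finditer(text):
        # Components must be contiguous and use a known unit.
        if match.start() != pos or match.group(2) not in _UNITS:
            raise ValueError(f"unsupported duration: {text!r}")
        seconds += float(match.group(1)) * _UNITS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=seconds)


def check_db_age(built, now, max_allowed_built_age="120h", validate_age=True):
    """Return (ok, message). The 120h default mirrors the 5 days stated above."""
    if not validate_age:
        return True, "age validation disabled (db.validate-age: false)"
    age = now - built
    limit = parse_duration(max_allowed_built_age)
    if age > limit:
        return False, f"database is {age} old, limit is {limit}: run 'grype db update'"
    return True, f"database is {age} old, within {limit}"


if __name__ == "__main__":
    # Constructed sample timestamps, not real Grype output.
    now = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
    built = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)  # built 6 days earlier
    for limit in ("120h", "168h"):
        print(limit, check_db_age(built, now, limit))
```

A check like this is useful before distributing a database copy to hosts that cannot update on their own, since a stale copy would make their scans fail.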
To update the database manually, use the following command:
grype db update
If you would instead like to check whether a new DB is available without actually updating, use:
grype db check
This will return 0 if the database is up to date, and 1 if an update is available.
Or, you can delete the local database entirely:
grype db delete
Searching the database
The Grype vulnerability database contains detailed information about vulnerabilities and affected packages across all supported ecosystems.
While you can examine the raw SQLite database directly (use grype db status to find the local storage path),
the grype db search commands provide a much easier way to explore what’s in the database.
Search tips
For both affected package and vulnerability searches, keep these tips in mind:
- Result limit: By default, searches return up to 5,000 results. Use --limit 0 for unlimited results.
- JSON output: Add --output json for programmatic processing of results.
Search for affected packages
Use grype db search to find packages affected by vulnerabilities. This is useful when you want to understand
what packages are impacted by a specific CVE, or when you want to see all vulnerabilities affecting a particular package.
For example, to find all packages affected by Log4Shell across all ecosystems:
grype db search --vuln CVE-2021-44228
To find all vulnerable versions of the log4j package:
grype db search --pkg log4j
To search by PURL or CPE formats:
grype db search --pkg 'pkg:rpm/redhat/openssl'
grype db search --pkg 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*:*:*'
Any version value provided in the PURL or CPE will be ignored entirely.
You can also use these options in combination to filter results further (finding the common intersection); in this example, finding packages named “openssl” in Alpine Linux 3.18 that have fixes available:
grype db search --pkg openssl --distro alpine-3.18 --fixed-state fixed
Search for vulnerabilities
Use grype db search vuln to look up vulnerability details directly, including descriptions, severity ratings, and data sources.
This is subtly different from searching for affected packages, as it focuses on the vulnerabilities themselves, so you can find information about vulnerabilities that may not affect any packages (there are a few reasons why this could happen).
To view full metadata for a specific CVE:
grype db search vuln CVE-2021-44228
To filter by data provider:
grype db search vuln CVE-2021-44228 --provider nvd
Next steps
Explore more
Generate SBOMs with Syft to enable faster vulnerability scanning workflows.
Now that you understand how Grype’s vulnerability database works, here are additional resources:
- Scan targets: Learn about all supported scan targets Grype can analyze
- Filter results: Use result filtering to focus on actionable findings
- Data sources: Explore vulnerability data sources for details on each feed
- License scanning: Check dependency licenses with Grant