Getting Started
What is Vulnerability Scanning?
Vulnerability scanning is the process of identifying known security vulnerabilities in software packages and dependencies.
For developers, it helps catch security issues early in development, before they reach production.
For organizations, it’s essential for maintaining security posture and meeting compliance requirements.
Grype is a CLI tool for scanning container images, filesystems, and SBOMs for known vulnerabilities.
Installation
Grype is provided as a single compiled executable and requires no external dependencies to run. Run the command for your platform to download the latest release.
Shell script:
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
Homebrew:
brew install grype
NuGet:
nuget install Anchore.Grype
Check out the installation guide for the full list of official and community-maintained packaging options.
Scan a container image for vulnerabilities
Run grype against a small container image. Grype will download the latest vulnerability database
and output a simple human-readable table of the packages that are vulnerable:
grype alpine:latest
✔ Loaded image alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9…
✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885…
├── ✔ Packages [15 packages]
├── ✔ File metadata [82 locations]
├── ✔ File digests [82 files]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [6 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
└── by status: 0 fixed, 6 not-fixed, 0 ignored
NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY
busybox        1.37.0-r12            apk   CVE-2024-58251  Low
busybox        1.37.0-r12            apk   CVE-2025-46394  Low
busybox-binsh  1.37.0-r12            apk   CVE-2024-58251  Low
busybox-binsh  1.37.0-r12            apk   CVE-2025-46394  Low
ssl_client     1.37.0-r12            apk   CVE-2024-58251  Low
ssl_client     1.37.0-r12            apk   CVE-2025-46394  Low
Learn more
Grype supports more than just containers. Learn more about Supported Scan Targets.
Scan an existing SBOM for vulnerabilities
Grype can scan container images directly, but it can also scan an existing SBOM document.
Note
This presumes you already created alpine_latest-spdx.json using Syft, or some other tool. If not, go to SBOM Generation Getting Started and create it now.
grype alpine_latest-spdx.json
Create a vulnerability report in JSON format
The JSON-formatted output from Grype can be processed or visualized by other tools.
Create the vulnerability report using the --output flag:
grype alpine:latest --output json | jq . > vuln_report.json
While the JSON is piped to the file, you’ll see progress on stderr:
✔ Pulled image
✔ Loaded image alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9869168ffced1cb25b2470a3d9fe15e
✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885b8c0815de3e423e5c5f789c398b45
├── ✔ Packages [15 packages]
├── ✔ File digests [82 files]
├── ✔ Executables [17 executables]
└── ✔ File metadata [82 locations]
✔ Scanned for vulnerabilities [6 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
└── by status: 0 fixed, 6 not-fixed, 0 ignored
FAQ
Does Grype need internet access?
Only for downloading container images and the vulnerability database. After the initial database download, scanning works offline until you update the database.
What about private container registries?
Grype supports authentication for private registries. See Private Registries.
Can I use Grype in CI/CD pipelines?
Absolutely! Grype is designed for automation. Scan images or SBOMs during builds and fail pipelines based on severity thresholds.
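The JSON report and the CI/CD answer above come together in the following script, added here as an example that is not part of Grype's documentation or code base. It reads a report produced by grype --output json, prints the same by-severity summary Grype shows on stderr, lists the distinct CVEs (several packages built from one source share a CVE, so 6 matches can be only 2 CVEs), lists the findings Grype marks as fixed (the ones an upgrade actually removes), and returns a non-zero exit status when any finding meets a severity threshold. It assumes the fields matches[].vulnerability.{id,severity,fix.state,fix.versions} and matches[].artifact.{name,version,type} in Grype's JSON output; the embedded sample report is constructed to mirror the alpine:latest table on this page plus one placeholder row (example-lib, CVE-YYYY-PLACEHOLDER) that is not a real package or CVE. Grype's own --fail-on flag covers the exit-status part natively; the script is for when you also want to post-process the saved report.

```python
import argparse
import json
import sys
from collections import Counter

# Grype severity labels, lowest to highest; used to compare against a threshold.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample shaped like `grype <image> --output json` (only the fields this
# script reads). The six Low rows mirror the alpine:latest table on this page; the
# seventh row is a placeholder, not a real package or CVE, added to exercise the
# "fix available" and "above threshold" paths.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-58251", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "busybox", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2025-46394", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "busybox", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2024-58251", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "busybox-binsh", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2025-46394", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "busybox-binsh", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2024-58251", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "ssl_client", "version": "1.37.0-r12", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2025-46394", "severity": "Low",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "ssl_client", "version": "1.37.0-r12", "type": "apk"}},
        # Placeholder row (constructed): a fixed High finding, not a real CVE.
        {"vulnerability": {"id": "CVE-YYYY-PLACEHOLDER", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["1.0.1"]}},
         "artifact": {"name": "example-lib", "version": "1.0.0", "type": "apk"}},
    ]
})


def load_matches(report_text):
    """Parse a Grype JSON report and return its list of matches."""
    return json.loads(report_text).get("matches", [])


def severity_counts(matches):
    """Count matches per severity, like the 'by severity' line Grype prints on stderr."""
    counts = Counter(m["vulnerability"]["severity"] for m in matches)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def distinct_cves(matches):
    """Sorted distinct vulnerability IDs; packages from one source package share CVEs,
    so the match count overstates how many issues there really are."""
    return sorted({m["vulnerability"]["id"] for m in matches})


def fixable(matches):
    """(package, installed, cve, fixed-in versions) for matches Grype marks as fixed,
    i.e. the findings an upgrade can actually remove."""
    return [(m["artifact"]["name"], m["artifact"]["version"],
             m["vulnerability"]["id"], m["vulnerability"]["fix"]["versions"])
            for m in matches if m["vulnerability"]["fix"]["state"] == "fixed"]


def exceeds_threshold(matches, fail_on):
    """True if any match is at or above fail_on. A severity outside SEVERITY_ORDER
    (e.g. 'Unknown') counts as failing, so unrated findings are not silently passed."""
    threshold = SEVERITY_ORDER.index(fail_on)
    return any(m["vulnerability"]["severity"] not in SEVERITY_ORDER
               or SEVERITY_ORDER.index(m["vulnerability"]["severity"]) >= threshold
               for m in matches)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Summarize a Grype JSON report and gate on severity.")
    parser.add_argument("report", nargs="?", help="path to vuln_report.json (omit to use the embedded sample)")
    parser.add_argument("--fail-on", default="High", choices=SEVERITY_ORDER)
    args = parser.parse_args(argv)
    text = open(args.report).read() if args.report else SAMPLE_REPORT
    matches = load_matches(text)
    print("by severity:", severity_counts(matches))
    print("distinct CVEs:", distinct_cves(matches))
    for pkg, installed, cve, versions in fixable(matches):
        print(f"fixable: {pkg} {installed} -> {', '.join(versions)} ({cve})")
    if exceeds_threshold(matches, args.fail_on):
        print(f"FAIL: findings at or above {args.fail_on}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python gate.py vuln_report.json --fail-on High after the grype --output json command above; with no path it runs against the embedded sample and exits 1 because of the placeholder High row. The threshold check deliberately fails closed on severities it does not recognise, which is the conservative choice for a pipeline gate.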
What data does Grype send externally?
Nothing. Grype runs entirely locally and doesn’t send any data to external services.
Next steps
Continue the guide
Next: Learn about all the different Supported scan targets Grype can analyze, from container images to local directories and SBOMs.
Now that you’ve scanned for vulnerabilities, here are additional resources:
- Understand results: Learn how to interpret scan output
- Filter vulnerabilities: Use result filtering to focus on actionable findings
- Manage database: Keep your vulnerability database up to date