grype
$ npx mdskill add TerminalSkills/skills/grype
Scan container images and SBOMs for CVE vulnerabilities.
- Detects known security flaws in Docker images and filesystems.
- Integrates with Syft to generate and validate SBOMs.
- Executes scans with severity thresholds to enforce CI/CD policies.
- Outputs structured JSON results for automated pipeline processing.
SKILL.md (.github/skills/grype)
---
name: grype
description: Expert guidance for Grype, the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. Helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation.
license: Apache-2.0
compatibility: No special requirements
metadata:
  author: terminal-skills
  version: 1.0.0
  category: devops
  tags:
    - vulnerability-scanning
    - container-security
    - sbom
    - cve
    - supply-chain
---
# Grype — Container Vulnerability Scanner
## Overview
Grype is the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. This skill helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation.
## Instructions
### Scanning
```bash
# Install
brew install grype
# Scan a container image
grype alpine:3.19
grype nginx:latest
grype ghcr.io/myorg/myapp:v1.2.3
# Scan a local directory
grype dir:./my-project
# Scan a Dockerfile / built image
docker build -t myapp .
grype myapp
# Scan an SBOM (generated by Syft)
syft myapp -o spdx-json > sbom.json
grype sbom:sbom.json
# Fail on severity threshold
grype myapp --fail-on critical # Exit 1 if critical CVEs found
grype myapp --fail-on high # Exit 1 if high or critical
# Output formats
grype myapp -o json # JSON for CI processing
grype myapp -o table # Human-readable (default)
grype myapp -o sarif # SARIF for GitHub Security tab
grype myapp -o cyclonedx # CycloneDX format
```
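The `-o json` output above is what a pipeline consumes. As an added example (not code from the original skill or from the Grype project), the following Python gate reads a grype JSON report, applies a `--fail-on` style severity threshold, optionally skips unfixed findings the way `--only-fixed` does, and summarizes which findings have a fixed version available. The report embedded below is a constructed sample with placeholder CVE ids; in CI you would feed it the file written by `grype myapp -o json > report.json`.

```python
# Added example, not from the Grype project: a CI gate over `grype ... -o json`
# output that applies a --fail-on style threshold and summarizes fixable findings.
import json
from collections import Counter

# Severity order used for the threshold (lowest to highest).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample of grype JSON output, trimmed to the fields read below; CVE ids are placeholders.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3", "type": "apk"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "express", "version": "4.18.0", "type": "npm"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Unknown",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "busybox", "version": "1.36.0", "type": "apk"}},
]})


def summarize(report_json: str) -> dict:
    """Count matches per severity and list findings that have a fixed version."""
    by_severity: Counter = Counter()
    fixable = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        by_severity[vuln.get("severity", "Unknown").lower()] += 1
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed" and fix.get("versions"):
            fixable.append(f'{art["name"]}@{art["version"]} -> {fix["versions"][0]} ({vuln["id"]})')
    return {"by_severity": dict(by_severity), "fixable": fixable}


def gate(report_json: str, fail_on: str, only_fixed: bool = False) -> tuple:
    """Return (passed, offending_ids). Mirrors --fail-on; only_fixed mirrors --only-fixed.
    'Unknown' severity never trips the gate, so triage those findings via summarize()."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    offending = []
    for m in json.loads(report_json).get("matches", []):
        vuln = m["vulnerability"]
        rank = SEVERITY_RANK.get(vuln.get("severity", "").lower())
        if rank is None or rank < threshold:
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        offending.append(vuln["id"])
    return (not offending, offending)
```

Note that a finding with `Unknown` severity is invisible to the threshold, so a pipeline that only checks the exit code silently passes it; the summary is what surfaces those.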
### CI/CD Integration
```yaml
# .github/workflows/security.yml — Scan images before deployment
jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: myapp:${{ github.sha }}
          output-file: sbom.spdx.json
      - name: Scan for vulnerabilities
        uses: anchore/scan-action@v4
        id: scan
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: high
          output-format: sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```
### Ignore Known False Positives
```yaml
# .grype.yaml — Configuration and ignore rules
ignore:
  # Ignore specific CVEs (with justification)
  - vulnerability: CVE-2023-12345
    reason: "Not exploitable in our configuration — we don't use affected feature"
  - vulnerability: CVE-2023-67890
    package:
      name: openssl
      version: 3.1.0
    reason: "Patched in our custom build"
  # Ignore all vulnerabilities in test dependencies
  - package:
      location: "**/test/**"
# Exit non-zero when any match is at or above this severity (same as --fail-on)
fail-on-severity: high
# DB update settings
db:
  auto-update: true
  validate-age: true
  max-allowed-built-age: 120h # Re-download if DB is older than 5 days
```
### Combining with Syft
```bash
# Syft generates SBOMs, Grype scans them — powerful combination
# Generate SBOM
syft myapp:latest -o spdx-json > sbom.json
# Scan the SBOM for vulnerabilities
grype sbom:sbom.json -o json > vulnerabilities.json
# Quick pipeline: build → SBOM → scan → sign
docker build -t myapp:v1.2.3 .
syft myapp:v1.2.3 -o spdx-json > sbom.json
grype sbom:sbom.json --fail-on critical
cosign attest --predicate sbom.json --type spdxjson myapp:v1.2.3
```
## Installation
```bash
# macOS
brew install grype
# Linux
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Docker
docker run anchore/grype:latest myapp:latest
```
## Examples
### Example 1: Setting up Grype for a microservices project
**User request:**
```
I have a Node.js API and a React frontend running in Docker. Set up Grype for monitoring/deployment.
```
The agent creates the necessary configuration files following the patterns in the Instructions section, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
### Example 2: Troubleshooting CI/CD integration issues
**User request:**
```
Grype is showing errors in our ci/cd integration. Here are the logs: [error output]
```
The agent analyzes the error output, identifies the root cause by cross-referencing with common Grype issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
## Guidelines
1. **Scan in CI/CD** — Run Grype on every build; catch vulnerabilities before they reach production
2. **Fail on high/critical** — Use `--fail-on high` in CI; don't deploy images with known high-severity CVEs
3. **SBOM + scan** — Generate SBOM with Syft, scan with Grype, attach both to the image with Cosign
4. **Ignore with justification** — When ignoring CVEs, document why in `.grype.yaml`; auditors need to see the reasoning
5. **Update the vulnerability DB** — Grype uses a local vulnerability database; ensure it's updated daily in CI
6. **SARIF for GitHub** — Output SARIF format and upload to GitHub Security tab; developers see CVEs inline on PRs
7. **Base image matters** — Most CVEs come from the base image; use minimal bases (distroless, alpine, scratch) to reduce attack surface
8. **Scan running containers** — Periodically scan deployed images; new CVEs are discovered daily against existing packages