Grype

A vulnerability scanner for container images and filesystems. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.

Usage

Supports the following image sources:

  • grype yourrepo/yourimage:tag: defaults to using images from a Docker daemon
  • grype path/to/yourproject: a Docker tar, OCI tar, OCI directory, or generic filesystem directory

You can also explicitly specify the scheme to use:

  • grype docker:yourrepo/yourimage:tag: explicitly use the Docker daemon
  • grype docker-archive:path/to/yourimage.tar: use a tarball from disk for archives created from “docker save”
  • grype oci-archive:path/to/yourimage.tar: use a tarball from disk for OCI archives (from Podman or otherwise)
  • grype oci-dir:path/to/yourimage: read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
  • grype dir:path/to/yourproject: read directly from a path on disk (any directory)
  • grype sbom:path/to/syft.json: read Syft JSON from a path on disk
  • grype registry:yourrepo/yourimage:tag: pull image directly from a registry (no container runtime required)

You can also pipe in Syft JSON directly: syft yourimage:tag -o json | grype
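The scheme list above leaves the choice of prefix to the user. The script below is an added example, not part of the Grype project, showing one way to pick an explicit scheme from what is actually on disk so that a CI job never relies on autodetection. The helper names (`grype_source`, `grype_scan`) are made up for this example; it assumes `grype` and `syft` are on PATH only when a scan is actually run, that OCI layout directories and OCI archives carry the `oci-layout` marker file defined by the OCI image layout spec, and that a `docker save` tarball carries a top-level `manifest.json` instead.

```shell
#!/bin/sh
# Added example (not Grype's own code): map an input to an explicit grype source scheme.
# Assumptions: OCI layouts/archives contain an "oci-layout" marker file; docker-save
# tarballs do not (they carry manifest.json); an input that is not a path is treated as
# an image reference to be pulled straight from a registry (no container runtime needed).

grype_source() {
  input="$1"
  if [ -d "$input" ]; then
    # A directory with the OCI marker is an OCI layout (Skopeo etc.); otherwise a plain tree.
    if [ -f "$input/oci-layout" ]; then
      printf 'oci-dir:%s\n' "$input"
    else
      printf 'dir:%s\n' "$input"
    fi
  elif [ -f "$input" ]; then
    case "$input" in
      *.json)
        # Syft JSON on disk: scan the SBOM without re-cataloguing the artifact.
        printf 'sbom:%s\n' "$input" ;;
      *.tar|*.tar.gz|*.tgz)
        # Inspect the archive listing to tell an OCI archive from a "docker save" archive.
        if tar -tf "$input" 2>/dev/null | grep -qE '^(\./)?oci-layout$'; then
          printf 'oci-archive:%s\n' "$input"
        else
          printf 'docker-archive:%s\n' "$input"
        fi ;;
      *)
        # Unknown file type: pass it through unchanged and let grype decide.
        printf '%s\n' "$input" ;;
    esac
  else
    # Not a path on disk: assume an image reference and avoid the Docker daemon.
    printf 'registry:%s\n' "$input"
  fi
}

# Run grype against the resolved source (requires grype on PATH).
grype_scan() {
  grype "$(grype_source "$1")"
}

# Usage: ./scan.sh <image-ref | dir | archive.tar | syft.json>
if [ "$#" -gt 0 ]; then
  grype_scan "$1"
fi
```

For the pipeline form on this page (`syft yourimage:tag -o json | grype`), no scheme is needed at all because grype reads the SBOM from stdin; the resolver above is for the cases where the artifact is already on disk and the choice between `docker-archive:` and `oci-archive:` is not obvious from the file name.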