Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based operating systems.
Features of Grype Vulnerability Scanner For Container Images & Filesystems
Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:
- Alpine
- BusyBox
- CentOS / Red Hat
- Debian
- Ubuntu
Find vulnerabilities for language-specific packages:
- Ruby (Bundler)
- Java (JARs, etc)
- JavaScript (NPM/Yarn)
- Python (Egg/Wheel)
- Python pip/requirements.txt/setup.py listings
Supports Docker and OCI image formats
Using Grype Vulnerability Scanner For Container Images & Filesystems
To scan for vulnerabilities in an image:
1 | grype <image> |
Grype can scan a variety of sources beyond those found in Docker.
1 2 3 4 5 | # scan a container image archive (from the result of `docker image save …`, `podman save …`, or `skopeo copy` commands) grype path/to/image.tar # scan a directory grype dir:path/to/dir |
The output format for Grype is configurable as well:
1 | grype <image> -o <format> |
Where the formats available are:
- json: Use this to get as much information out of Grype as possible!
- cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
- table: A columnar summary (default).
You can download Grype here:
Or read more here.