Grype as SCA for artifacts
October 30, 2025·190 views


Hello! Today I propose we look at another open source tool for finding vulnerabilities in container images and file systems.

Grype works at the artifact level rather than the source code level: it scans the software packages found in an image or file system.

Supported ecosystems: Python, JavaScript (npm, Yarn), Java, Ruby, Golang, PHP, Rust, .NET. Supported image formats: Docker, OCI, Singularity (SIF).

License type: Apache 2.0

Report formats: JSON, SARIF, CycloneDX

Grype is used together with Syft.

Syft produces a list of all dependencies (an SBOM), and Grype checks that list for vulnerabilities. This allows quick rescans without access to the source code or the image itself.

Usage

curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin # Install

grype <image:tag> # Scanning a container image

grype <image> --scope all-layers # Scanning taking into account image layers

grype dir:path/to/yourproject # Scan directory

grype sbom:./sbom.json # Scanning using the SBOM generated by Syft

grype <image> -o sarif > results.sarif # Scan with output to SARIF

grype <image> -o json > results.json # Scan with JSON output

grype --add-cpes-if-none --distro alpine:3.10 sbom:./sbom.json # Generate CPE and specify distribution

# Run the scan from the official container image
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  anchore/grype:latest \
  <image:tag>

Gitlab CI

stages:
  - security

# DOCKER_IMAGE is a CI/CD variable holding the image name to scan
Syft:
  stage: security
  image: nixos/nix:latest
  script:
    - nix-shell -p syft --run "syft ${DOCKER_IMAGE}:latest -o cyclonedx-json=sbom.json"
  artifacts:
    paths:
      - sbom.json

# needs: pulls in the sbom.json artifact from the Syft job
Grype:
  stage: security
  image: nixos/nix:latest
  needs: ["Syft"]
  script:
    - nix-shell -p grype --run "grype --fail-on high sbom:sbom.json"

Jenkins

pipeline {
    agent any
    stages {
        stage('Grype Scan') {
            steps {
                // The workspace is mounted into the container and the report is written
                // there with --file, so archiveArtifacts can pick it up afterwards
                sh '''
                    docker run --rm --volume $(pwd):/tmp/results anchore/grype:latest \
                        your-image:tag -o json --file /tmp/results/grype_report.json
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'grype_report.json'
        }
    }
}

Summary:

- can be used locally by a developer to check images before pushing them to the registry

- has integrations: SARIF and JSON output for the GitLab Vulnerability Report, DefectDojo, Jira, etc.

- can scan container images, file systems, docker save archives and SBOMs

- in addition to the standard CVSS severity, Grype uses EPSS (probability of exploitation) and a KEV indicator to help with prioritisation

- quite often produces false positives, but once exclusions are configured in .grype.yaml to suppress vulnerabilities that do not affect the specific project, the findings become much more targeted

- a good fit for projects that ship Docker images and/or OCI artifacts

- covers both OS packages and language ecosystem packages

- policies can be set with the --fail-on flag, which specifies the minimum severity at which the pipeline should be stopped

- results are sorted by risk score by default, but the sort order can be changed with --sort-by, for example by severity, epss or package
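As an added example (not code from this post or from the Grype project), here is a small Python post-processor for Grype's JSON report. It reproduces the --fail-on gate in code, which is handy when the report is consumed by another system (a ticket tracker or dashboard) rather than by grype's own exit code, and it shows how to keep unfixable findings from blocking a pipeline. It relies on report fields that Grype's JSON output carries: matches[].vulnerability (id, severity, fix.state, fix.versions) and matches[].artifact (name, version, type). The embedded report is constructed sample data with placeholder CVE ids, not real scan output; the only_fixed option mirrors grype's --only-fixed flag, which is not mentioned in the post.

```python
"""Post-process a Grype JSON report and reproduce the --fail-on gate in code.

Added example, not code from the post or from the Grype project. It relies only
on report fields that Grype's JSON output carries: matches[].vulnerability
(id, severity, fix.state, fix.versions) and matches[].artifact (name, version,
type). The embedded report is constructed sample data, not real scan output.
"""
import json

# Grype's severity levels, lowest to highest. "unknown" ranks below everything
# so it never trips a --fail-on threshold on its own.
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]

# Constructed sample report (placeholder CVE ids): a fixed critical, an unfixed
# high and a fixed medium, the three cases a gate has to tell apart.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.3"]}},
         "artifact": {"name": "libexample", "version": "1.2.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "examplelib", "version": "4.5.6", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["0.9.1"]}},
         "artifact": {"name": "tinytool", "version": "0.9.0", "type": "npm"}},
    ]
})


def severity_rank(severity):
    """Numeric rank for a severity string; unrecognised values rank as unknown."""
    sev = (severity or "unknown").lower()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def load_matches(report_text):
    """Flatten the matches of a Grype JSON report into rows, highest severity first."""
    data = json.loads(report_text)
    rows = []
    for match in data.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        fix = vuln.get("fix") or {}
        rows.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "fix_state": fix.get("state", "unknown"),
            "fix_versions": fix.get("versions", []),
            "package": f"{artifact['name']}@{artifact['version']}",
            "type": artifact.get("type", ""),
        })
    return sorted(rows, key=lambda r: severity_rank(r["severity"]), reverse=True)


def gate(rows, fail_on="high", only_fixed=False):
    """Return the matches that would make `grype --fail-on <fail_on>` exit non-zero.

    only_fixed mirrors grype's --only-fixed flag: keep only findings that have a
    fix available, so an unfixable CVE does not block the pipeline.
    """
    threshold = severity_rank(fail_on)
    hits = [r for r in rows if severity_rank(r["severity"]) >= threshold]
    if only_fixed:
        hits = [r for r in hits if r["fix_state"] == "fixed"]
    return hits


def summarize(rows):
    """Count findings per severity label, e.g. for a ticket or chat notification."""
    counts = {}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    matches = load_matches(SAMPLE_REPORT)
    print("per-severity:", summarize(matches))
    blocking = gate(matches, fail_on="high")
    for hit in blocking:
        fix = ", ".join(hit["fix_versions"]) or "no fix available"
        print(f"BLOCKING {hit['id']} {hit['severity']:<8} {hit['package']} ({hit['type']}) fix: {fix}")
    # Exit non-zero like grype would, so the script can stand in as a CI gate.
    raise SystemExit(1 if blocking else 0)
```

To use it on a real report, replace SAMPLE_REPORT with the contents of the file written by `grype <image> -o json > results.json`. The sorting by severity is the simple fallback; Grype's own default ordering by risk score folds in EPSS and KEV, so if those fields are needed the row builder is the place to add them.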

#toolchain #containersecurity #sca #sbom
