# anchore/grype

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/anchore-grype).**

11,591 stars · 744 forks · Go · apache-2.0

## Links

- GitHub: https://github.com/anchore/grype
- awesome-repositories: https://awesome-repositories.com/repository/anchore-grype.md

## Topics

`container-image` `containers` `cyclonedx` `docker` `go` `golang` `hacktoberfest` `oci` `openvex` `security` `static-analysis` `tool` `vex` `vulnerabilities` `vulnerability`

## Description

Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security.

The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sources, allowing for consistent vulnerability matching and offline scanning capabilities.

The scanner supports automated security workflows by generating structured vulnerability reports in formats such as JSON and CycloneDX. These outputs facilitate integration with external security pipelines, visualization dashboards, and automated oversight systems for tracking and remediating risks across software infrastructure.

## Tags

### Security & Cryptography

- [Container Security Scanners](https://awesome-repositories.com/f/security-cryptography/container-security-scanners.md) — Scans container images and filesystems to identify known vulnerabilities in installed packages and software dependencies.
- [Container Security](https://awesome-repositories.com/f/security-cryptography/container-security-scanners/container-security.md) — Identifies known vulnerabilities in container images to prevent security risks from reaching production environments.
- [Software Composition Analysis Tools](https://awesome-repositories.com/f/security-cryptography/software-composition-analysis-tools.md) — Analyzes project manifests and container layers to detect security flaws in open-source libraries and application components.
- [Vulnerability Scanning](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning.md) — Scans container images, filesystems, and manifests to identify known security flaws in installed packages and dependencies. ([source](https://oss.anchore.com/docs/guides/vulnerability/getting-started/))
- [Software Supply Chain Security](https://awesome-repositories.com/f/security-cryptography/software-supply-chain-security.md) — Analyzes project dependencies and software manifests to detect security flaws within the components used to build and deploy applications.
- [Automated Security Scanners](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/security-testing-tools/reconnaissance-assessment-platforms/automated-security-scanners.md) — Automates vulnerability detection within CI/CD pipelines to prevent insecure software from reaching production environments.
- [Static Analysis Signatures](https://awesome-repositories.com/f/security-cryptography/static-analysis-signatures.md) — Identifies installed software packages by matching filesystem contents against known vulnerability signatures and version constraints.
- [Security Reporting Tools](https://awesome-repositories.com/f/security-cryptography/security-reporting-tools.md) — Exports security scan results into structured formats to facilitate integration with visualization dashboards and automated oversight systems. ([source](https://oss.anchore.com/docs/guides/vulnerability/getting-started/))
- [Security Vulnerability Reporting](https://awesome-repositories.com/f/security-cryptography/security-vulnerability-reporting.md) — Generates detailed reports on identified security flaws to help teams track, prioritize, and remediate risks across software infrastructure.
- [Synchronization Utilities](https://awesome-repositories.com/f/security-cryptography/security/offensive-operations/vulnerability-research-analysis/research-reference-knowledge/vulnerability-databases/synchronization-utilities.md) — Maintains a local cache of security advisories synchronized from upstream sources to enable consistent offline vulnerability matching.

### DevOps & Infrastructure

- [Image Layer Analyzers](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/image-management-tools/image-layer-analyzers.md) — Parses and decomposes container image layers to reconstruct the final filesystem state for accurate vulnerability identification.
- [Pipeline Security](https://awesome-repositories.com/f/devops-infrastructure/pipeline-security.md) — Facilitates automated security checks and oversight by exporting scan results for integration into continuous integration workflows.
- [Scan Result Exporters](https://awesome-repositories.com/f/devops-infrastructure/scan-result-interpreters/scan-result-exporters.md) — Generates structured vulnerability reports in formats like JSON and CycloneDX for integration with external security pipelines.

### Development Tools & Productivity

- [Vulnerability Dependency Graphs](https://awesome-repositories.com/f/development-tools-productivity/dependency-graph-runners/vulnerability-dependency-graphs.md) — Provides a unified dependency graph representation to enable consistent vulnerability matching across diverse package formats.