Vulnerability scanner for container images, filesystems, files, and SBOMs, with commands to query its local vulnerability database.
$ curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
Agent Compatibility: JSON Output, Agent Skill, MCP Support, AI Analysis
Grype scans container images, directories, files, and SBOM input against a local vulnerability database to find known package vulnerabilities. It is mainly a read-side security primitive for CI, supply-chain checks, and post-build verification.
What It Enables
- Scan container images, filesystems, single files, and Syft SBOMs for known vulnerabilities across OS and language packages.
- Pipe Syft JSON or point at an SBOM directly when you want vulnerability matching without re-cataloging the target.
- Query the local vulnerability DB for advisory records, affected packages, and provider metadata before deciding what to patch or suppress.
Agent Fit
- JSON, SARIF, CycloneDX, and template output make it easy to parse findings, gate builds, or hand results to follow-up tools.
- The main scan flow is non-interactive and exposes stable exit behavior, including a dedicated threshold failure code when --fail-on is triggered.
- Best for inspect-and-verify loops; it tells an agent what is vulnerable, but fixing or redeploying still depends on other package, image, or deployment CLIs.
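The JSON output and --fail-on behavior described above are what a CI gate builds on. The following is an added example, not Grype's own code: it parses a saved `grype -o json` report, summarizes findings by severity and fix availability, and applies the same severity threshold that --fail-on (and optionally --only-fixed) would enforce. It assumes the report's documented top-level shape (a `matches` list whose items carry `vulnerability` and `artifact` objects); the sample report, its package names, and its CVE identifiers are constructed placeholders.

```python
"""Parse Grype JSON output and gate a build on severity.

Added example, not Grype's own code. It assumes the shape of `grype -o json`:
a top-level "matches" list whose items carry a "vulnerability" object
(id, severity, fix.state, fix.versions) and an "artifact" object
(name, version, type).
"""
import json
from collections import Counter

# Severity ladder, lowest to highest; these are the names --fail-on accepts.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample report. The CVE ids and package names are placeholders,
# not real advisories; only the structure matters here.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "libexample", "version": "1.0.0", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                              "fix": {"versions": ["2.4.1"], "state": "fixed"}},
            "artifact": {"name": "libparser", "version": "2.4.0", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                              "fix": {"versions": ["3.1.0"], "state": "fixed"}},
            "artifact": {"name": "toolkit", "version": "3.0.2", "type": "python"},
        },
    ]
})


def load_matches(report_text):
    """Return the list of matches from a Grype JSON report (empty if none)."""
    return json.loads(report_text).get("matches", [])


def severity_rank(severity):
    """Position on the ladder; unknown or missing severities rank below all."""
    name = (severity or "").lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else -1


def summarize(matches):
    """Counts per severity label plus the number of matches that have a fix."""
    per_severity = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    fixable = sum(1 for m in matches
                  if m["vulnerability"].get("fix", {}).get("state") == "fixed")
    return dict(per_severity), fixable


def gate(report_text, fail_on, only_fixed=False):
    """Mirror --fail-on (and optionally --only-fixed) over a saved report.

    Returns (passed, offenders); offenders are compact records a CI job can
    print, attach to a build, or hand to a ticketing step.
    """
    threshold = severity_rank(fail_on)
    if threshold < 0:
        raise ValueError(f"unknown severity {fail_on!r}; expected one of {SEVERITY_ORDER}")
    offenders = []
    for m in load_matches(report_text):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        if only_fixed and fix.get("state") != "fixed":
            continue  # no fix to apply yet: report it, but do not block the build on it
        if severity_rank(vuln.get("severity")) >= threshold:
            offenders.append({
                "id": vuln["id"],
                "severity": vuln.get("severity", "Unknown"),
                "package": f"{art['name']}@{art['version']}",
                "fixed_in": fix.get("versions", []),
            })
    return (len(offenders) == 0), offenders


if __name__ == "__main__":
    import sys
    counts, fixable = summarize(load_matches(SAMPLE_GRYPE_JSON))
    print("findings by severity:", counts, "| with fix available:", fixable)
    passed, offenders = gate(SAMPLE_GRYPE_JSON, fail_on="high")
    for o in offenders:
        print(f"  {o['severity']:<8} {o['id']} in {o['package']} fixed in {o['fixed_in'] or 'n/a'}")
    sys.exit(0 if passed else 1)
```

In a real pipeline the sample would be replaced by the file written with `grype <target> -o json > report.json`; keeping the gate as a separate step over the saved report lets the job publish the full finding list even when the threshold trips, and the `only_fixed` switch separates "block the build" from "track until a fix ships", which is the decision the raw severity count alone does not make.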
Caveats
- Results are only as current as the local vulnerability database, so stale DB state weakens unattended scans.
- Scanning remote images may require Docker, Podman, or registry access and credentials, depending on the source scheme you use.