grype is an open-source command-line vulnerability scanner developed by Anchore (trivy, with which it is often compared, is the Aqua Security tool). It scans container images and filesystems for packages with known vulnerabilities: images can come from the local Docker or Podman daemon, directly from any OCI-compatible registry, or from a saved image archive, and it can also scan a plain directory or an SBOM produced by syft. It has no orchestrator integration of its own; the usual deployment is a step in a CI pipeline that uses grype's exit code and machine-readable output to gate builds.
grype matches the packages it finds against a vulnerability database built from NVD, GitHub Security Advisories and distribution security feeds. The database is downloaded and cached locally, and by default grype checks for a newer copy at the start of every run. It is a command-line tool only and has no web interface; results are printed as a table or written to a file in JSON, SARIF, CycloneDX or a custom template format and reviewed from there.
grype does vulnerability matching and nothing else. Runtime protection, network segmentation and compliance checks are outside its scope and need separate tooling. It is normally paired with syft, which generates the SBOM grype consumes, and it covers much of the same ground as trivy, so running both against the same image is a cheap way to cross-check findings in your containerized environments.
Scan a container image for vulnerabilities (there is no scan subcommand; the image reference is the only positional argument):
grype IMAGE_NAME
For example, to scan an image on Docker Hub, grype will pull it through the local Docker daemon if one is running and otherwise fetch it from the registry:
grype alpine:latest
To force a direct registry pull without a daemon, use the registry: source prefix:
grype registry:docker.io/library/alpine:latest
Scan multiple container images: grype takes one image per invocation, so loop over them in the shell:
for IMAGE in IMAGE_NAME1 IMAGE_NAME2; do grype "$IMAGE"; done
For example, to scan two images from Docker Hub one after the other:
for IMAGE in alpine nginx; do grype "registry:docker.io/library/$IMAGE:latest"; done
Scan an image from a private registry:
grype registry:REGISTRY_URL/IMAGE_NAME:TAG
Credentials can be supplied with the GRYPE_REGISTRY_AUTH_USERNAME and GRYPE_REGISTRY_AUTH_PASSWORD environment variables (or GRYPE_REGISTRY_AUTH_TOKEN for a bearer token), scoped to a host with GRYPE_REGISTRY_AUTH_AUTHORITY, or as a registry.auth entry in .grype.yaml; credentials already stored by docker login are used as well. For example, to scan registry.example.com/myimage:latest with a CI token held in CI_TOKEN:
GRYPE_REGISTRY_AUTH_USERNAME=ci GRYPE_REGISTRY_AUTH_PASSWORD="$CI_TOKEN" grype registry:registry.example.com/myimage:latest
Pass the secret through the environment rather than on the command line so it does not end up in shell history or process listings.
Scan an image and write the results to a file. The -o/--output flag selects the format (table, json, sarif, cyclonedx, cyclonedx-json or template), and --file redirects the report from stdout to a path:
grype -o json --file results.json IMAGE_NAME
For example, to scan an image on Docker Hub and write a JSON report to results.json:
grype -o json --file results.json registry:docker.io/library/alpine:latest
The JSON report is the form to keep for later processing; -o sarif produces output that code-scanning dashboards can ingest directly.
Notifications: grype has no built-in email, Slack or webhook delivery, and no --notify-* flags exist. The supported pattern is to let the CI job decide what to do with the result. The --fail-on flag sets the exit code to 1 when any match at or above the given severity is found, so the pipeline can stop the build and send the saved report to whatever channel it already uses:
grype --fail-on high -o json --file results.json IMAGE_NAME
Runtime protection: none. grype is a static scan of image contents and has no agent or in-cluster component; the --enable-runtime-protection flag does not exist. Pair it with a runtime security tool if you need detection after the container starts.
Ignoring specific vulnerabilities: there is no per-vulnerability exclusion flag. Ignore rules live in the .grype.yaml configuration file (read from the current directory, your home directory, or the path given with --config), and each rule can be narrowed to a package so the acceptance does not silently cover a different component:
ignore:
  - vulnerability: VULN_1
  - vulnerability: VULN_2
    package:
      name: PACKAGE_NAME
Ignored matches are dropped from the report and do not affect the exit code; run with --show-suppressed (table output only) to list what was hidden, and keep the file under review so accepted risks do not outlive their justification.
Failing on vulnerabilities of a certain severity or higher: grype always reports every severity, so the threshold applies to the exit code rather than the listing. SEVERITY_LEVEL is one of negligible, low, medium, high or critical:
grype --fail-on SEVERITY_LEVEL IMAGE_NAME
Ignoring vulnerabilities that have no fix available (the --ignore-unfixed spelling belongs to trivy):
grype --only-fixed IMAGE_NAME
Hiding unfixed findings keeps the report actionable, but the vulnerable code is still in the image; track those matches separately rather than forgetting them.
Using a custom or offline vulnerability database: grype manages the database through the db subcommand rather than a --db flag. Import a database archive you have fetched out of band, confirm it was loaded, and then run scans with the automatic update check disabled:
grype db import DB_FILE
grype db status
GRYPE_DB_AUTO_UPDATE=false grype IMAGE_NAME
grype db list shows the archives available from the configured source; db.update-url in .grype.yaml (or GRYPE_DB_UPDATE_URL) points grype at an internal mirror, and db.cache-dir (or GRYPE_DB_CACHE_DIR) controls where the database is stored.
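The "write the results to a file" and policy sections above leave one gap a CI job actually needs filled: grype's ignore rules have no expiry, and --fail-on cannot be combined with an allowlist that is reviewed over time. The script below is an added example, not code from grype or Anchore. It reads the file produced by grype -o json --file results.json IMAGE, drops matches on an allowlist whose entries carry a reason and an expiry date, optionally drops matches with no fix (the --only-fixed behaviour), and fails the build at or above a chosen severity. SAMPLE_REPORT is a hand-constructed document in the shape of grype's JSON (matches[].vulnerability and matches[].artifact); its vulnerability ids, package names and versions are placeholders, not findings from any real image, and the ALLOWLIST entry is likewise invented for the example.

```python
"""Policy gate over a grype JSON report (added example, not part of grype)."""
import json
import sys
from datetime import date

# grype's severity labels, ordered. "Unknown" is ranked alongside High so a
# match the database could not score does not silently pass the gate.
SEVERITY_RANK = {
    "Negligible": 0,
    "Low": 1,
    "Medium": 2,
    "Unknown": 3,
    "High": 3,
    "Critical": 4,
}

# Constructed sample in the layout of `grype -o json` output. The ids,
# packages and versions are placeholders, not real findings.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["0.9.1"], "state": "fixed"}},
         "artifact": {"name": "tool", "version": "0.9.0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical",
                           "fix": {"versions": ["3.1.0"], "state": "fixed"}},
         "artifact": {"name": "accepted-pkg", "version": "3.0.0", "type": "apk"}},
    ]
}

# Accepted-risk entries (constructed): same role as the `ignore:` list in
# .grype.yaml, but each carries a reason and an expiry so it gets re-reviewed.
ALLOWLIST = {
    "CVE-0000-0004": {"reason": "affected code path not shipped in this image",
                      "expires": "2099-12-31"},
}


def active_allowlist(allowlist, today=None):
    """Return the ids whose acceptance has not expired as of `today`."""
    today = today or date.today()
    return {vuln_id for vuln_id, entry in allowlist.items()
            if date.fromisoformat(entry["expires"]) >= today}


def filter_matches(report, allowlist=None, only_fixed=False, today=None):
    """Drop allowlisted matches and, optionally, matches with no fix."""
    ignored = active_allowlist(allowlist or {}, today)
    kept = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if vuln["id"] in ignored:
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        kept.append(match)
    return kept


def severity_rank(match):
    label = match["vulnerability"].get("severity", "Unknown")
    return SEVERITY_RANK.get(label, SEVERITY_RANK["Unknown"])


def failing_matches(matches, fail_on="High"):
    """Matches at or above the threshold, mirroring grype's --fail-on."""
    threshold = SEVERITY_RANK[fail_on]
    return [m for m in matches if severity_rank(m) >= threshold]


def describe(match):
    """One-line summary of a match for the build log."""
    vuln, art = match["vulnerability"], match["artifact"]
    fix = ", ".join(vuln.get("fix", {}).get("versions", [])) or "none"
    return (f'{vuln["id"]} {vuln.get("severity", "Unknown")} '
            f'{art["name"]}@{art["version"]} ({art["type"]}) fix: {fix}')


def run_gate(report, fail_on="High", only_fixed=True):
    """Apply the policy and return (kept matches, failing matches)."""
    kept = filter_matches(report, ALLOWLIST, only_fixed=only_fixed)
    return kept, failing_matches(kept, fail_on)


def main(argv):
    # Usage: python gate.py [results.json]; without a path the sample is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    kept, failing = run_gate(report)
    for match in kept:
        print(describe(match))
    print(f"{len(failing)} match(es) at or above High after policy")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample, the unfixed High is dropped, the allowlisted Critical is dropped, and the remaining fixed Critical fails the gate, so the script exits 1. An expired allowlist entry is simply not honoured, which is the point: the acceptance has to be renewed, with a fresh reason, rather than living on in a config file nobody reads.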