Grype is an open-source vulnerability scanning tool developed by Anchore. It is specifically designed to detect vulnerabilities in container images and file systems. In a previous post we talked about Trivy (https://brewedbrilliance.net/scan-docker-images-for-vulnerabilities/); today we look at another important tool that helps users identify security issues in their software supply chain by scanning artifacts such as Docker images, operating system packages, and application dependencies.
What is Grype Used For?
Grype’s primary purpose is to enhance the security of containerized applications and software systems. It scans for vulnerabilities in package dependencies and configuration files, providing detailed reports about the issues it discovers.
Typical use cases for Grype include:
- DevSecOps Pipelines: Automating vulnerability scans during CI/CD workflows to ensure only secure artifacts are deployed.
- Compliance: Assisting organizations in meeting security compliance standards by identifying and addressing vulnerabilities.
- Risk Management: Helping teams assess and prioritize the remediation of vulnerabilities to reduce overall risk exposure.
Why is Grype Important?
With the growing adoption of containerized applications and microservices architectures, the risk of vulnerabilities being introduced into production environments has increased. Here’s why Grype is critical:
- Proactive Security: Grype provides early detection of vulnerabilities, allowing developers to address issues before they reach production.
- Comprehensive Coverage: It supports multiple platforms, including Docker images, Kubernetes YAML, and file systems.
- Ease of Use: Grype’s simple interface and integration capabilities make it accessible for both developers and security teams.
- Regular Updates: Grype leverages data from the National Vulnerability Database (NVD) and other sources to stay current with the latest known vulnerabilities.
How to Use Grype
Installation
Grype can be installed using various methods depending on your operating system:
For macOS:
brew install anchore/grype/grype
For Linux:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
For Windows:
Download the appropriate binary from the official Grype GitHub releases page.
Basic Usage
After installation, you can start using Grype to scan artifacts. Here are some examples:
Scanning a Docker Image:
grype <image-name>
Example:
grype ubuntu:20.04
Scanning a File System:
grype dir:/path/to/directory
Scanning an SBOM (Software Bill of Materials):
grype sbom:/path/to/sbom.json
Scanning a Local Image:
grype 1c64359810f6
where 1c64359810f6 is the ID of your image from your local repo (i.e. the result of docker images)
REPOSITORY TAG IMAGE ID CREATED SIZE
my-local-img latest 1c64359810f6 5 hours ago 131MB
Important Flags and Options
Grype offers several flags to customize scans and improve the usefulness of its results:
--output
Specifies the format of the scan results. Supported formats include table, json, and cyclonedx.
Example:
grype ubuntu:20.04 --output json
--file
Allows users to specify an input file (e.g., an SBOM) instead of directly scanning an image or directory.
Example:
grype --file sbom.json
--fail-on
Sets a threshold for vulnerability severity. If vulnerabilities meet or exceed this level, Grype exits with a non-zero status code, making it useful for CI/CD pipelines.
Example:
grype ubuntu:20.04 --fail-on critical
--exclude
Excludes specific paths from the scan.
Example:
grype dir:/project --exclude /project/tests
--scope
Defines the scope of the scan. Common options include all-layers (default) and squashed.
Example:
grype alpine:latest --scope squashed
Integrating Grype into CI/CD Pipelines
You can integrate Grype into CI/CD pipelines by including it as a step in your build process. For example, in a GitHub Actions workflow:
name: Grype Scan
on:
  push:
    branches:
      - main
jobs:
  grype-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Install Grype
        # install.sh places the binary in ./bin by default; -b puts it on PATH for later steps
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
      - name: Scan Docker Image
        run: grype my-docker-image:latest --fail-on critical
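The following is an added example, not part of the original post or of the Grype project: it reproduces the --fail-on decision described above over a --output json report, so a pipeline can print which findings tripped the gate instead of only seeing a non-zero exit. The report is a constructed sample that mirrors the layout of Grype's JSON output (top-level "matches" with "vulnerability" and "artifact"); the package names, versions and CVE-0000-* IDs are made-up placeholders.

```python
import json
import sys

# Severity ladder used by Grype's --fail-on, lowest to highest.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of `grype <target> --output json`.
# IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "samplelib", "version": "0.9.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "othertool", "version": "2.0.0", "type": "python"}},
]})

def count_by_severity(report_json):
    """Count matches per severity (lower-case keys), for a quick summary line."""
    counts = {}
    for match in json.loads(report_json)["matches"]:
        sev = match["vulnerability"]["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def matches_at_or_above(report_json, threshold):
    """Return (id, package@version, severity, fixed_in) for every match whose
    severity meets or exceeds `threshold`, the same rule --fail-on applies."""
    floor = SEVERITY_ORDER.index(threshold.lower())
    hits = []
    for match in json.loads(report_json)["matches"]:
        vuln, art = match["vulnerability"], match["artifact"]
        sev = vuln["severity"].lower()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= floor:
            fixed_in = ",".join(vuln.get("fix", {}).get("versions", [])) or "none"
            hits.append((vuln["id"], f'{art["name"]}@{art["version"]}', sev, fixed_in))
    return hits

def should_fail(report_json, threshold):
    """Mirror --fail-on: True when at least one match meets the threshold."""
    return bool(matches_at_or_above(report_json, threshold))

if __name__ == "__main__":
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print("severity counts:", count_by_severity(report))
    for vid, pkg, sev, fix in matches_at_or_above(report, threshold):
        print(f"{sev:>8}  {vid}  {pkg}  fix: {fix}")
    sys.exit(1 if should_fail(report, threshold) else 0)
```

Run as `grype my-docker-image:latest --output json | python check_grype.py high` in the scan step; with no piped input it evaluates the embedded sample.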
Conclusion
Grype is an invaluable tool for securing your software supply chain. Its ease of use, comprehensive coverage, and integration capabilities make it an essential component of any DevSecOps workflow. By proactively identifying vulnerabilities, Grype helps organizations minimize risks and ensure the delivery of secure applications. Start using Grype today to strengthen your security posture!