--- name: terminal--grype description: >- Expert guidance for Grype, the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. Helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation. origin: "github.com/TerminalSkills/skills (skill: grype)" license: Apache-2.0 version: "1.0.0" compatibility: "yamtam-engine >= 0.14.0" --- # Grype — Container Vulnerability Scanner ## Overview Grype, the open-source vulnerability scanner by Anchore that finds known vulnerabilities (CVEs) in container images, filesystems, and SBOMs. Helps developers integrate Grype into CI/CD pipelines, triage findings, and combine it with Syft for SBOM generation. ## Instructions ### Scanning ```bash # Install brew install grype # Scan a container image grype alpine:3.19 grype nginx:latest grype ghcr.io/myorg/myapp:v1.2.3 # Scan a local directory grype dir:./my-project # Scan a Dockerfile / built image docker build -t myapp . grype myapp # Scan an SBOM (generated by Syft) syft myapp -o spdx-json > sbom.json grype sbom:sbom.json # Fail on severity threshold grype myapp --fail-on critical # Exit 1 if critical CVEs found grype myapp --fail-on high # Exit 1 if high or critical # Output formats grype myapp -o json # JSON for CI processing grype myapp -o table # Human-readable (default) grype myapp -o sarif # SARIF for GitHub Security tab grype myapp -o cyclonedx # CycloneDX format ``` ### CI/CD Integration ```yaml # .github/workflows/security.yml — Scan images before deployment jobs: vulnerability-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Build image run: docker build -t myapp:${{ github.sha }} . - name: Generate SBOM uses: anchore/sbom-action@v0 with: image: myapp:${{ github.sha }} output-file: sbom.spdx.json - name: Scan for vulnerabilities uses: anchore/scan-action@v4 id: scan with: image: myapp:${{ github.sha }} fail-build: true severity-cutoff: high output-format: sarif - name: Upload SARIF if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} ``` ### Ignore Known False Positives ```yaml # .grype.yaml — Configuration and ignore rules ignore: # Ignore specific CVEs (with justification) - vulnerability: CVE-2023-12345 reason: "Not exploitable in our configuration — we don't use affected feature" - vulnerability: CVE-2023-67890 package: name: openssl version: 3.1.0 reason: "Patched in our custom build" # Ignore all vulnerabilities in test dependencies - package: location: "**/test/**" # Only scan for these severity levels fail-on-severity: high # DB update settings db: auto-update: true validate-age: true max-allowed-built-age: 120h # Re-download if DB is older than 5 days ``` ### Combining with Syft ```bash # Syft generates SBOMs, Grype scans them — powerful combination # Generate SBOM syft myapp:latest -o spdx-json > sbom.json # Scan the SBOM for vulnerabilities grype sbom:sbom.json -o json > vulnerabilities.json # Quick pipeline: build → SBOM → scan → sign docker build -t myapp:v1.2.3 . syft myapp:v1.2.3 -o spdx-json > sbom.json grype sbom:sbom.json --fail-on critical cosign attest --predicate sbom.json --type spdxjson myapp:v1.2.3 ``` ## Installation ```bash # macOS brew install grype # Linux curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # Docker docker run anchore/grype:latest myapp:latest ``` ## Examples ### Example 1: Setting up Grype for a microservices project **User request:** ``` I have a Node.js API and a React frontend running in Docker. Set up Grype for monitoring/deployment. ``` The agent creates the necessary configuration files based on patterns like `# Install`, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working. ### Example 2: Troubleshooting ci/cd integration issues **User request:** ``` Grype is showing errors in our ci/cd integration. Here are the logs: [error output] ``` The agent analyzes the error output, identifies the root cause by cross-referencing with common Grype issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks. ## Guidelines 1. **Scan in CI/CD** — Run Grype on every build; catch vulnerabilities before they reach production 2. **Fail on high/critical** — Use `--fail-on high` in CI; don't deploy images with known high-severity CVEs 3. **SBOM + scan** — Generate SBOM with Syft, scan with Grype, attach both to the image with Cosign 4. **Ignore with justification** — When ignoring CVEs, document why in `.grype.yaml`; auditors need to see the reasoning 5. **Update the vulnerability DB** — Grype uses a local vulnerability database; ensure it's updated daily in CI 6. **SARIF for GitHub** — Output SARIF format and upload to GitHub Security tab; developers see CVEs inline on PRs 7. **Base image matters** — Most CVEs come from the base image; use minimal bases (distroless, alpine, scratch) to reduce attack surface 8. **Scan running containers** — Periodically scan deployed images; new CVEs are discovered daily against existing packages