Grype (Anchore)
Open-source vulnerability scanner for container images and filesystems, built by Anchore. Grype scans container images, directories, SBOMs, and archives against a single vulnerability database that Anchore builds from NVD, GitHub Security Advisories (GHSA), and OS distribution advisory feeds. Pairs with Syft, Anchore's SBOM generator, whose output Grype consumes directly. No REST API: it runs as a CLI or as a Go library. Used in CI/CD pipelines and agent security scanning workflows.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Open-source (Apache 2.0), so fully auditable. Scanning itself runs locally: image contents and SBOMs are never sent to an external service. The only network traffic is the vulnerability database download from Anchore's distribution endpoint (built from NVD, GHSA, and OS distro advisories) and any registry pull for the image under scan; both can be eliminated by pre-staging the database and scanning a local image tarball, directory, or SBOM. No API keys are required. Registry credentials, when needed, come from the Docker credential store or Grype's own registry settings rather than any Grype-managed secret store. Anchore team has strong security reputation.
⚡ Reliability
Best When
You need fast, open-source vulnerability scanning of container images and SBOMs in CI/CD pipelines without licensing costs or API dependencies.
Avoid When
You need a managed API-based scanning service with a dashboard, compliance reporting, or real-time monitoring — use Snyk or Anchore Enterprise.
Use Cases
- • Scan container images for known CVEs in agent-driven CI/CD pipelines using Grype CLI or Go library integration
- • Generate and scan SBOMs (via Syft) to audit AI tool dependency supply chains for vulnerable packages
- • Automate vulnerability gating — fail CI builds or agent deployments when high-severity CVEs are detected in container images
- • Scan a local directory (`grype dir:.`), including Python and Node lock files, for vulnerable dependencies in agent code
- • Integrate Grype into agent security workflows that evaluate third-party tool safety before deployment
Not For
- • SAST (static application security testing) — Grype scans for known CVEs in dependencies, not code logic flaws; use Semgrep for SAST
- • Real-time API-based scanning — Grype is a CLI/library tool; for API-based scanning use Snyk or Anchore Enterprise
- • Runtime threat detection — Grype is a pre-deployment scanner; use Falco or similar for runtime container security
Interface
Authentication
No authentication for the tool itself; it is an open-source CLI. Grype downloads its vulnerability database from Anchore's public distribution endpoint without credentials. Pulling images from private registries uses the Docker credential store or Grype's registry settings (`registry.auth` in `.grype.yaml`, or the `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD` and `GRYPE_REGISTRY_AUTH_TOKEN` environment variables). Anchore Enterprise adds authenticated access to its managed API and enterprise feeds.
Pricing
Grype core is free and open-source. Anchore Enterprise wraps Grype with a managed API, web UI, and enterprise features. Vulnerability database updates are free; Anchore publishes the database it builds from public sources.
Agent Metadata
Known Gotchas
- ⚠ By default Grype checks for a newer vulnerability database on every run (`db.auto-update: true`); when auto-update is disabled or blocked (air-gapped runners, `GRYPE_DB_AUTO_UPDATE=false`), scans run against whatever database is cached and miss recent CVEs. Run `grype db update` (and `grype db status` to see the build date) before production scans, and treat a database older than your tolerance as a failed gate
- ⚠ The JSON output schema changes between Grype releases; pin the Grype version in CI so downstream parsers do not break on upgrade, and parse only the fields you need
- ⚠ Noise from OS packages: base images carry many low-severity or unfixed CVEs in distro packages. Use `--only-fixed` to drop findings with no available fix, and add `ignore:` rules in `.grype.yaml` (matching on vulnerability id, package, fix state, or location) for accepted risks, recording the justification next to each rule
- ⚠ Without `--fail-on`, Grype exits 0 whether or not it finds vulnerabilities; with `--fail-on <severity>` it exits non-zero when a finding meets the threshold, using the same non-zero exit it uses for scan errors. An agent or CI step must inspect the JSON output (or stderr) to tell a policy violation from a broken scan, or skip `--fail-on` and apply the policy itself on the JSON report
- ⚠ Scanning large images requires significant disk space for layer extraction; ensure sufficient temp space in CI environments
- ⚠ SBOM-based scanning accepts Syft JSON, SPDX, and CycloneDX; Grype auto-detects the format and errors on one it cannot parse. The quieter failure is an SBOM that parses but lacks the metadata Grype matches on (distro identity, package PURLs or CPEs): the scan succeeds with few or no matches. Generate SBOMs with Syft, prefer Syft JSON when Grype is the only consumer, and sanity-check that the scan reports the expected distro and package count
- ⚠ Private registry images need credentials, but these are read from the Docker credential store (`~/.docker/config.json` and credential helpers) or from Grype's own registry config (`registry.auth` in `.grype.yaml`, or the `GRYPE_REGISTRY_AUTH_*` environment variables); they are not command-line flags, so make sure the CI runner has them in place before the scan
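The gating use case above and the gotchas on exit codes, stale databases and OS-package noise combine into one CI step. The following is an added example written for this page, not code from Grype or Anchore: it runs Grype without `--fail-on` so that any non-zero exit is unambiguously a scan error, then applies the severity threshold, a `--only-fixed`-style filter and `.grype.yaml`-shaped ignore rules to the JSON report itself, failing closed when the database is too old. The `descriptor.db.built` timestamp it checks is assumed from recent Grype JSON output; the `SAMPLE_REPORT`, `IGNORE_RULES`, `evaluate` and `run_grype` names and the placeholder `EXAMPLE-000n` ids are this example's own constructions, not real advisories.

```python
# CI vulnerability gate over Grype JSON output (added example, not Grype's own code).
# Policy is applied here rather than via --fail-on, so Grype's exit code only ever
# signals a broken scan. Assumes the Grype JSON shape: matches[].vulnerability
# {id, severity, fix.state}, matches[].artifact{name}, descriptor.db.built.
import json
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Severity strings as Grype emits them. "Unknown" ranks highest so that a finding
# with no severity can never slip past the gate.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4, "Unknown": 99}


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)   # findings that violate the policy
    ignored: list = field(default_factory=list)    # findings suppressed by an ignore rule
    db_stale: bool = False                         # vulnerability DB older than allowed

    @property
    def passed(self) -> bool:
        # Fail closed: a stale database fails the gate even with zero findings.
        return not self.blocking and not self.db_stale


def _parse_ts(value: str) -> datetime:
    # Grype writes RFC 3339 timestamps with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_ignored(match: dict, rules: list) -> bool:
    """Apply rules shaped like the `ignore:` entries of .grype.yaml
    (keys: vulnerability, package, fix-state). Every key present in a rule must match."""
    vuln, pkg = match["vulnerability"], match["artifact"]
    for rule in rules:
        checks = []
        if "vulnerability" in rule:
            checks.append(rule["vulnerability"] == vuln["id"])
        if "package" in rule:
            checks.append(rule["package"] == pkg["name"])
        if "fix-state" in rule:
            checks.append(rule["fix-state"] == vuln.get("fix", {}).get("state"))
        if checks and all(checks):
            return True
    return False


def evaluate(report: dict, fail_on: str = "High", only_fixed: bool = False,
             ignore_rules: Optional[list] = None, max_db_age_days: int = 2,
             now: Optional[str] = None) -> GateResult:
    """Decide pass/fail for one Grype JSON report. `now` is an ISO-8601 string so the
    decision is reproducible; it defaults to the current UTC time."""
    result = GateResult()
    threshold = SEVERITY_RANK[fail_on]
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if _is_ignored(match, ignore_rules or []):
            result.ignored.append(match)
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue  # same effect as Grype's --only-fixed
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 99) >= threshold:
            result.blocking.append(match)
    # Staleness: a report without descriptor.db.built is treated as stale (assumption).
    built = report.get("descriptor", {}).get("db", {}).get("built")
    current = _parse_ts(now) if now else datetime.now(timezone.utc)
    result.db_stale = (not built) or (current - _parse_ts(built) > timedelta(days=max_db_age_days))
    return result


def run_grype(target: str) -> dict:
    """Run Grype on an image ref, `dir:./path` or `sbom:./sbom.json` and return the parsed
    JSON report. No --fail-on is passed, so any non-zero exit here is a scan error."""
    proc = subprocess.run(["grype", target, "-o", "json"], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"grype failed (exit {proc.returncode}): {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def _m(vid: str, severity: str, fix_state: str, pkg: str) -> dict:
    # Constructed match in Grype's JSON shape; ids are placeholders, not real advisories.
    return {"vulnerability": {"id": vid, "severity": severity, "fix": {"state": fix_state}},
            "artifact": {"name": pkg, "type": "deb"}}


SAMPLE_REPORT = {  # constructed sample report
    "matches": [_m("EXAMPLE-0001", "Critical", "fixed", "libfoo"),
                _m("EXAMPLE-0002", "High", "not-fixed", "libbar"),
                _m("EXAMPLE-0003", "Low", "fixed", "somelib"),
                _m("EXAMPLE-0004", "Critical", "wont-fix", "base-files")],
    "descriptor": {"name": "grype", "db": {"built": "2026-03-01T00:00:00Z"}},
}
# Accepted risk, recorded with the same keys Grype's own ignore rules use.
IGNORE_RULES = [{"vulnerability": "EXAMPLE-0004", "package": "base-files", "fix-state": "wont-fix"}]


def blocking_ids(result: GateResult) -> list:
    return [m["vulnerability"]["id"] for m in result.blocking]


if __name__ == "__main__":
    import sys
    report = run_grype(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(report, fail_on="High", ignore_rules=IGNORE_RULES)
    print("blocking:", blocking_ids(verdict), "ignored:", len(verdict.ignored), "db_stale:", verdict.db_stale)
    sys.exit(0 if verdict.passed else 2)   # 2 = policy failure, distinct from a Grype error exit
```

Run it as `python grype_gate.py <image-or-sbom-target>`; with no argument it evaluates the embedded sample. Because the policy lives in the script, the same gate works over `grype sbom:./sbom.json` output from a Syft-generated SBOM as over a direct image scan, and its exit code 2 for a policy failure cannot be confused with Grype's own error exit.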
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Grype (Anchore).
Scores are editorial opinions as of 2026-03-06.