We just published a new blog: Time to Take Another Look at Grype: A Year of Major Improvements | Anchore
There are a lot of commands in there, many in screenshots, so I thought I’d pull them all together here for easy copy/pasting and discussion. I do love a cool one-liner!
Installing Grype
This is way down at the bottom of the blog post, but it makes sense to put it first here:
# Install via Homebrew (macOS/Linux)
$ brew install grype
# Install via curl
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Run your first scan
$ grype alpine:latest
Dramatically Fewer False Positives
# Before: Multiple false positives for "redis"
$ grype redis:latest
...
CVE-2022-0543 redis pkg:gem/redis@4.8.0
# After: Only legitimate vulnerabilities reported
$ grype redis:latest
# Clean results focused on actual Redis server vulnerabilities
Enhanced Intelligence with CISA KEV and EPSS
# Search for known exploited vulnerabilities
$ grype db search vuln CVE-2021-44228 -o json --provider nvd
  "provider": "nvd",
  "status": "active",
  "published_date": "2021-12-10T10:15:09.143Z",
  "modified_date": "2025-04-03T20:53:22.977Z",
  "known_exploited": [
    {
      "cve": "CVE-2021-44228",
      "vendor_project": "Apache",
      "product": "Log4j2",
      "date_added": "2021-12-10",
      "required_action": "For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.",
      "due_date": "2021-12-24",
      "known_ransomware_campaign_use": "known",
      "urls": [
        "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
      ],
      "cwes": [
        "CWE-20",
        "CWE-400",
        "CWE-502"
      ]
    }
  ],
  "epss": [
    {
      "cve": "CVE-2021-44228",
      "epss": 0.94358,
      "percentile": 0.99951,
      "date": "2025-06-22"
    }
  ],
  "operating_systems": null,
  "affected_packages": 0
}
Show the new “Risk” column:
# Use an old container to illustrate the new risk score
$ grype alpine:3.11
NAME          INSTALLED   FIXED-IN    TYPE  VULNERABILITY   SEVERITY  EPSS%  RISK
zlib          1.2.11-r3   1.2.11-r4   apk   CVE-2022-37434  Critical  99.74  87.1
libcrypto1.1  1.1.1l-r0               apk   CVE-2022-2068   Critical  98.66  68.1
libssl1.1     1.1.1l-r0               apk   CVE-2022-2068   Critical  98.66  68.1
libcrypto1.1  1.1.1l-r0               apk   CVE-2023-0286   High      99.49  66.4
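An added example (mine, not from the blog or the Grype project): a small Python triage helper that reads the JSON shape `grype db search vuln … -o json` prints above and flags records that CISA KEV lists or whose EPSS probability reaches a threshold. The top-level `"id"` key and the list wrapper are assumptions about the full output, and the second sample record is a constructed placeholder.

```python
import json

# Constructed sample shaped like the `grype db search vuln ... -o json` record
# above (top-level "id" key assumed). The first record reuses the CVE-2021-44228
# KEV/EPSS values from the post; the second is an invented placeholder with no
# KEV entry and a negligible EPSS, to exercise the "defer" path.
SAMPLE_JSON = """[
  {"id": "CVE-2021-44228", "provider": "nvd",
   "known_exploited": [{"cve": "CVE-2021-44228", "vendor_project": "Apache",
                        "product": "Log4j2", "date_added": "2021-12-10",
                        "known_ransomware_campaign_use": "known"}],
   "epss": [{"cve": "CVE-2021-44228", "epss": 0.94358, "percentile": 0.99951}]},
  {"id": "CVE-0000-PLACEHOLDER", "provider": "nvd",
   "known_exploited": [],
   "epss": [{"cve": "CVE-0000-PLACEHOLDER", "epss": 0.00042, "percentile": 0.12}]}
]"""

def triage(records, epss_threshold=0.1):
    """Return (id, reason) per record: "kev" (plus "+ransomware" when CISA notes
    ransomware use) if KEV lists it, "epss>=<t>" if the highest EPSS probability
    reaches the threshold, otherwise "defer" so nothing is silently dropped."""
    results = []
    for rec in records:
        kev = rec.get("known_exploited") or []
        epss_entries = rec.get("epss") or []
        epss = max((e.get("epss", 0.0) for e in epss_entries), default=0.0)
        if kev:
            ransomware = any(k.get("known_ransomware_campaign_use") == "known"
                             for k in kev)
            reason = "kev" + ("+ransomware" if ransomware else "")
        elif epss >= epss_threshold:
            reason = f"epss>={epss_threshold}"
        else:
            reason = "defer"
        results.append((rec.get("id"), reason))
    return results

def triage_json(text, epss_threshold=0.1):
    """Parse grype's JSON (a single object or a list of them) and triage it."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return triage(data, epss_threshold)

if __name__ == "__main__":
    for vuln_id, reason in triage_json(SAMPLE_JSON):
        print(f"{vuln_id}: {reason}")
```

Pipe real output in with `grype db search vuln <ID> -o json | python3 triage.py` once the script reads stdin instead of the sample.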
Database Search: Your New Best Friend
# Find all vulnerabilities affecting log4j
$ grype db search --pkg log4j
VULNERABILITY   PACKAGE  ECOSYSTEM  NAMESPACE                       VERSION CONSTRAINT
ALAS-2021-003   log4j    rpm        amazon:distro:amazonlinux:2022  < 2.15.0-1.amzn2022.0.1
CVE-2017-5645   log4j    rpm        redhat:distro:redhat:5
CVE-2021-44228  log4j    maven      github:language:java            >= 2.0-beta9, < 2.15.0
# Search for specific vulnerability details
$ grype db search vuln CVE-2021-44228
ID              PROVIDER  PUBLISHED   SEVERITY  REFERENCE
CVE-2021-44228  debian    2021-12-10  critical  https://security-tracker.debian.org/tracker/CVE-2021-44228
CVE-2021-44228  nvd       2021-12-10  critical  https://nvd.nist.gov/vuln/detail/CVE-2021-44228
CVE-2021-44228  ubuntu    2021-12-10  high      https://ubuntu.com/security/CVE-2021-44228
# Search for vulns in a specific package/library and ecosystem
$ grype db search openssl --ecosystem rust --published-after 2024 --provider github
VULNERABILITY        PACKAGE  ECOSYSTEM   NAMESPACE             VERSION CONSTRAINT
GHSA-4fcv-w3qc-ppgg  openssl  rust-crate  github:language:rust  >=0.10.39,<0.10.72
GHSA-q445-7m23-qrmw  openssl  rust-crate  github:language:rust  <0.10.66
GHSA-rpmj-rpgj-qmpm  openssl  rust-crate  github:language:rust  >=0.10.0,<0.10.70
Configuration Profiles: Simplify Your Setup
# .grype.yaml
profiles:
  ci:
    fail-on-severity: "high"
    output: "sarif"
  development:
    fail-on-severity: "critical"
    output: "table"
  production:
    fail-on-severity: "medium"
    output: "json"
# Use with: grype --profile ci myimage:latest
PURL Support: Scan What You Know
# Check a specific package version
$ grype pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
log4j-core  2.14.1     2.15.0    java  CVE-2021-44228  Critical
# Scan multiple PURLs from a file
$ echo "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" | grype
Got any more?
Have you done a comparison of Grype and some other tool?
Let us know how we got on! We’d love to know!