A vulnerability scanner for container images and filesystems
12.5k
Stars
823
Forks
376
Open issues
30
Contributors
AI Analysis
Grype is a vulnerability scanner that analyzes container images, filesystems, and SBOMs against known vulnerability databases. It serves DevOps teams, security engineers, and container platform operators who need rapid vulnerability detection across multiple OS and language package ecosystems. It is not a general-purpose tool—it is purpose-built for supply chain security workflows in containerized environments.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Grype: A mature, actively maintained open-source vulnerability scanner for containers and filesystems
Grype is an open-source vulnerability scanner developed by Anchore that identifies known CVEs in container images, filesystems, and SBOMs. It targets security engineers, DevSecOps teams, and platform engineers who need CLI-first, pipeline-friendly vulnerability scanning across OS and language packages. With 12k+ stars, active corporate sponsorship from Anchore, and deep integration with Syft (its companion SBOM tool), Grype occupies a credible second position in its category. It is genuinely used in CI/CD pipelines and Kubernetes environments where teams prioritize the Anchore ecosystem or want SBOM-driven scanning workflows.
Created in May 2020 by Anchore as a standalone OSS companion to their commercial platform. It emerged alongside the SBOM movement, maturing rapidly as container security became a compliance requirement.
Growth was driven by the broader DevSecOps adoption wave, the US executive order on software supply chain security (2021), and tight integration with Syft. Grype benefits from Anchore's commercial investment and a community that values its composable CLI design. Star growth has plateaued somewhat relative to Trivy, but 61 stars in 7 days signals continued organic interest as of mid-2026.
Grype is included in several major CI/CD templates, Homebrew, Chocolatey, and Docker-based workflows documented publicly. Anchore's commercial enterprise product builds on the same OSS core, implying production-grade pressure on the codebase. Specific third-party production deployment numbers are not publicly documented, but integration with GitHub Actions, Kubernetes tooling, and policy engines (e.g., OPA) is referenced across the ecosystem.
Appears to follow a modular Go architecture: a package cataloging layer (likely delegated to Syft), a vulnerability database layer with offline-capable DB downloads, and a matching engine that maps packages to CVEs. Based on README, it supports multiple input formats (images, directories, SBOMs) and multiple output formats. The separation of SBOM generation (Syft) and vulnerability matching (Grype) suggests a composable pipeline design.
README references Static Analysis, Unit, and Integration CI badges, and a Validations workflow — suggesting meaningful automated test coverage exists, though specific coverage percentages are not documented in README.
Last push was June 19, 2026 — two days before the evaluation date. This indicates active, ongoing maintenance. Commercial backing from Anchore reduces abandonment risk. Community meeting cadence documented in README further supports active stewardship.
ADOPT IF: you are building SBOM-driven supply chain security workflows, are already in the Anchore ecosystem, or need a composable CLI tool that pairs well with Syft for pipeline integration. AVOID IF: you need a single tool covering IaC scanning, secrets detection, and Kubernetes misconfigurations — Trivy covers more surface area. MONITOR IF: you are evaluating container security tooling and want to track whether Grype's VEX/EPSS/KEV prioritization features mature into a meaningful differentiator over Trivy.
Independent dimensions
Mainstream potential
5/10
Technical importance
8/10
Adoption evidence
6/10
- Trivy continues to expand its feature surface and community lead, making it harder for Grype to attract new adopters who are starting fresh.
- Anchore's commercial priorities could influence OSS roadmap direction, potentially deprioritizing features that do not align with enterprise product goals.
- Vulnerability database freshness and accuracy depend on Anchore's data pipeline; any lag or gap in CVE coverage directly degrades scanner utility.
- No native Kubernetes operator or continuous scanning mode means Grype alone does not address runtime or in-cluster scanning scenarios without additional tooling.
- The SBOM-first positioning is a genuine differentiator but also narrows the addressable audience to teams with mature supply chain practices, which may limit mainstream growth.
Grype will likely maintain a stable, commercially-backed position as the second major OSS container vulnerability scanner, growing steadily within the Anchore ecosystem and SBOM-aware DevSecOps communities rather than closing the gap with Trivy.
Explore similar
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Go
- License
- Apache-2.0
- Last updated
- 18h ago
- Created
- 75mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Top contributors
Similar repos
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
12.5k | +24 | Go | 8/10 | 18h ago |
|
|
9.2k | — | Go | 9/10 | 22h ago |
|
|
36.9k | — | Go | 8/10 | 23h ago |
|
|
11k | — | Go | 7/10 | 3d ago |
|
|
1.7k | — | Go | 7/10 | 10h ago |
|
|
3.3k | — | Go | 8/10 | 1w ago |
Trivy is the dominant tool in this category with ~3x the stars and broader scan surface (including IaC, secrets, and Kubernetes misconfigurations). It has larger community adoption and more integrations. Grype differentiates on SBOM-first workflows via Syft and tighter Anchore ecosystem integration. Teams already using Trivy have little reason to switch, but Grype is a credible alternative especially when SBOM-driven scanning is the priority.
Clair is older, server-based, and primarily designed as a backend service for container registries. Grype is more CLI- and CI-friendly. Clair's architecture requires infrastructure; Grype works as a single binary. Clair adoption appears to be declining in favor of newer tools.
Syft is Grype's companion SBOM generator, not a direct competitor. The two tools are designed to be composed: Syft produces SBOMs, Grype scans them. Using both together is the intended workflow and a genuine differentiator for the Anchore ecosystem.
Trivy-operator is a Kubernetes-native controller for continuous scanning, a use case Grype does not natively address. Teams wanting in-cluster continuous scanning tend toward Trivy-operator; Grype is better suited for shift-left CI pipeline scanning.
Trivy-action is a GitHub Actions wrapper for Trivy with high adoption in GitHub-centric workflows. Grype also has GitHub Actions support but has lower GitHub Actions marketplace traction. For GitHub-native teams, Trivy-action may be a lower-friction choice.
