anchore

anchore/grype

Go Apache-2.0 DevOps

A vulnerability scanner for container images and filesystems

12.5k stars
823 forks
active
GitHub +24 / week

12.5k

Stars

823

Forks

376

Open issues

30

Contributors

v0.115.0 26 Jun 2026

AI Analysis

Grype is a vulnerability scanner that analyzes container images, filesystems, and SBOMs against known vulnerability databases. It serves DevOps teams, security engineers, and container platform operators who need rapid vulnerability detection across multiple OS and language package ecosystems. It is not a general-purpose tool—it is purpose-built for supply chain security workflows in containerized environments.

DevOps Security Tool Discovery value: 3/10
Documentation 8/10
Activity 9/10
Community 9/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

vulnerability-scanning container-security sbom-analysis supply-chain-security go-cli
Actively maintained Well documented Niche/specialized use case Popular Production ready
Deep Analysis · Based on README and public signals
3w ago

Grype: A mature, actively maintained open-source vulnerability scanner for containers and filesystems

Grype is an open-source vulnerability scanner developed by Anchore that identifies known CVEs in container images, filesystems, and SBOMs. It targets security engineers, DevSecOps teams, and platform engineers who need CLI-first, pipeline-friendly vulnerability scanning across OS and language packages. With 12k+ stars, active corporate sponsorship from Anchore, and deep integration with Syft (its companion SBOM tool), Grype occupies a credible second position in its category. It is genuinely used in CI/CD pipelines and Kubernetes environments where teams prioritize the Anchore ecosystem or want SBOM-driven scanning workflows.

Origin

Created in May 2020 by Anchore as a standalone OSS companion to their commercial platform. It emerged alongside the SBOM movement, maturing rapidly as container security became a compliance requirement.

Growth

Growth was driven by the broader DevSecOps adoption wave, the US executive order on software supply chain security (2021), and tight integration with Syft. Grype benefits from Anchore's commercial investment and a community that values its composable CLI design. Star growth has plateaued somewhat relative to Trivy, but 61 stars in 7 days signals continued organic interest as of mid-2026.

In production

Grype is included in several major CI/CD templates, Homebrew, Chocolatey, and Docker-based workflows documented publicly. Anchore's commercial enterprise product builds on the same OSS core, implying production-grade pressure on the codebase. Specific third-party production deployment numbers are not publicly documented, but integration with GitHub Actions, Kubernetes tooling, and policy engines (e.g., OPA) is referenced across the ecosystem.

Code analysis
Architecture

Appears to follow a modular Go architecture: a package cataloging layer (likely delegated to Syft), a vulnerability database layer with offline-capable DB downloads, and a matching engine that maps packages to CVEs. Based on README, it supports multiple input formats (images, directories, SBOMs) and multiple output formats. The separation of SBOM generation (Syft) and vulnerability matching (Grype) suggests a composable pipeline design.

Tests

README references Static Analysis, Unit, and Integration CI badges, and a Validations workflow — suggesting meaningful automated test coverage exists, though specific coverage percentages are not documented in README.

Maintenance

Last push was June 19, 2026 — two days before the evaluation date. This indicates active, ongoing maintenance. Commercial backing from Anchore reduces abandonment risk. Community meeting cadence documented in README further supports active stewardship.

Honest verdict

ADOPT IF: you are building SBOM-driven supply chain security workflows, are already in the Anchore ecosystem, or need a composable CLI tool that pairs well with Syft for pipeline integration. AVOID IF: you need a single tool covering IaC scanning, secrets detection, and Kubernetes misconfigurations — Trivy covers more surface area. MONITOR IF: you are evaluating container security tooling and want to track whether Grype's VEX/EPSS/KEV prioritization features mature into a meaningful differentiator over Trivy.

Independent dimensions

Mainstream potential

5/10

Technical importance

8/10

Adoption evidence

6/10

Risks
  • Trivy continues to expand its feature surface and community lead, making it harder for Grype to attract new adopters who are starting fresh.
  • Anchore's commercial priorities could influence OSS roadmap direction, potentially deprioritizing features that do not align with enterprise product goals.
  • Vulnerability database freshness and accuracy depend on Anchore's data pipeline; any lag or gap in CVE coverage directly degrades scanner utility.
  • No native Kubernetes operator or continuous scanning mode means Grype alone does not address runtime or in-cluster scanning scenarios without additional tooling.
  • The SBOM-first positioning is a genuine differentiator but also narrows the addressable audience to teams with mature supply chain practices, which may limit mainstream growth.
Prediction

Grype will likely maintain a stable, commercially-backed position as the second major OSS container vulnerability scanner, growing steadily within the Anchore ecosystem and SBOM-aware DevSecOps communities rather than closing the gap with Trivy.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Go
97%
Go Template
1.6%
Shell
1.1%
Makefile
0.2%
Python
0.1%
Dockerfile
0%

Information

Language
Go
License
Apache-2.0
Last updated
18h ago
Created
75mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

anchore

anchore/syft

Syft is a CLI tool and Go library for generating Software Bill of Materials...

9.2k Go DevOps
aquasecurity

aquasecurity/trivy

Trivy is a comprehensive security scanner for finding vulnerabilities,...

36.9k Go DevOps
quay

quay/clair

Clair is a static analysis tool that scans OCI and Docker container images for...

11k Go DevOps
cr0hn

cr0hn/dockerscan

DockerScan v2.0 is a Go-based security scanner for Docker containers and...

1.7k Go DevOps
goodwithtech

goodwithtech/dockle

Dockle is a container image linter that scans Docker images for security...

3.3k Go Security
vs. alternatives
aquasecurity/trivy

Trivy is the dominant tool in this category with ~3x the stars and broader scan surface (including IaC, secrets, and Kubernetes misconfigurations). It has larger community adoption and more integrations. Grype differentiates on SBOM-first workflows via Syft and tighter Anchore ecosystem integration. Teams already using Trivy have little reason to switch, but Grype is a credible alternative especially when SBOM-driven scanning is the priority.

quay/clair

Clair is older, server-based, and primarily designed as a backend service for container registries. Grype is more CLI- and CI-friendly. Clair's architecture requires infrastructure; Grype works as a single binary. Clair adoption appears to be declining in favor of newer tools.

anchore/syft

Syft is Grype's companion SBOM generator, not a direct competitor. The two tools are designed to be composed: Syft produces SBOMs, Grype scans them. Using both together is the intended workflow and a genuine differentiator for the Anchore ecosystem.

aquasecurity/trivy-operator

Trivy-operator is a Kubernetes-native controller for continuous scanning, a use case Grype does not natively address. Teams wanting in-cluster continuous scanning tend toward Trivy-operator; Grype is better suited for shift-left CI pipeline scanning.

aquasecurity/trivy-action

Trivy-action is a GitHub Actions wrapper for Trivy with high adoption in GitHub-centric workflows. Grype also has GitHub Actions support but has lower GitHub Actions marketplace traction. For GitHub-native teams, Trivy-action may be a lower-friction choice.