
grype
A vulnerability scanner for container images and filesystems
The Lens
Grype scans container images and filesystems for known vulnerabilities. Feed it an image or an SBOM from Syft, and it checks everything inside against vulnerability databases and tells you which components are affected and how severe each finding is. Open source, free, and quick enough to run on every build.
It's a single Go binary with no setup beyond the first database pull. Run it in CI to fail a build when a critical CVE shows up, or against a running image to audit what you've deployed. It reads Syft's SBOM output directly, so the two together give you inventory plus vulnerabilities in one pipeline.
Grype and Syft are free. Anchore Enterprise is the paid platform on top, with centralized policy, historical tracking, and support for teams that need to prove compliance. For solo and small teams, the CLI in CI covers it. For larger orgs, the enterprise layer is about governance and audit trails, not better scanning.
The catch: vulnerability scanners are noisy. A fresh scan of a common base image can surface dozens of CVEs, many unfixable or irrelevant to how you use the software. The work isn't running Grype; it's triaging what it finds without drowning in low-priority noise.
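The CI gate and the triage step above, as an added example that is not part of this page or of the Grype project: it reads a Grype JSON report and blocks the build only on findings at or above a severity threshold that also have an upstream fix, mirroring the intent of Grype's own `--fail-on` and `--only-fixed` options. The report is a constructed sample, and the field layout (`matches[].vulnerability`, `matches[].artifact`) is assumed to follow `grype -o json`.

```python
"""Triage a Grype JSON report: fail the build only on findings that are both
severe enough and actually fixable, so unfixable base-image noise doesn't block."""
import json

# Grype severity labels, lowest to highest.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample report, not real scan output. CVE ids are placeholders.
# Field names assume the layout of `grype -o json`.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "basepkg", "version": "9.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["2.1"]}},
         "artifact": {"name": "tinylib", "version": "2.0"}},
    ]
})


def triage(report_json, fail_on="high", only_fixed=True):
    """Return (cve, package, version, severity) tuples that should block.

    fail_on: lowest severity that blocks (same idea as grype --fail-on).
    only_fixed: skip findings with no upstream fix (same idea as --only-fixed);
    a CI gate can't act on those, so report them elsewhere instead of blocking.
    """
    threshold = SEVERITY_ORDER.index(fail_on.lower())
    blocking = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        sev = vuln.get("severity", "unknown").lower()
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) < threshold:
            continue  # below the gate
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue  # nothing to upgrade to yet
        blocking.append((vuln["id"], art["name"], art["version"], sev))
    return blocking


def build_passes(report_json, **kw):
    return not triage(report_json, **kw)


if __name__ == "__main__":
    for hit in triage(SAMPLE_REPORT):
        print("BLOCKING: %s in %s %s (%s)" % hit)
    raise SystemExit(0 if build_passes(SAMPLE_REPORT) else 1)
```

With the sample, only the fixable Critical blocks; the unfixed High is skipped and the Low is below the gate.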
Free vs Self-Hosted vs Paid
Self-hosted (free): Grype under Apache-2.0, a Go binary that scans images, filesystems, or Syft SBOMs against vulnerability databases. Runs in CI to fail builds on critical findings.
Anchore Enterprise (paid): Centralized policy, historical tracking, and support for teams that need to prove compliance.
The call: The CLI covers scanning for most teams. Enterprise is about governance and audit trails, not better detection.
Free and open source. Anchore Enterprise adds central policy, history, and support.
About
- Owner: Anchore, Inc. (Organization)
- Stars: 12,509
- Forks: 820