Automic VaultAutomic Vault

brew

Install grype with Homebrew, apk, chocolatey, MacPorts, Nix, scoop, winget, zypper

Vulnerability scanner for container images and filesystems. Version 0.115.0 via Homebrew; verified 2026-06-26.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install grype

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install grype

MacPorts ports tree · security/grype/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add grype

Alpine Linux edge package indexes · grype · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#grype

nixpkgs package indexes · pkgs/by-name/gr/grype/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install grype

openSUSE Tumbleweed package metadata · grype · source: download.opensuse.org

Windows

Chocolateyverified · 92%
choco install grype

Chocolatey community package catalog · grype · source: community.chocolatey.org

Scoopverified · 92%
scoop install main/grype

Scoop official bucket manifest trees · bucket/grype.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id Anchore.Grype -e

Windows Package Manager source index · Anchore.Grype · source: cdn.winget.microsoft.com

overview

Package summary

Vulnerability scanner for container images and filesystems

Commands and aliases

  • grype

history

Project history and usage

Grype is Anchore's open-source vulnerability scanner for container images, filesystems, and SBOMs. It became part of the Syft-and-Grype toolchain: Syft catalogs what software is present, and Grype matches that inventory against vulnerability data.

Project history

Anchore created the grype repository in May 2020 and published beta releases in July 2020. The README describes a standalone CLI that scans images, directories, and SBOMs; supports major Linux distribution package ecosystems; supports language package ecosystems; and understands Docker, OCI, and Singularity image formats.

The project evolved alongside Anchore's broader open-source supply-chain tooling. Syft, created in May 2020, generates SBOMs for container images and filesystems, while Grype consumes image contents or SBOM documents to report known vulnerabilities. Anchore later moved substantial usage and reference documentation to oss.anchore.com as the tools accumulated guides, coverage matrices, CLI references, and configuration docs.

Grype's release history shows steady iteration from the 0.1.0 beta series in 2020 into frequent tagged releases. Its feature set expanded beyond simple CVE tables to include SBOM scanning, multiple output formats, risk prioritization signals such as EPSS and KEV, OpenVEX filtering and augmentation, and documented configuration-file search paths.

Adoption history

Grype's adoption tracks the rise of software supply-chain security, container scanning, and SBOM workflows. The official README and docs emphasize local CLI use, CI/CD automation, and scanning of images, directories, archives, and SBOMs. The Homebrew facts also show packaging across macOS, Linux, Windows package managers, and distribution ecosystems, which is typical for security CLIs expected to run on developer workstations and CI agents.

Anchore's open-source page presents Grype with Syft and Grant as a set of developer-friendly container-security tools. That grouping matters historically because Grype is not just a container scanner; it is part of a workflow where SBOM generation, vulnerability matching, license checks, and automation are treated as separate composable command-line steps.

How it is used

Common usage is `grype <image>` for a container image, `grype dir:.` for a directory, or `grype sbom:<path>` for an existing SBOM. The docs describe JSON output for downstream processing, database downloads for vulnerability matching, offline operation after an initial database download, and CI/CD use where pipelines can fail based on severity thresholds.

Package and security engineers care about the input source because Grype can scan Docker and OCI images, local directories, archives, and SBOM files. Its results depend on package cataloging and vulnerability database matching, so it is often paired with Syft when an explicit SBOM artifact is desired.

Why package nerds care

Grype is significant to package nerds because it turns package metadata into security decisions. It has to understand OS package managers, language package managers, image layers, SBOM formats, vulnerability identifiers, fixed-version ranges, and suppression or VEX context. That makes it a practical stress test for how well packaging metadata represents real software contents.

It also illustrates the modern CLI distribution pattern for security tools: a single compiled executable, Homebrew and other package-manager formulae, container images, CI integration, generated documentation, and a separate data-update path for the vulnerability database.

Timeline

  • 2020: anchore/grype repository created.
  • 2020: Grype 0.1.0 beta releases published.
  • 2020: anchore/syft repository created as the companion SBOM generator.
  • 2023: Grype release stream includes 0.64.x and later 0.x releases, reflecting continued pre-1.0 iteration.
  • 2025: Anchore announced a dedicated oss.anchore.com documentation home for Syft, Grype, and Grant.
  • 2026: Anchore OSS docs describe Grype guides for vulnerability scanning, scan targets, interpreting results, filtering, and database management.

Related projects

  • Syft is Anchore's companion SBOM generator and is commonly paired with Grype.
  • Grant is Anchore's related license-checking CLI.
  • Trivy, Docker Scout, and other vulnerability scanners occupy adjacent container and SBOM scanning workflows.
  • OpenVEX is supported by Grype for filtering and augmenting vulnerability results.

security posture

Risk level: red

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

Risk classifier

red risk · medium confidence · escape-surveillance-offensive

Why

  • broad file, network, media, or database tool signal
  • escape, surveillance, or offensive capability signal
  • infrastructure mutation or orchestration signal

Signals

  • text:container
  • text:image
  • text:vulnerability scanner

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
./.grype.yaml./.grype.yml./.grype/config.yaml./.grype/config.yml~/.grype.yaml~/.grype.yml$XDG_CONFIG_HOME/grype/config.yaml$XDG_CONFIG_HOME/grype/config.yml

executables

Installed executables

CommandKindExposureNote
grypecliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.115.0
manager updated2026-06-26
local dataok
upstreamcurrent
latest detectedv0.115.0

https://github.com/anchore/grype

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:grype
Version0.115.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/grype
Homepagehttps://github.com/anchore/grype
Repositoryhttps://github.com/anchore/grype
Upstream docshttps://github.com/anchore/grype#readme
LicenseApache-2.0
Source archivehttps://github.com/anchore/grype/archive/refs/tags/v0.115.0.tar.gz
Last updated2026-06-26T12:38:16Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegrype
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

grype

nix profile install nixpkgs#grype
  • normalized package name match
  • Matched by: Grype
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gr/grype/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

grype 0.111.0-r1

Vulnerability scanner for container images, filesystems, and SBOMs

https://github.com/anchore/grype

sudo apk add grype
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: grype
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Grype
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: grype from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

grype-bash-completion 0.111.0-r1

Bash completions for grype

https://github.com/anchore/grype

sudo apk add grype-bash-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: grype
  • normalized package name match
  • Matched by: Grype
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: grype-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

grype-fish-completion 0.111.0-r1

Fish completions for grype

https://github.com/anchore/grype

sudo apk add grype-fish-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: grype
  • normalized package name match
  • Matched by: Grype
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: grype-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

grype-zsh-completion 0.111.0-r1

Zsh completions for grype

https://github.com/anchore/grype

sudo apk add grype-zsh-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: grype
  • normalized package name match
  • Matched by: Grype
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: grype-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
zypper95%

grype 0.114.0-1.1

A vulnerability scanner for container images and filesystems

https://github.com/anchore/grype

sudo zypper install grype
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: grype
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Grype
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: grype from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

grype-bash-completion 0.114.0-1.1

Bash Completion for grype

https://github.com/anchore/grype

sudo zypper install grype-bash-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: grype
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Grype
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: grype-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

grype-fish-completion 0.114.0-1.1

Fish Completion for grype

https://github.com/anchore/grype

sudo zypper install grype-fish-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: grype
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Grype
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: grype-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

grype-zsh-completion 0.114.0-1.1

Zsh Completion for grype

https://github.com/anchore/grype

sudo zypper install grype-zsh-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: grype
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Grype
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: grype-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

grype

sudo port install grype
  • normalized package name match
  • Matched by: Grype
MacPorts ports tree · api.github.com · MacPorts ports tree: security/grype/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Chocolatey95%

grype

choco install grype
  • normalized package name match
  • Matched by: Grype
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: grype from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','gpg4win-vanilla'
Scoop95%

main/grype

scoop install main/grype
  • normalized package name match
  • Matched by: Grype
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/grype.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

Anchore.Grype

winget install --id Anchore.Grype -e
  • normalized package name match
  • Matched by: Grype
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Anchore.Grype from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment