# Install grype with Homebrew, apk, chocolatey, MacPorts, Nix, scoop, winget, zypper

Vulnerability scanner for container images and filesystems. Version 0.115.0 via Homebrew; verified 2026-06-26.

## Install

```sh
sudo av install brew:grype
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install grype
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install grype
```

  Evidence: MacPorts ports tree: security/grype/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add grype
```

  Evidence: Alpine Linux edge package indexes: grype from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#grype
```

  Evidence: nixpkgs package indexes: pkgs/by-name/gr/grype/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install grype
```

  Evidence: openSUSE Tumbleweed package metadata: grype from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install grype
```

  Evidence: Chocolatey community package catalog: grype from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','gpg4win-vanilla'

- Scoop (92%):

```sh
scoop install main/grype
```

  Evidence: Scoop official bucket manifest trees: bucket/grype.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id Anchore.Grype -e
```

  Evidence: Windows Package Manager source index: Anchore.Grype from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:grype
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/grype>
- **Version:** 0.115.0
- **Source summary:** Vulnerability scanner for container images and filesystems
- **Homepage:** <https://github.com/anchore/grype>
- **Repository:** <https://github.com/anchore/grype>
- **Upstream docs:** <https://github.com/anchore/grype#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/anchore/grype/archive/refs/tags/v0.115.0.tar.gz>
- **Last updated:** 2026-06-26T12:38:16Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- grype (cli)
- grype (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.115.0
- Package-manager updated: 2026-06-26
- Local data: ok
- Upstream repository: https://github.com/anchore/grype
- Upstream latest detected: v0.115.0 (current)
## Project history and usage

Grype is Anchore's open-source vulnerability scanner for container images, filesystems, and SBOMs. It became part of the Syft-and-Grype toolchain: Syft catalogs what software is present, and Grype matches that inventory against vulnerability data.

### Project history

Anchore created the grype repository in May 2020 and published beta releases in July 2020. The README describes a standalone CLI that scans images, directories, and SBOMs; supports major Linux distribution package ecosystems; supports language package ecosystems; and understands Docker, OCI, and Singularity image formats.

The project evolved alongside Anchore's broader open-source supply-chain tooling. Syft, created in May 2020, generates SBOMs for container images and filesystems, while Grype consumes image contents or SBOM documents to report known vulnerabilities. Anchore later moved substantial usage and reference documentation to oss.anchore.com as the tools accumulated guides, coverage matrices, CLI references, and configuration docs.

Grype's release history shows steady iteration from the 0.1.0 beta series in 2020 into frequent tagged releases. Its feature set expanded beyond simple CVE tables to include SBOM scanning, multiple output formats, risk prioritization signals such as EPSS and KEV, OpenVEX filtering and augmentation, and documented configuration-file search paths.

### Adoption history

Grype's adoption tracks the rise of software supply-chain security, container scanning, and SBOM workflows. The official README and docs emphasize local CLI use, CI/CD automation, and scanning of images, directories, archives, and SBOMs. The Homebrew facts also show packaging across macOS, Linux, Windows package managers, and distribution ecosystems, which is typical for security CLIs expected to run on developer workstations and CI agents.

Anchore's open-source page presents Grype with Syft and Grant as a set of developer-friendly container-security tools. That grouping matters historically because Grype is not just a container scanner; it is part of a workflow where SBOM generation, vulnerability matching, license checks, and automation are treated as separate composable command-line steps.

### How it is used

Common usage is `grype <image>` for a container image, `grype dir:.` for a directory, or `grype sbom:<path>` for an existing SBOM. The docs describe JSON output for downstream processing, database downloads for vulnerability matching, offline operation after an initial database download, and CI/CD use where pipelines can fail based on severity thresholds.

Package and security engineers care about the input source because Grype can scan Docker and OCI images, local directories, archives, and SBOM files. Its results depend on package cataloging and vulnerability database matching, so it is often paired with Syft when an explicit SBOM artifact is desired.

### Why package nerds care

Grype is significant to package nerds because it turns package metadata into security decisions. It has to understand OS package managers, language package managers, image layers, SBOM formats, vulnerability identifiers, fixed-version ranges, and suppression or VEX context. That makes it a practical stress test for how well packaging metadata represents real software contents.

It also illustrates the modern CLI distribution pattern for security tools: a single compiled executable, Homebrew and other package-manager formulae, container images, CI integration, generated documentation, and a separate data-update path for the vulnerability database.

### Timeline

- 2020: anchore/grype repository created.
- 2020: Grype 0.1.0 beta releases published.
- 2020: anchore/syft repository created as the companion SBOM generator.
- 2023: Grype release stream includes 0.64.x and later 0.x releases, reflecting continued pre-1.0 iteration.
- 2025: Anchore announced a dedicated oss.anchore.com documentation home for Syft, Grype, and Grant.
- 2026: Anchore OSS docs describe Grype guides for vulnerability scanning, scan targets, interpreting results, filtering, and database management.

### Related projects

- Syft is Anchore's companion SBOM generator and is commonly paired with Grype.
- Grant is Anchore's related license-checking CLI.
- Trivy, Docker Scout, and other vulnerability scanners occupy adjacent container and SBOM scanning workflows.
- OpenVEX is supported by Grype for filtering and augmenting vulnerability results.

### Sources

- <https://anchore.com/blog/anchore-oss-docs-have-a-new-home/>
- <https://anchore.com/opensource/>
- <https://api.github.com/repos/anchore/grype>
- <https://api.github.com/repos/anchore/grype/releases?per_page=100&page=2>
- <https://github.com/anchore/grype>
- <https://github.com/anchore/syft>
- <https://oss.anchore.com/docs/guides/vulnerability/getting-started/>
- <https://oss.anchore.com/docs/guides/vulnerability/scan-targets/>


## Security Notes

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- broad file, network, media, or database tool signal
- escape, surveillance, or offensive capability signal
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ./.grype.yaml, ./.grype.yml, ./.grype/config.yaml, ./.grype/config.yml, ~/.grype.yaml, ~/.grype.yml, $XDG_CONFIG_HOME/grype/config.yaml, $XDG_CONFIG_HOME/grype/config.yml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** grype
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - grype: normalized package name match | nixpkgs package indexes: pkgs/by-name/gr/grype/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - grype - 0.111.0-r1: normalized package name match | Alpine Linux edge package indexes: grype from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Vulnerability scanner for container images, filesystems, and SBOMs | https://github.com/anchore/grype
- apk - grype-bash-completion - 0.111.0-r1: normalized package name match | Alpine Linux edge package indexes: grype-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Bash completions for grype | https://github.com/anchore/grype
- apk - grype-fish-completion - 0.111.0-r1: normalized package name match | Alpine Linux edge package indexes: grype-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Fish completions for grype | https://github.com/anchore/grype
- apk - grype-zsh-completion - 0.111.0-r1: normalized package name match | Alpine Linux edge package indexes: grype-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Zsh completions for grype | https://github.com/anchore/grype
- zypper - grype - 0.114.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: grype from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | A vulnerability scanner for container images and filesystems | https://github.com/anchore/grype
- zypper - grype-bash-completion - 0.114.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: grype-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Bash Completion for grype | https://github.com/anchore/grype
- zypper - grype-fish-completion - 0.114.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: grype-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Fish Completion for grype | https://github.com/anchore/grype
- zypper - grype-zsh-completion - 0.114.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: grype-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Zsh Completion for grype | https://github.com/anchore/grype
- MacPorts - grype: normalized package name match | MacPorts ports tree: security/grype/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Chocolatey - grype: normalized package name match | Chocolatey community package catalog: grype from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','gpg4win-vanilla'
- Scoop - main/grype: normalized package name match | Scoop official bucket manifest trees: bucket/grype.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - Anchore.Grype: normalized package name match | Windows Package Manager source index: Anchore.Grype from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, containers, security, vulnerability-scanning.
- [nuclei](https://www.automicvault.com/pkg/brew/nuclei/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [osv-scanner](https://www.automicvault.com/pkg/brew/osv-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [terrapin-scanner](https://www.automicvault.com/pkg/brew/terrapin-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [vuls](https://www.automicvault.com/pkg/brew/vuls/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [govulncheck](https://www.automicvault.com/pkg/brew/govulncheck/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [safety](https://www.automicvault.com/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [squealer](https://www.automicvault.com/pkg/brew/squealer/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, filesystem, filesystems, scanning, security.
- [syft](https://www.automicvault.com/pkg/brew/syft/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, container, containers, images, security.

## Combined YAML source

View the package source record on GitHub. [combined/grype.yml](https://github.com/automic-vault/db/blob/main/combined/grype.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
