Security Team: “I have a major Grype...with what I Syfted out of your provided image."
Developer: “Well your Grype is slowing me down...let’s tone it down a notch.”
While deploying BookStack into my local environment, this issue surfaced. It is a familiar one for many organizations deploying images and packages into their environments today.
How can this noise fatigue in the software supply chain be remedied?
Add a `.grype.yaml` file to the root directory of your project. This lets Grype ignore specific CVEs that cannot execute, or otherwise pose no threat, in your environment.
The YAML config can be as simple as the following (Linux environment):

```yaml
# .grype.yaml
ignore:
  - vulnerability: CVE-2026-32631
    reason: "Platform-specific false positive. Git for Windows only; not applicable to this Linux-based image."
  - vulnerability: CVE-2016-2781
    reason: "Chroot escape via ioctl. Containers rely on namespaces/cgroups, not chroot, so this path isn't exploitable here."
```
OR
```yaml
# .grype.yaml
ignore:
  - vulnerability: CVE-2026-32631
  - vulnerability: CVE-2016-2781
```
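An ignore file only stays trustworthy if someone checks it: every rule should carry a reason, no rule should be so broad that it silences everything, and rules whose CVE or package has disappeared from the image should be pruned. The script below is an added example (not part of the original post or of the Grype project) that audits the two rules from the page, plus two constructed ones, against a constructed, trimmed imitation of `grype <image> -o json` output. It assumes the `RULES` list is what `yaml.safe_load` of the `ignore:` section would return, reads only the `matches[].vulnerability.id` and `matches[].artifact.{name,version,type}` fields of the report, and uses a simplified matcher that compares fields as exact strings (Grype's own rules also accept regular expressions for package names; that is not re-implemented here). The `CVE-0000-000x` identifiers are placeholders, not real CVEs.

```python
"""Audit grype ignore rules against a grype JSON report.

Added example; not code from the original post or from the grype project.
Assumptions: RULES mirrors yaml.safe_load of a .grype.yaml `ignore:` list;
SAMPLE_REPORT is a constructed stand-in for `grype <image> -o json`;
matching is a simplified exact-string re-implementation.
"""
import json

RULES = [
    # The two rules from the post's .grype.yaml
    {"vulnerability": "CVE-2026-32631",
     "reason": "Platform-specific false positive. Git for Windows only; "
               "not applicable to this Linux-based image."},
    {"vulnerability": "CVE-2016-2781",
     "reason": "Chroot escape via ioctl. Containers rely on namespaces/cgroups, "
               "not chroot, so this path isn't exploitable here."},
    # Constructed: a rule with no recorded justification (placeholder CVE id)
    {"vulnerability": "CVE-0000-0001"},
    # Constructed: a rule scoped to a package that is no longer in the image
    {"vulnerability": "CVE-0000-0002", "package": {"name": "libfoo"},
     "reason": "constructed stale rule for the audit"},
]

# Constructed stand-in for grype's JSON output, trimmed to the fields used here.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2026-32631", "severity": "High"},
         "artifact": {"name": "git", "version": "1:2.39.2-1.1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2016-2781", "severity": "Low"},
         "artifact": {"name": "coreutils", "version": "9.1-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
         "artifact": {"name": "openssl", "version": "3.0.0-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
         "artifact": {"name": "zlib", "version": "1.2.13-1", "type": "deb"}},
    ]
})


def lint_rules(rules):
    """Report rules without a reason and rules with no selector at all."""
    problems = []
    for i, rule in enumerate(rules):
        if not rule.get("reason"):
            problems.append(f"rule {i}: missing 'reason' for "
                            f"{rule.get('vulnerability', '<any>')}")
        if not rule.get("vulnerability") and not rule.get("package"):
            problems.append(f"rule {i}: no 'vulnerability' or 'package' "
                            "selector; would suppress every finding")
    return problems


def _rule_matches(rule, match):
    """Every selector present on the rule must match the finding (exact strings)."""
    if rule.get("vulnerability") and rule["vulnerability"] != match["vulnerability"]["id"]:
        return False
    pkg = rule.get("package", {})
    artifact = match["artifact"]
    for field in ("name", "version", "type"):
        if pkg.get(field) and pkg[field] != artifact.get(field):
            return False
    return True


def apply_rules(rules, report_json):
    """Split report matches into (remaining, suppressed) lists of (cve, package)."""
    remaining, suppressed = [], []
    for match in json.loads(report_json)["matches"]:
        key = (match["vulnerability"]["id"], match["artifact"]["name"])
        (suppressed if any(_rule_matches(r, match) for r in rules)
         else remaining).append(key)
    return remaining, suppressed


def stale_rules(rules, report_json):
    """Rules matching nothing in the report: candidates for removal so the file does not rot."""
    matches = json.loads(report_json)["matches"]
    return [r for r in rules if not any(_rule_matches(r, m) for m in matches)]


if __name__ == "__main__":
    for problem in lint_rules(RULES):
        print("LINT:", problem)
    left, hidden = apply_rules(RULES, SAMPLE_REPORT)
    print("still reported:", left)
    print("suppressed by ignore rules:", hidden)
    print("stale rules:", stale_rules(RULES, SAMPLE_REPORT))
```

Run it against a real report by replacing `SAMPLE_REPORT` with the contents of `grype <image> -o json` and `RULES` with the parsed `ignore:` list; the lint output is the part worth wiring into CI, so an ignore rule cannot be merged without a written reason.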
This will help developers and security engineers get along better. 😃
Grype config reference:
https://oss.anchore.com/docs/reference/grype/configuration/