The latest articles on DEV Community by TEJAS PATIL (@tejaspatil). https://dev.to/tejaspatil https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2124013%2F7d3a0b33-3fc0-436b-86df-9fe47b911825.jpeg https://dev.to/tejaspatil en TEJAS PATIL Thu, 18 Dec 2025 09:30:52 +0000 https://dev.to/tejaspatil/container-image-vulnerability-scanning-using-grype-247 https://dev.to/tejaspatil/container-image-vulnerability-scanning-using-grype-247 <p><strong>🔐 Container Image Vulnerability Scanning Using Grype</strong></p> <p>In modern DevOps workflows, container security is no longer optional. Vulnerable container images can introduce serious risks into production environments if they are not scanned properly.</p> <p>In this post, I’ll show how to use Grype, an open-source vulnerability scanner by Anchore, to scan container images easily and efficiently.</p> <p><strong>What is Grype?</strong></p> <p>Grype is a CLI tool for finding known vulnerabilities in container images and filesystems. It works by analyzing installed packages and matching them against multiple vulnerability databases.</p> <p><strong>Why Grype?</strong><br> Simple and fast CLI<br> Works with Docker and private registries<br> CI/CD friendly<br> Open source and actively maintained<br> Great alternative to Trivy</p> <p><strong>Installing Grype</strong><br> Linux Installation<br> curl -sSfL <a href="https://raw.githubusercontent.com/anchore/grype/main/install.sh" rel="noopener noreferrer">https://raw.githubusercontent.com/anchore/grype/main/install.sh</a> | sudo sh -s -- -b /usr/local/bin</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fctqj5ga7psml9htfudqz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fctqj5ga7psml9htfudqz.png" alt=" " width="800" height="155"></a><br> <strong>Verify Installation</strong><br> grype version<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54mqmxhwcerxlxi3ym8s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54mqmxhwcerxlxi3ym8s.png" alt=" " width="800" height="135"></a><br> <strong>Scanning a Container Image</strong><br> Scan a Public Image<br> grype alpine:latest</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9vskxsieqzlh9gj1l38.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9vskxsieqzlh9gj1l38.png" alt=" " width="800" height="91"></a><br> This command scans the image and displays vulnerabilities along with their severity and fix status.</p> <p><strong>Understanding the Output</strong><br> Grype reports:<br> Package name<br> Installed version<br> Vulnerability ID (CVE)<br> Severity level<br> Fixed version (if available)<br> Example output:<br> <strong>openssl 1.1.1k CVE-2023-0464 High fixed in 1.1.1t</strong></p> <p><strong>Filtering and Failing on Vulnerabilities</strong><br> Fail on High or Critical Issues<br> grype myimage:latest --fail-on high<br> This is especially useful in CI/CD pipelines to block insecure images.</p> <p><strong>Show Only Fixable Vulnerabilities</strong><br> grype myimage:latest --only-fixed</p> <p>*<em>Generating Reports json *</em><br> JSON Report<br> grype alpine:latest -o json &gt; grype-report.json</p> <p><strong>Best Practices</strong><br> Scan images early in the development lifecycle<br> Use minimal base images like alpine<br> Fix vulnerabilities before pushing images to production<br> Combine Grype with SBOM tools such as Syft<br> Automate scans in CI/CD pipelines</p> <p><strong>Conclusion</strong></p> <p>Grype is a powerful yet easy-to-use tool for container image vulnerability scanning. Its simplicity and speed make it a great choice for developers and DevOps engineers who want to improve container security without complex setup.</p> <p>If you are looking for a clean and reliable alternative to other scanners, Grype is definitely worth trying.</p> tooling containers devops security