Analyze the vulnerabilities of your Docker containers with Grype

It’s the middle of winter, and all the usual elderly folks are now vaccinated against the flu. That’s great, Raoult Raoul!

But have you thought about the health of your Docker images? Because by pulling in old and unmaintained images, you unknowingly carry their vulnerabilities into your own containers.

So, how do you find out about these vulnerabilities? Well, thanks to Grype. Despite the name it’s not a virus but an excellent vulnerability scanner that can scan Docker, OCI, and Singularity container images as well as plain file systems.

This tool is capable of detecting vulnerabilities in containerized operating systems such as Alpine, Amazon Linux, BusyBox, CentOS, Debian, Ubuntu, and also in development languages like Ruby, Java, JavaScript, Python, .NET, Golang, and not forgetting PHP!

To install it, you can download the binary from GitHub or run the following curl command:

curl -sSfL | sh -s -- -b /usr/local/bin

If you’re on a Mac, besides being a handsome guy, you can also install it with Homebrew:

brew tap anchore/grype
brew install grype

Then, to launch it, nothing could be simpler. You just call the command, followed by the name of the Docker image as it appears in the registry you pull it from. Here is an example of scanning this image from the Balena editor:

./grype balena/open-balena-vpn

And to see only the vulnerabilities for which a fix is already available, you can add the following parameter:

./grype balena/open-balena-vpn --only-fixed

By default, Grype scans only the squashed image, i.e. the files visible in the final filesystem, so a vulnerable file that was added in one layer and deleted or overwritten in a later one is missed. If you want a deeper analysis that scans every layer of the same container, add the following parameter:

./grype balena/open-balena-vpn --scope all-layers

In terms of exports, you can output all this as a table in the terminal, or as a JSON or XML report, and then query it with tools like jq.
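As an added example (not code from the article or from the Grype project), the script below ties the steps above together: it invokes grype with the --scope all-layers and --only-fixed flags discussed above plus -o json for machine-readable output, then does the kind of filtering you would otherwise do with jq, counting findings per severity and keeping only those at or above a cutoff for which Grype knows a fixed version. The report structure (matches[].vulnerability.severity, .fix.state, .fix.versions and matches[].artifact) follows Grype's JSON output; the sample report embedded at the bottom is constructed, and its CVE ids and package names are placeholders rather than real findings.

```python
"""Added example: run Grype with JSON output and gate on fixable findings.
Not part of the original article or the Grype project."""
import json
import shutil
import subprocess
import sys
from collections import Counter

# Grype's severity labels, ranked so a cutoff can be compared numerically.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def grype_json(image, all_layers=True, only_fixed=False):
    """Run grype on an image and return the parsed JSON report.
    Assumes the grype binary is on PATH. The flags are the ones the article
    shows, plus '-o json' for machine-readable output."""
    if shutil.which("grype") is None:
        raise RuntimeError("grype not found on PATH")
    cmd = ["grype", image, "-o", "json"]
    if all_layers:
        cmd += ["--scope", "all-layers"]
    if only_fixed:
        cmd.append("--only-fixed")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def summarize(report):
    """Count matches per severity, like the summary line of the table output."""
    return Counter(m["vulnerability"].get("severity", "Unknown")
                   for m in report.get("matches", []))


def fixable_at_or_above(report, cutoff="High"):
    """Return (package, version, vuln id, severity, fixed versions) for every
    match at or above the cutoff severity whose fix state is 'fixed'."""
    threshold = SEVERITY_RANK[cutoff]
    hits = []
    for m in report.get("matches", []):
        v = m["vulnerability"]
        sev = v.get("severity", "Unknown")
        if SEVERITY_RANK.get(sev, -1) < threshold:
            continue
        fix = v.get("fix", {})
        if fix.get("state") != "fixed":
            continue  # no known fix yet: report separately, do not block on it
        a = m["artifact"]
        hits.append((a["name"], a["version"], v["id"], sev, tuple(fix.get("versions", []))))
    return hits


def gate(report, cutoff="High"):
    """CI gate: print fixable findings and return 1 if any exist, else 0."""
    hits = fixable_at_or_above(report, cutoff)
    for name, version, vid, sev, fixes in hits:
        print(f"{sev:9} {vid:16} {name} {version} -> fixed in {', '.join(fixes)}")
    return 1 if hits else 0


# Constructed sample in Grype's JSON shape; ids and packages are placeholders.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "examplelib", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "otherlib", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["0.9.1"], "state": "fixed"}},
         "artifact": {"name": "somemodule", "version": "0.9.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "tinytool", "version": "3.1.0", "type": "apk"}},
    ]
}


if __name__ == "__main__":
    # With an image name as argument the real scanner runs; without one the
    # constructed sample is used so the script can be tried offline.
    report = grype_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Severity summary:", dict(summarize(report)))
    sys.exit(gate(report, "High"))
```

Run it as `python grype_gate.py balena/open-balena-vpn` in a CI step and the non-zero exit status fails the build only for findings you can actually fix by upgrading, while unfixed ones stay visible in the summary. If you just want the simple version, Grype itself has a --fail-on <severity> flag that returns exit status 1 whenever a finding at or above that severity exists.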

Grype also allows a good deal of customization. You can narrow the scope of a scan with glob expressions that exclude certain files or directories.

Another major advantage of Grype is its ability to integrate external data sources for better vulnerability matching. For example, it can analyze data from databases such as Alpine Linux SecDB or Debian Linux CVE Tracker to provide you with even more accurate information about potential vulnerabilities in your image.

Speaking of integration, if you’re working on GitHub and using GitHub Actions, Grype integrates directly into your CI workflows so that every build is scanned for vulnerabilities before it ships.

In short, Grype is an essential tool for anyone who wants to ensure the security and integrity of their Docker images and beyond. Whether it’s identifying vulnerabilities or taking advantage of advanced features such as external data sources and GitHub action integration, Grype is a valuable ally in the ongoing fight against potential vulnerabilities that can compromise your infrastructure.

Find out more here.

Mohamed SAKHRI

I'm the creator and editor-in-chief of Tech To Geek. Through this little blog, I share with you my passion for technology. I specialize in various operating systems such as Windows, Linux, macOS, and Android, focusing on providing practical and valuable guides.
