Generate an SBOM with Syft: `syft packages <image>:<tag> -o cyclonedx-json > sbom.json`
Run Grype against the SBOM: `grype sbom:sbom.json --fail-on critical` — Grype exits non-zero if any vulnerabilities at or above the threshold are found
Output results in JSON for programmatic processing: `grype sbom:sbom.json -o json > grype-report.json`
Maintain a `.grype.yaml` ignore list for accepted-risk CVEs with documented justification and expiration dates
Known gotchas
Grype's `--fail-on` threshold applies to the highest severity found; it does not support failing on counts (e.g., more than 5 HIGH findings) — combine with `jq` to implement count-based thresholds
Grype's database is updated independently of the Grype binary; always run `grype db update` in CI before scanning to use current vulnerability data
SBOM-based scanning can miss vulnerabilities in OS packages if the SBOM was generated with a tool that does not enumerate OS-level packages; validate SBOM coverage before relying on Grype-only gating
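A count-based gate with an expiring ignore list, as an added example (not Syft's or Grype's own code) over a constructed report in the shape of `grype -o json`; the `expires` field on ignore entries is an assumption of this script, since Grype's own `.grype.yaml` ignore rules carry no expiry and the gotcha above notes `--fail-on` cannot fail on counts:

```python
"""Count-based severity gate over a Grype JSON report with expiring ignores."""
import json
from datetime import date

# Constructed sample in the shape of `grype -o json` (only the fields used here).
# Grype reports severities as "Critical", "High", "Medium", "Low", "Negligible".
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"},
     "artifact": {"name": "tool", "version": "2.1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"},
     "artifact": {"name": "tool", "version": "2.1"}},
]})

# Hypothetical accepted-risk entries. Grype's ignore rules have no expiry field,
# so `expires` is enforced by this script, not by Grype itself.
IGNORE = [
    {"vulnerability": "CVE-0000-0001", "reason": "not reachable", "expires": "2099-01-01"},
    {"vulnerability": "CVE-0000-0002", "reason": "mitigated upstream", "expires": "2000-01-01"},
]

# Maximum number of unignored findings allowed per severity.
THRESHOLDS = {"Critical": 0, "High": 1, "Medium": 10}

def active_ignores(ignore, today):
    """Return the CVE ids whose ignore entry has not yet expired."""
    return {e["vulnerability"] for e in ignore
            if date.fromisoformat(e["expires"]) > today}

def count_by_severity(report_json, ignore, today):
    """Count matches per severity, skipping CVEs with an unexpired ignore."""
    skip = active_ignores(ignore, today)
    counts = {}
    for match in json.loads(report_json)["matches"]:
        vuln = match["vulnerability"]
        if vuln["id"] in skip:
            continue
        counts[vuln["severity"]] = counts.get(vuln["severity"], 0) + 1
    return counts

def gate(report_json, ignore, thresholds, today):
    """Return the list of threshold violations; an empty list means pass."""
    counts = count_by_severity(report_json, ignore, today)
    return [f"{sev}: {counts.get(sev, 0)} > {limit}"
            for sev, limit in thresholds.items() if counts.get(sev, 0) > limit]

if __name__ == "__main__":
    problems = gate(SAMPLE_REPORT, IGNORE, THRESHOLDS, date.today())
    print("\n".join(problems) or "gate passed")
    raise SystemExit(1 if problems else 0)
```

An expired ignore entry silently reactivates the finding, which is the intended failure mode: accepted risk must be re-justified rather than forgotten.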