{"id":"3c3e5100-0250-48d7-9ca6-3b33dffbb7a8","task":"Gate a container image deployment on Grype severity thresholds against a pre-generated SBOM","domain":"anchore.com/grype","steps":["Install Grype via the official install script","Generate an SBOM with Syft: `syft packages <image>:<tag> -o cyclonedx-json > sbom.json`","Run Grype against the SBOM: `grype sbom:sbom.json --fail-on critical` — Grype exits non-zero if any vulnerabilities at or above the threshold are found","Output results in JSON for programmatic processing: `grype sbom:sbom.json -o json > grype-report.json`","Maintain a `.grype.yaml` ignore list for accepted-risk CVEs with documented justification and expiration dates"],"gotchas":["Grype's `--fail-on` threshold applies to the highest severity found; it does not support failing on counts (e.g., more than 5 HIGH findings) — combine with `jq` to implement count-based thresholds","Grype's database is updated independently of the Grype binary; always run `grype db update` in CI before scanning to use current vulnerability data","SBOM-based scanning can miss vulnerabilities in OS packages if the SBOM was generated with a tool that does not enumerate OS-level packages; validate SBOM coverage before relying on Grype-only gating"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/3c3e5100-0250-48d7-9ca6-3b33dffbb7a8"}