Run grype <image-or-sbom-path> --output json > grype-results.json to scan and capture structured output; use an SBOM file as input (grype sbom:./sbom.cdx.json) to decouple scanning from image pulling.
Add a --fail-on <severity> flag (e.g., --fail-on high) to make Grype exit with a non-zero code when vulnerabilities at or above the threshold are found; verify the exact flag name in current Grype docs.
Create a .grype.yaml configuration file to specify ignore rules for CVEs that are not applicable (e.g., vulnerabilities in test dependencies or fixed-by-vendor status), reducing noise in the fail threshold.
Parse the JSON output in a post-scan step to produce a human-readable summary or comment on a pull request with the count and severity breakdown.
Pin the Grype vulnerability database update separately from the scan step to ensure reproducible scan results within a pipeline run.
Known gotchas
Grype's fail threshold applies to unfixed vulnerabilities by default in some configurations; verify whether your threshold counts only fixable CVEs or all CVEs, as this significantly affects pipeline pass rates.
The Grype database must be current to detect recent CVEs; in air-gapped environments, configure an internal mirror for the database (consult Grype docs for the feed configuration format).
False positives from vendored or statically linked components with wrong package metadata are common; maintain an ignore list in .grype.yaml and document justifications for each ignore entry.
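The post-scan JSON summary step above, and the fixed-versus-all distinction from the gotchas, as an added example (not Grype's own code and not part of the original page). It assumes Grype's JSON layout of a top-level "matches" array whose entries carry "vulnerability.severity" and "vulnerability.fix.state", and uses a small constructed report in place of a real grype-results.json.

```python
import json
from collections import Counter

# Grype severities from least to most serious (lowercased for comparison).
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of grype --output json; IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "openexample", "version": "3.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["2.0.1"]}},
         "artifact": {"name": "tool", "version": "2.0.0", "type": "python"}},
    ]
}

def load_report(path: str) -> dict:
    """Read a grype-results.json file produced by `grype ... --output json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def summarize(report: dict, only_fixed: bool = False) -> dict:
    """Count matches per severity; with only_fixed, count only matches that have a fix."""
    counts = Counter()
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        fix_state = vuln.get("fix", {}).get("state", "unknown")
        if only_fixed and fix_state != "fixed":
            continue  # unfixed CVEs are excluded from a fixable-only threshold
        counts[vuln.get("severity", "unknown").lower()] += 1
    return dict(counts)

def exceeds_threshold(counts: dict, threshold: str) -> bool:
    """True if any match is at or above the given severity (mirrors --fail-on)."""
    at_or_above = SEVERITY_ORDER[SEVERITY_ORDER.index(threshold.lower()):]
    return any(counts.get(sev, 0) > 0 for sev in at_or_above)

def render_markdown(counts: dict) -> str:
    """Render a one-line-per-severity breakdown suitable for a pull-request comment."""
    lines = ["| Severity | Count |", "|---|---|"]
    for sev in reversed(SEVERITY_ORDER):
        lines.append(f"| {sev} | {counts.get(sev, 0)} |")
    return "\n".join(lines)
```

Running summarize twice, once with only_fixed=True, makes the pass-rate difference described in the gotchas visible before choosing a threshold policy.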