Run syft against a container image or directory to generate an SBOM in CycloneDX JSON or SPDX JSON format
Pass the generated SBOM file directly to grype as input instead of rescanning the image, so every scan is evaluated against the same recorded package inventory
Review the grype output and filter by severity to identify critical and high findings requiring remediation
Configure a grype ignore file to suppress accepted findings with justification comments
Export grype results in JSON format for integration with a vulnerability management or ticketing system
Store both the SBOM and the scan results as build artifacts tied to the same image digest, so any finding can be traced back to the exact image that was inventoried and scanned
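The triage half of the procedure (steps 3 to 6), as an added example that is not part of the original page and not syft or grype code. It assumes the SBOM was produced by syft and scanned with `grype sbom:./sbom.json -o json`, reads only the `matches[].vulnerability` and `matches[].artifact` fields of that output, and uses a constructed sample scan, a constructed image digest and constructed ignore rules; the ignore matching is a simplification of grype's (exact string comparison, no regex or VEX fields), and the `justification` key is this example's way of carrying what would be a YAML comment in `.grype.yaml`. The ticket field names are this example's choice.

```python
"""Triage of grype JSON output: severity filter, ignore rules with justifications,
and a ticket export keyed to the scanned image digest.

Added example, not part of the original page and not syft/grype code. Sample data,
digest, ignore rules and ticket field names are constructed for illustration.
"""
import json
from collections import Counter

# grype severity labels, highest first
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Negligible": 1, "Unknown": 0}

# Constructed digest of the image the SBOM was generated from (step 6: tie SBOM and scan
# to one digest). In a real pipeline take it from the registry or from syft's source metadata.
IMAGE_DIGEST = "sha256:" + "ab" * 32


def _match(vid, sev, name, version, ptype, fix_versions, fix_state):
    """Build one grype-style match record (only the fields this triage reads)."""
    return {
        "vulnerability": {"id": vid, "severity": sev,
                          "fix": {"versions": fix_versions, "state": fix_state}},
        "artifact": {"name": name, "version": version, "type": ptype,
                     "purl": f"pkg:{ptype}/{name}@{version}"},
    }


# Constructed grype output, trimmed to the fields used below.
GRYPE_OUTPUT = {"matches": [
    _match("CVE-2023-0001", "Critical", "libcrypto3", "3.1.0", "apk", ["3.1.1"], "fixed"),
    _match("CVE-2023-0002", "High", "busybox", "1.36.0", "apk", [], "not-fixed"),
    _match("CVE-2023-0003", "Medium", "zlib", "1.2.13", "apk", ["1.2.13-r1"], "fixed"),
    _match("CVE-2023-0004", "High", "libcrypto3", "3.1.0", "apk", [], "wont-fix"),
    _match("CVE-2022-0005", "Low", "ssl_client", "1.36.0", "apk", [], "not-fixed"),
]}

# Accepted findings (step 4). In .grype.yaml these are entries under `ignore:` with the
# justification as a YAML comment; here the rule carries it so the export can show it.
IGNORE_RULES = [
    {"justification": "SEC-123: no upstream fix, binary not reachable from our entrypoint",
     "vulnerability": "CVE-2023-0002", "fix-state": "not-fixed",
     "package": {"name": "busybox", "type": "apk"}},
]


def rule_matches(rule, match):
    """Every field the rule specifies must agree with the match (simplified grype
    semantics: exact comparison on vulnerability id, fix-state and package name/version/type)."""
    vuln, art = match["vulnerability"], match["artifact"]
    if "vulnerability" in rule and rule["vulnerability"] != vuln["id"]:
        return False
    if "fix-state" in rule and rule["fix-state"] != vuln["fix"]["state"]:
        return False
    for key in ("name", "version", "type"):
        want = rule.get("package", {}).get(key)
        if want is not None and want != art[key]:
            return False
    return True


def triage(output, rules, min_severity="High"):
    """Split matches into actionable (>= min_severity and not ignored), suppressed
    (first matching ignore rule, with its justification) and below-threshold."""
    threshold = SEVERITY_RANK[min_severity]
    actionable, suppressed, below = [], [], []
    for m in output["matches"]:
        rule = next((r for r in rules if rule_matches(r, m)), None)
        if rule is not None:
            suppressed.append({"match": m, "justification": rule["justification"]})
        elif SEVERITY_RANK.get(m["vulnerability"]["severity"], 0) >= threshold:
            actionable.append(m)
        else:
            below.append(m)
    return actionable, suppressed, below


def severity_counts(output):
    """Finding count per severity label, for the step-3 overview."""
    return Counter(m["vulnerability"]["severity"] for m in output["matches"])


def to_tickets(actionable, image_digest, sbom_path, scan_path):
    """One ticket per (vulnerability, package) pair; the key is stable across reruns of the
    same digest so the ticketing side can dedupe. Highest severity first."""
    tickets = []
    for m in actionable:
        v, a = m["vulnerability"], m["artifact"]
        tickets.append({
            "key": f"{v['id']}:{a['purl']}",
            "severity": v["severity"],
            "fix_versions": v["fix"]["versions"],
            "fix_state": v["fix"]["state"],
            "image_digest": image_digest,
            "evidence": {"sbom": sbom_path, "scan": scan_path},
        })
    return sorted(tickets, key=lambda t: (-SEVERITY_RANK[t["severity"]], t["key"]))


if __name__ == "__main__":
    act, sup, _ = triage(GRYPE_OUTPUT, IGNORE_RULES)
    print(json.dumps(to_tickets(act, IMAGE_DIGEST, "sbom.cdx.json", "grype.json"), indent=2))
    for s in sup:
        print("suppressed", s["match"]["vulnerability"]["id"], "->", s["justification"])
```

Keeping `fix-state` in the ignore rule is deliberate: once the distribution ships a fix, the same CVE on the same package stops matching the rule and returns to the actionable list instead of staying silently accepted.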
Known gotchas
Scanning an SBOM rather than the live image means grype can only match vulnerabilities to packages the SBOM recorded; if the SBOM is incomplete, vulnerabilities in unlisted packages will be missed
Grype picks a matcher from the package type (and purl) recorded for each SBOM component; components whose ecosystem grype does not recognise, or that carry no usable type or purl, produce no matches even when vulnerabilities exist, so check the SBOM's package types before trusting a clean result
SBOM-driven scans do not detect runtime vulnerabilities in interpreted scripts or dynamically loaded modules that are not represented as package metadata