{
  "id": "6735c903-0404-4721-b55b-f7aa7dfc159a",
  "task": "Perform SBOM-driven vulnerability scanning with Syft and Grype",
  "domain": "anchore.com",
  "steps": [
    "Run syft against a container image or directory to generate an SBOM in the cyclonedx-json or spdx-json format",
    "Pass the generated SBOM file directly to grype as input instead of rescanning the image to ensure consistency",
    "Review the grype output and filter by severity to identify critical and high findings requiring remediation",
    "Configure a grype ignore file to suppress accepted findings with justification comments",
    "Export grype results in JSON format for integration with a vulnerability management or ticketing system",
    "Store both the SBOM and the scan results as build artifacts tied to the same artifact digest"
  ],
  "gotchas": [
    "Scanning an SBOM rather than the live image means grype can only match vulnerabilities to packages the SBOM recorded; if the SBOM is incomplete, vulnerabilities in unlisted packages will be missed",
    "Grype's vulnerability database must match the SBOM format's package type fields; unknown ecosystems in the SBOM may produce no matches even when vulnerabilities exist",
    "SBOM-driven scans do not detect runtime vulnerabilities in interpreted scripts or dynamically loaded modules that are not represented as package metadata"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T06:22:06.383Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:43:40.307Z"
  },
  "url": "https://mcp.waymark.network/r/6735c903-0404-4721-b55b-f7aa7dfc159a"
}