Install Grype via the official script: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin (append a release tag as the final argument to pin a version rather than taking whatever is latest), or via Homebrew.
Scan a Syft-generated SBOM file for vulnerabilities: grype sbom:./sbom.spdx.json to get a list of CVEs with severity, fix version, and package details.
Scan a container image directly without a pre-generated SBOM: grype docker.io/org/image:tag.
Output results in JSON for downstream processing: grype sbom:./sbom.spdx.json -o json > grype-results.json.
Output in SARIF format for GitHub code scanning upload: grype sbom:./sbom.spdx.json -o sarif > grype-results.sarif.
Set a severity threshold to fail CI on high or critical findings: grype sbom:./sbom.spdx.json --fail-on high; a non-zero exit code indicates at least one match at or above the threshold (the threshold itself counts, so --fail-on high also fails on critical).
Known gotchas
Grype downloads and caches a local vulnerability database on first run and checks for updates on later runs; in air-gapped environments, fetch the database archive on a connected host, load it with grype db import <archive>, point GRYPE_DB_CACHE_DIR at the cache directory, and set GRYPE_DB_AUTO_UPDATE=false so the scan does not fail trying to reach the update server.
Grype matches packages by purl and CPE; packages whose SBOM entries carry non-standard or missing metadata (no purl, wrong ecosystem type, unparseable version) may silently fail to match known advisories, producing false negatives rather than false positives, so a clean scan of a low-quality SBOM is not evidence of a clean image.
The --fail-on flag only considers the severity of matched vulnerabilities, not their fix availability; a critical vulnerability with no fix will still fail the build. Add --only-fixed to ignore matches with no fix available, or write a fix-state ignore rule in .grype.yaml, if the policy is "fail only on what we can actually patch".
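The JSON output and the --fail-on gotcha above fit together: when you want a gate that fails only on findings at or above a severity threshold that actually have a fix, while still reporting the unfixed ones, post-process the JSON instead of relying on the exit code. The script below is an added example, not Grype's own code. SAMPLE_REPORT is a constructed document that mirrors the shape of grype -o json output (top-level "matches", each with "vulnerability" and "artifact"); the vulnerability IDs and package versions in it are placeholders, not real advisories.

```python
"""Gate a build on Grype JSON output, separating fixable from unfixed findings.

Added example, not part of Grype. SAMPLE_REPORT is constructed by hand to
follow the grype -o json layout; its IDs and versions are placeholders.
"""
import json
import sys
from dataclasses import dataclass

# Grype severities as they appear in the JSON, lowercased. "unknown" never
# crosses a threshold on its own.
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    package: str
    version: str
    fix_state: str          # grype reports "fixed", "not-fixed", "wont-fix" or "unknown"
    fix_versions: tuple

    @property
    def fixable(self) -> bool:
        return self.fix_state == "fixed" and bool(self.fix_versions)


def parse_report(report: dict) -> list:
    """Flatten grype's matches[] into Finding records."""
    findings = []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        findings.append(Finding(
            vuln_id=vuln["id"],
            severity=vuln.get("severity", "Unknown").lower(),
            package=artifact["name"],
            version=artifact["version"],
            fix_state=fix.get("state", "unknown"),
            fix_versions=tuple(fix.get("versions", [])),
        ))
    return findings


def triage(findings: list, threshold: str = "high"):
    """Split findings into (blocking, unfixed, below_threshold)."""
    floor = SEVERITY_RANK[threshold.lower()]
    blocking, unfixed, below = [], [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < floor:
            below.append(f)
        elif f.fixable:
            blocking.append(f)          # at/above threshold and patchable: fail
        else:
            unfixed.append(f)           # at/above threshold, nothing to upgrade to
    return blocking, unfixed, below


def gate(report: dict, threshold: str = "high", block_unfixed: bool = False) -> int:
    """Return the exit code a CI step should use for this report."""
    blocking, unfixed, below = triage(parse_report(report), threshold)
    for f in blocking:
        print(f"FAIL  {f.vuln_id} {f.severity:<8} {f.package}@{f.version} -> fix in {', '.join(f.fix_versions)}")
    for f in unfixed:
        print(f"WARN  {f.vuln_id} {f.severity:<8} {f.package}@{f.version} ({f.fix_state})")
    print(f"{len(blocking)} blocking, {len(unfixed)} unfixed at/above {threshold}, {len(below)} below threshold")
    return 1 if blocking or (block_unfixed and unfixed) else 0


def _match(vid, sev, name, ver, ptype, state, versions):
    """Build one constructed match in grype's JSON shape."""
    return {
        "vulnerability": {"id": vid, "severity": sev, "fix": {"versions": versions, "state": state}},
        "artifact": {"name": name, "version": ver, "type": ptype, "purl": f"pkg:{ptype}/{name}@{ver}"},
    }


# Constructed sample, placeholder identifiers only.
SAMPLE_REPORT = {"matches": [
    _match("CVE-0000-0001", "Critical", "openssl", "1.0.0", "deb", "fixed", ["1.0.1"]),
    _match("CVE-0000-0002", "High", "libc6", "2.0.0", "deb", "not-fixed", []),
    _match("CVE-0000-0003", "Medium", "lodash", "4.0.0", "npm", "fixed", ["4.0.1"]),
    _match("CVE-0000-0004", "Critical", "zlib", "1.0.0", "deb", "wont-fix", []),
]}


if __name__ == "__main__":
    # Usage: grype sbom:./sbom.spdx.json -o json | python gate.py [threshold]
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    sys.exit(gate(report, sys.argv[1] if len(sys.argv) > 1 else "high"))
```

Piped a real report, the script exits 1 only for the openssl-style case (at or above threshold and a fix version exists); the libc6 and zlib-style matches are printed as warnings so they stay visible in the job log without blocking the merge. Pass block_unfixed=True to reproduce the stricter behaviour of --fail-on.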