Install Grype using the official install script or brew install anchore/grype/grype, then run grype db update to pull the latest vulnerability database
Scan the SBOM file directly with grype sbom:./sbom-cdx.json -o json > grype-results.json; the sbom: scheme prefix tells Grype to treat the input as an SBOM rather than a container image reference
Review the matches array in the output JSON; each entry carries the vulnerability ID and severity (vulnerability.id, vulnerability.severity), the matched package name and version (artifact.name, artifact.version), and the fix state and fix versions where one is known (vulnerability.fix.state, vulnerability.fix.versions)
Fail a CI pipeline on high-severity findings by adding the --fail-on high flag: grype sbom:./sbom-cdx.json --fail-on high; Grype exits with a non-zero status code when findings at or above the specified threshold exist
Use the --only-fixed flag to suppress vulnerabilities that have no available fix, reducing noise in reports where patching is not yet possible; note that suppressed findings disappear from the output entirely, so an unfixed Critical will not trip --fail-on while the flag is set, and such findings should be tracked separately
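The steps above produce a JSON report and gate on it with Grype's own flags. The following added example (not Grype's code, and not from the original page) re-implements that triage over a saved report so the same policy can be applied offline, for instance when comparing runs or when the report is reviewed by a separate job. It assumes the field layout of Grype's JSON output as described above (matches[].vulnerability.id/severity/fix and matches[].artifact.name/version); the embedded sample report is constructed for illustration and its CVE-EXAMPLE-* identifiers are placeholders, not real advisories.

```python
"""Triage a saved Grype JSON report (from `grype sbom:<file> -o json`)
with the same semantics as --fail-on and --only-fixed.

Added example; not part of Grype. The SAMPLE_REPORT below is constructed
to mirror the shape of Grype's output, with placeholder identifiers.
"""
import json
import sys

# Severity ordering used by --fail-on; "Unknown" ranks lowest.
SEVERITY_RANK = {
    "Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5,
}

# Constructed sample (subset of Grype's JSON fields); not real findings.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High",
                           "fix": {"versions": ["3.0.13"], "state": "fixed"}},
         "artifact": {"name": "tlslib", "version": "3.0.2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Medium",
                           "fix": {"versions": ["2.9.1"], "state": "fixed"}},
         "artifact": {"name": "xmllib", "version": "2.9.0", "type": "deb"}},
        {"vulnerability": {"id": "GHSA-EXAMPLE-0004", "severity": "Low",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "httpclient", "version": "2.25.0", "type": "python"}},
    ]
})


def load_matches(report_json: str) -> list:
    """Return the matches array from a Grype JSON report string."""
    return json.loads(report_json).get("matches", [])


def triage(matches: list, fail_on: str = "High", only_fixed: bool = False):
    """Return (findings, gate_failed).

    findings: flattened records, optionally restricted to fixable ones
              (the --only-fixed behaviour).
    gate_failed: True if any retained finding is at or above fail_on,
                 mirroring --fail-on's non-zero exit.
    """
    fail_on = fail_on.capitalize()
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_on}")
    threshold = SEVERITY_RANK[fail_on]

    findings = []
    for m in matches:
        vuln = m.get("vulnerability", {})
        fix = vuln.get("fix", {})
        fixed = fix.get("state") == "fixed" and bool(fix.get("versions"))
        if only_fixed and not fixed:
            continue  # same effect as --only-fixed: dropped, not downgraded
        findings.append({
            "id": vuln.get("id", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "package": m.get("artifact", {}).get("name", "?"),
            "version": m.get("artifact", {}).get("version", "?"),
            "fix_versions": list(fix.get("versions", [])),
        })

    gate_failed = any(
        SEVERITY_RANK.get(f["severity"], 0) >= threshold for f in findings
    )
    return findings, gate_failed


def severity_counts(findings: list) -> dict:
    """Count retained findings per severity, highest first."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -SEVERITY_RANK.get(kv[0], 0)))


def main(argv: list) -> int:
    """Usage: triage.py grype-results.json [fail_on] [--only-fixed]"""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = next((a for a in argv[2:] if not a.startswith("--")), "High")
    findings, failed = triage(load_matches(report), fail_on, "--only-fixed" in argv)
    for f in findings:
        fix = ",".join(f["fix_versions"]) or "no fix"
        print(f'{f["severity"]:<10} {f["id"]:<20} {f["package"]}@{f["version"]} -> {fix}')
    print("summary:", severity_counts(findings))
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real report with `python triage.py grype-results.json high --only-fixed`; the exit status matches what `grype --fail-on high --only-fixed` would return for the same findings. The sample shows the interaction noted above: the unfixed Critical fails a `critical` gate on the full report but is invisible once `--only-fixed` is applied.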
Known gotchas
The Grype vulnerability database is cached locally and must be kept current; by default Grype checks for a newer database on each run, but that check is commonly disabled in air-gapped or pinned pipelines (GRYPE_DB_AUTO_UPDATE=false), in which case grype db update must be run on a schedule. A stale database misses recently published CVEs and produces false confidence; grype db status shows the age of the cached database
Grype's handling of distro patch metadata for Red Hat and Ubuntu changed in version 0.79, and risk scoring (CVSS alongside EPSS and CISA KEV) has been reworked in later releases; older versions may report vulnerabilities on these distros that the vendor has already fixed via a backported patch without a version bump. Pin a recent Grype version in CI and record it alongside the report so results are comparable across runs
Scanning an SBOM rather than a live image means Grype can only see what the SBOM generator recorded; OS-level package metadata and the distro identification that Grype needs to apply vendor-specific fix data must be present in the SBOM, or distro matching silently degrades. The quality of results is bounded by SBOM completeness, so spot-check by scanning the image directly (grype <image>) and comparing match counts