Grype

Grype is an open-source vulnerability scanner and security tool developed by Anchore. It is designed to identify known security vulnerabilities within container images and filesystems. In the context of cybersecurity and DevSecOps, Grype is a critical component of the software supply chain security strategy, enabling organizations to detect and remediate risks before software is deployed.

The tool works by cataloging the packages and libraries installed in a target (e.g., a Docker image or a directory) and matching them against a comprehensive database of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) database.

Core Capabilities of Grype

Grype is engineered for speed and accuracy, making it suitable for modern, fast-paced development environments. Its primary capabilities include:

• Container Image Scanning: Grype can analyze container images from various registries (like Docker Hub, Amazon ECR, and Google GCR) or local Docker daemons to find vulnerabilities in the operating system packages (e.g., Alpine, Debian, RedHat) and language-specific dependencies.

• Filesystem Scanning: Beyond containers, Grype can scan local directories and archives (like tar, zip, or jar files) to identify vulnerable libraries embedded within application code.

• SBOM Support: Grype is designed to consume Software Bill of Materials (SBOMs) generated by its companion tool, Syft, or other compatible generators. Scanning an SBOM is significantly faster than scanning a raw image because the "inventory" step is already complete.

• Multi-Level Database: It pulls vulnerability data from multiple upstream sources, including the National Vulnerability Database (NVD), GitHub Security Advisories, and vendor-specific security feeds (Canonical, Red Hat, Debian, etc.), ensuring broad coverage.

The Role of Grype in DevSecOps

Grype is a staple tool in the "Shift Left" security movement, where security testing is moved earlier in the software development lifecycle (SDLC).

• CI/CD Integration: Grype is frequently embedded into Continuous Integration/Continuous Deployment (CI/CD) pipelines (e.g., GitHub Actions, GitLab CI, Jenkins). It can automatically block a build if a vulnerability exceeds a specified severity threshold (e.g., Critical or High).

• Registry Monitoring: Organizations use Grype to periodically re-scan images stored in their private registries. Since new vulnerabilities are discovered daily, an image that was safe yesterday might be vulnerable today. Grype helps detect this "configuration drift."

• Compliance Validation: By generating reports on vulnerability exposure, Grype helps teams demonstrate compliance with security standards that require regular patching and vulnerability management.

Frequently Asked Questions About Grype

What is the difference between Grype and Syft?

Syft and Grype are complementary tools developed by Anchore.

• Syft is a CLI tool and library for generating a Software Bill of Materials (SBOM) from container images and filesystems. It tells you what is in your software (the ingredients).

• Grype is a vulnerability scanner. It takes the output from Syft (or scans the image directly) and tells you what is dangerous about those ingredients (the rot).

Is Grype free to use?

Yes, Grype is free and open-source software licensed under the Apache License 2.0.

Can Grype fix the vulnerabilities it finds?

No. Grype is a detection tool, not a remediation tool. It identifies the vulnerabilities and provides details such as the fixed version number (if available), but it does not automatically patch the software or rebuild the container image.

What output formats does Grype support?

Grype supports multiple output formats to fit different workflows, including JSON (for programmatic parsing), tabular text (for human readability), CycloneDX (for SBOM interoperability), and SARIF (Static Analysis Results Interchange Format) for integration with other security dashboards.

Does Grype require Docker to run?

No. Grype is a standalone binary. While it can interact with the Docker daemon to scan local images, it can also scan images directly from registries or scan local directories without requiring a container runtime.

Integrating ThreatNG and Grype for Supply Chain Security

Combining ThreatNG’s External Attack Surface Management (EASM) with Grype’s vulnerability scanning creates a robust defense against software supply chain attacks. ThreatNG identifies exposed assets and repositories from an external perspective, while Grype provides the deep internal analysis of those assets to identify specific software vulnerabilities (CVEs).

This collaboration ensures that organizations not only know what assets are exposed but also how vulnerable the underlying software within those assets is.

External Discovery: Locating Scannable Artifacts

Grype requires a file, directory, or container image to scan. ThreatNG’s External Discovery engine acts as the "pointer," identifying these artifacts across the public internet so they can be retrieved and audited.

• Discovering Exposed Registries: ThreatNG performs unauthenticated discovery to locate exposed cloud resources, including misconfigured Docker registries or Amazon ECR instances. Once identified, Grype can be directed to scan the images stored within these exposed registries to determine if they contain outdated or vulnerable packages.

• Identifying Shadow Code: ThreatNG maps the organization's footprint on code hosting platforms, often finding "Shadow Code"—repositories created by developers outside of standard governance. ThreatNG flags these repositories, allowing security teams to clone them and run Grype against the codebase to check for insecure dependencies defined in package.json or requirements.txt.

External Assessment: Validating Supply Chain Risk

ThreatNG’s External Assessment capabilities highlight susceptibilities in areas directly related to software composition, which Grype can then technically validate.

Mobile App Exposure

• ThreatNG Assessment: The solution scans mobile marketplaces to identify the organization's published mobile apps. It assesses them for hardcoded secrets and platform-specific risks.

• Grype Integration: Once ThreatNG identifies a mobile application (APK or IPA), the binary can be fed into Grype. Grype analyzes the compiled application's filesystem to list all third-party libraries (e.g., okhttp, retrofit, openssl). It then matches these libraries against vulnerability databases to report whether the mobile app ships with known critical vulnerabilities.

Supply Chain & Third-Party Exposure

• ThreatNG Assessment: ThreatNG maps the technologies and third-party SaaS providers connected to the organization’s infrastructure.

• Grype Integration: When ThreatNG identifies a reliance on a specific open-source component or vendor software, Grype serves as the validation tool. Security teams can scan the "Golden Images" provided by these third-party vendors with Grype to ensure they are clean before deploying them into the production environment mapped by ThreatNG.

Investigation Modules: Deep Dive Analysis

ThreatNG’s investigation modules provide the context required to prioritize Grype scans effectively.

Sensitive Code Exposure

• ThreatNG Context: This module monitors public repositories for leaks, including configuration files and source code.

• Grype Application: If ThreatNG alerts on a public repository containing a Dockerfile or a build manifest, Grype can be triggered to scan that specific manifest. This allows teams to detect if a developer is publicly building an image based on a vulnerable base OS (e.g., FROM node:10), effectively stopping a vulnerable container from being built and deployed.

Technology Stack Investigation

• ThreatNG Context: ThreatNG identifies the specific versions of web servers, frameworks, and languages running on external assets (e.g., "The target is running Python 2.7" or "Apache Tomcat 9.0.1").

• Grype Application: While ThreatNG identifies the running service version from the outside, Grype validates the internal packages supporting it. If ThreatNG detects an "Nginx" header, Grype scans the underlying container to reveal the vulnerability status of the Linux distro packages (such as glibc or openssl) that the Nginx server relies on.

Intelligence Repositories (DarCache)

ThreatNG’s DarCache enriches Grype’s vulnerability findings with actionable threat intelligence.

• Vulnerability Prioritization (KEV & EPSS): Grype might output a list of 500 CVEs for a single container image. ThreatNG’s integration with Vulnerability Intelligence filters this noise. It correlates the CVEs found by Grype with the Known Exploited Vulnerabilities (KEV) list and EPSS scores. This allows the security team to ignore "theoretical" risks and focus on the specific library vulnerability that hackers are actively exploiting in the wild.

• Ransomware Correlation: If Grype finds a vulnerability in a specific remote access tool or VPN client embedded in an image, ThreatNG’s Ransomware Groups repository can flag if that specific software version is a known entry point for active ransomware gangs, elevating the remediation priority to critical.

Reporting and Continuous Monitoring

The combination provides a closed-loop system for managing software risk.

• Continuous Monitoring Loop: ThreatNG monitors the external perimeter 24/7. If a new subdomain hosting a software artifact (like a testing portal or a file server) appears, it triggers an alert. This prompts an immediate Grype scan of any files or software hosted on that new asset to ensure no vulnerabilities are being introduced to the perimeter.

• Unified Reporting: A combined report offers a holistic view of risk. ThreatNG provides the "Asset Risk" (e.g., "This server is exposed to the internet"), while Grype provides the "Software Risk" (e.g., "This server is running a library with a CVSS 9.8 vulnerability"). Together, they provide the full context needed for executive decision-making.

Complementary Solutions

ThreatNG and Grype work seamlessly alongside other DevSecOps tools to automate security.

CI/CD Pipelines (Jenkins, GitHub Actions)

• Workflow: ThreatNG continuously updates the list of "authorized" repositories and registries. The CI/CD pipeline uses this list to enforce Grype scans.

• Benefit: This ensures that Grype is not just scanning known projects but is also dynamically applied to new projects discovered by ThreatNG, preventing "Shadow Code" from bypassing security checks.

Software Bill of Materials (SBOM) Management

• Workflow: ThreatNG identifies the external software assets. Grype scans them to generate an SBOM (via tools like Syft) and analyzes it for vulnerabilities.

• Benefit: This helps organizations build a complete inventory of their software supply chain, matching the "External View" (ThreatNG) with the "Internal Composition" (Grype/SBOM).

Frequently Asked Questions

Does ThreatNG scan container images directly? ThreatNG identifies where the images or code are located (external discovery). Grype is a specialized tool that performs a deep inspection of the image contents.

How does this help with Zero-Day vulnerabilities? When a new Zero-Day is announced (e.g., Log4j), ThreatNG identifies all assets running Java-based technologies. Grype is then used to scan the filesystems of those specific assets to confirm the presence of the vulnerable log4j-core library version.

Can this combination detect open-source risks? Yes. ThreatNG finds the open-source repositories your organization is using or exposing. Grype scans the dependencies defined in those repositories to identify vulnerable open-source packages.