← SCA Tools Feed
Grype
コンテナイメージとファイルシステム向け脆弱性スキャナー(Syftと連携)。
基本情報
機能
機能
対応
コンテナスキャン
✅
言語/ライブラリスキャン
✅
SBOM生成
✅
ポリシー評価
❌
IaCスキャン
❌
シークレット検出
❌
ライセンススキャン
❌
ビルドツールプラグイン
❌
APIサーバー
❌
SSH無エージェントスキャン
❌
ダッシュボード
❌
集中管理
❌
機能一覧の情報源: 公式ドキュメント
リリース履歴
情報源: https://github.com/anchore/grype/releases
v0.115.0 — 2026-06-26 security
v0.115.0
Added Features
emit golang.org/x/net vulns from govlundb [PR #3534 @willmurphyscode]
Merge Go vuln matches with GHSA matches [Issue #3515 ]
Bug Fixes
only emit records for stdlib [PR #3527 @willmurphyscode]
mark hummingbird distro as rolling [PR #3521 @willmurphyscode]
disable go stdlib CPE matching by default [PR #3517 @willmurphyscode]
merge in custom ranges when applicable [PR #3514 @willmurphyscode]
exclude linux-kbuild deb indirect matches by default [PR #3506 @westonsteimel]
avoid panic on invalid RHEL version IDs [PR #3490 @jspilman]
Support reading CycloneDX 1.7 SBOMs [Issue #3373 ]
Grype cannot read mariadb version correctly [Issue #3452 ]
grype hangs when downloading certain images using registry client [Issue #3492 ]
Can we get a fix for these Critical findings reported for grype [Issue #3484 ]
Additional Changes
Security: bump golang.org/x/crypto to v0.52.0 to resolve multiple CVEs [Issue #3493 ]
Security: bump golang.org/x/net to v0.55.0 to resolve CVEs [Issue #3494 ]
Dependencies
35 dependency changes (31 updated, 3 added, 1 removed). 5 vulnerabilities remediated.
🟢 Remediated (5)
Updated (31 packages)
- github.com/ProtonMail/go-crypto `v1.4.0` → `v1.4.1`
- github.com/anchore/bubbly `v0.2.0` → `v0.2.1`
- github.com/anchore/clio `v0.1.0` → `v0.1.1`
- github.com/anchore/fangs `v0.1.0` → `v0.1.1`
- github.com/anchore/go-collections `v0.1.0` → `v0.1.1`
- github.com/anchore/go-homedir `v0.1.0` → `v0.1.1`
- github.com/anchore/go-logger `v0.1.0` → `v0.1.1`
- github.com/anchore/go-lzo `v0.1.0` → `v0.1.1`
- github.com/anchore/go-macholibre `v0.1.0` → `v0.1.1`
- github.com/anchore/go-make `v0.5.0` → `v0.8.0`
- github.com/anchore/go-struct-converter `v0.1.0` → `v0.2.0-rc2`
- github.com/anchore/go-sync `v0.1.0` → `v0.1.1`
- github.com/anchore/stereoscope `v0.2.1` → `v0.2.2`
- github.com/anchore/syft `v1.45.1` → `v1.46.0`
- github.com/charmbracelet/colorprofile `v0.4.1` → `v0.4.3`
- github.com/clipperhouse/displaywidth `v0.10.0` → `v0.11.0`
- github.com/clipperhouse/uax29/v2 `v2.6.0` → `v2.7.0`
- github.com/containerd/containerd/v2 `v2.3.1` → `v2.3.2` **(🟢 remediated [GHSA-33vj-92qq-66hc](https://github.com/advisories/GHSA-33vj-92qq-66hc), [GHSA-cvxm-645q-p574](https://github.com/advisories/GHSA-cvxm-645q-p574), [GHSA-jpcc-p29g-p8mq](https://github.com/advisories/GHSA-jpcc-p29g-p8mq), [GHSA-rgh6-rfwx-v388](https://github.com/advisories/GHSA-rgh6-rfwx-v388), [GHSA-xhf5-7wjv-pqxp](https://github.com/advisories/GHSA-xhf5-7wjv-pqxp))**
- github.com/docker/cli `v29.4.3+incompatible` → `v29.5.3+incompatible`
- github.com/google/go-containerregistry `v0.21.6` → `v0.21.7`
- github.com/mattn/go-runewidth `v0.0.19` → `v0.0.21`
- github.com/spdx/tools-golang `v0.5.7` → `v0.6.0-rc4`
- github.com/sylabs/sif/v2 `v2.24.0` → `v2.24.1`
- golang.org/x/crypto `v0.52.0` → `v0.53.0`
- golang.org/x/mod `v0.36.0` → `v0.37.0`
- golang.org/x/net `v0.55.0` → `v0.56.0`
- golang.org/x/sync `v0.20.0` → `v0.21.0`
- golang.org/x/sys `v0.45.0` → `v0.46.0`
- golang.org/x/term `v0.43.0` → `v0.44.0`
- golang.org/x/text `v0.37.0` → `v0.38.0`
- golang.org/x/tools `v0.45.0` → `v0.46.0`
Added (3 packages)
- github.com/piprate/json-gold `v0.7.0`
- github.com/pquerna/cachecontrol `v0.0.0-1555304`
- github.com/tailscale/hujson `v0.0.0-ecc657c`
Removed (1 package)
- github.com/google/osv-scanner `v1.9.2`
(Full Changelog)
v0.114.0 — 2026-06-05 feature
v0.114.0
Added Features
Add ability to scan zarf packages [#3329 #3366 @brandtkeller]
Additional Changes
respect withdrawn status of Go Vuln DB OSV records [#3495 @willmurphyscode]
Govulndb OSV transformer [#3485 @willmurphyscode]
(Full Changelog)
v0.113.0 — 2026-06-03 bugfix
v0.113.0
Added Features
Include Ubuntu 26.04 "resolute" in distro codenames [#3397 @anchore-oss-update-bot]
source RPM filtering on Hummingbird [#3410 @willmurphyscode]
Bug Fixes
use relatedVulnerabilities description as fallback in SARIF output [#3271 @axidex]
improve platform CPE determination logic [#3470 @westonsteimel]
normalize uppercase V in semantic version comparison [#3461 @immanuwell]
purl handling in cgr maven libs [#3420 @willmurphyscode]
Treat uppercase V prefixes the same as lowercase v prefixes in fuzzy version comparison [#3037 #3089 @wasup-yash]
Add Runtime Warnings When TLS Verification Is Disabled or HTTP Is Enabled [#3101 #3396 @Dashtid]
Add support for the aarch64 architecture when parsing the version of Ruby gems in lockfiles [#3442 #3475 @msnandhis]
zsh completion fails [#2933 #3433 @brandtkeller]
(Full Changelog)
v0.112.0 — 2026-05-01 feature
v0.112.0
Added Features
Expand ignore rules to owned sub packages of distro packages [#3368 #3326 @kzantow]
Additional Changes
update anchore dependencies [#3391 @anchore-oss-update-bot]
(Full Changelog)
v0.111.1 — 2026-04-22 bugfix
v0.111.1
Bug Fixes
apply overlap by ownership removal to dynamically created relationships [#3363 @kzantow]
compare mismatched package / db versions [#3372 @kzantow]
Grype doesn't recognize debian component when "group" : "debian" is specified [#2967 ]
HelpURI missing information in SARIF output [#2874 #3351 @will-bates11]
(Full Changelog)
v0.111.0 — 2026-04-09 security
v0.111.0
Added Features
db diff for v6 [#3277 @kzantow]
add ProvideFromReader for in-memory SBOM processing [#3344 @jspilman]
match on hummingbird [#3331 @willmurphyscode]
CSAF vex transformer [#3349 @willmurphyscode]
curated mapping of known CPE to grype package specifiers [#3332 @westonsteimel]
templates/html.tmpl - Add Grype version and vulnerability DB version [#2877 #3345 @kenvez]
Bug Fixes
normalise version constraint types in v6 db [#3328 @westonsteimel]
set alpm ecosystem for Arch Linux packages [#3324 @westonsteimel]
spec-compliant CPE string formatting for db search commands [#3308 @westonsteimel]
Update APK NAK handling to be based on ownership-by-file-overlap relationship [#3267 #3286 @kzantow]
Wrong version output [#3306 ]
Additional Changes
update anchore dependencies [#3321 @anchore-oss-update-bot]
update tool versions [#3319 @anchore-oss-update-bot]
(Full Changelog)
v0.110.0 — 2026-03-19 bugfix
v0.110.0
Added Features
suppress GHSA matches on language packages in fixed APKs [#3282 @willmurphyscode]
Bug Fixes
use Syft for decoding CPEs [#3058 @chovanecadam]
Additional Changes
bump github.com/buger/jsonparser to v1.1.2 [#3297 @willmurphyscode]
update quality gate labels [#3293 @westonsteimel]
(Full Changelog)
v0.109.1 — 2026-03-09 security
v0.109.1
Bug Fixes
CVE-2025-12183 is not detected even if vulnerable jar is present [#3205 ]
Additional Changes
migrate fixtures to testdata [#3263 @wagoodman]
(Full Changelog)
v0.109.0 — 2026-02-19 bugfix
v0.109.0
Added Features
Strip v prefix from apk versions [#3239 @wagoodman]
Bug Fixes
missing EPSS/KEV should not be fatal error [#3224 @willmurphyscode]
Additional Changes
update build flag to use provenance=false [#3243 @spiffcs]
update to check-latest golang for ci [#3238 @spiffcs]
enable fedora OS transformer [#3232 @willmurphyscode]
Port grype-db lib to grype [#3149 @wagoodman]
(Full Changelog)
v0.108.0 — 2026-02-10 bugfix
v0.108.0
Added Features
enable disabling EOL warnings [#3204 @willmurphyscode]
Bug Fixes
fix fallback on major only distro [#3213 @willmurphyscode]
VEX Documents still not working with syft sbom [#3167 ]
VEX: minimal OpenVEX Example not working [#3212 ]
Additional Changes
support more accurate scanning for postmarketos [#3182 @westonsteimel]
charmbracelet/bubbletea erases grype ui status line [#3214 @spiffcs]
bump labels and add several test images [#3215 @westonsteimel]
improve VEX product and subcomponent matching [#3168 @dariozachow]
(Full Changelog)
v0.107.1 — 2026-02-03 other
v0.107.1
Additional Changes
support context cancellation while finding vuln matches [#3200 @luhring]
(Full Changelog)
v0.107.0 — 2026-01-29 bugfix
v0.107.0
Added Features
Add secureos distro [#3086 @divolgin]
add hex matcher for Erlang/Elixir ecosystem [#3194 @willmurphyscode]
Bug Fixes
disable version fallback in EOL query [#3195 @willmurphyscode]
VEX documents with docker.io registry reference not matching, require index.docker.io instead [#2818 #3172 @jainlakshya]
(Full Changelog)
v0.106.0 — 2026-01-27 bugfix
v0.106.0
Added Features
warn about packages from EOL distros [#3171 @willmurphyscode]
make it configurable what grype assumes when incoming package to grype is missing dpkg/RPM epoch [#2964 #2976 @willmurphyscode]
Bug Fixes
RHEL EUS: --only-fixed should filter out matches are not fixed in the current EUS version [#2847 #3181 @willmurphyscode]
Additional Changes
support scientific linux [#3175 @westonsteimel]
(Full Changelog)
v0.105.0 — 2026-01-15 feature
v0.105.0
Added Features
Add archlinux matcher to grype [#3154 @willmurphyscode]
(Full Changelog)
v0.104.4 — 2026-01-08 bugfix
v0.104.4
Bug Fixes
preserve local version segment in constraints for PEP 440 comparison [#3146 @willmurphyscode]
Additional Changes
correct help text for return code for fail-on severity option [#3138 @u-ways]
(Full Changelog)
v0.104.3 — 2025-12-22 bugfix
v0.104.3
Bug Fixes
Use specifier matching rules when comparing python versions [#3121 @wagoodman]
(Full Changelog)
v0.104.2 — 2025-12-09 bugfix
v0.104.2
Bug Fixes
Since version 0.104.0 shaded jars are not reported [#3098 ]
db search fails with misleading message (out of memory) when no db is present [#3049 #3077 @JvD-Ericsson]
Additional Changes
replace os.Chdir with t.Chdir in test code [#3067 @joonas]
(Full Changelog)
v0.104.1 — 2025-11-24 bugfix
v0.104.1
Bug Fixes
Redact during file output [#3068 @kzantow]
Unaffected match table does not filter results if CPE matching is enabled [#3056 #3066 @kzantow]
Additional Changes
Migrate grype to use mholt/archives instead of anchore fork [#3036 @joonas]
(Full Changelog)
v0.104.0 — 2025-11-17 security
v0.104.0
Added Features
Add --from flag [#3035 @wagoodman]
Let a suppression expire to prevent that one will forget to resolve a vulnerability [#3031 ]
Bug Fixes
Unnormalized fix version triggers false-positive in mssql-jdbc [#3042 #3034 @jamestexas]
Additional Changes
junit template use CDATA block to prevent XML parse errors [#3019 @nvtkaszpir]
Keep nested loggers labeled [#3040 @wagoodman]
(Full Changelog)
v0.103.0 — 2025-11-03 feature
v0.103.0
Added Features
Allow hyphen in version string [#3021 @willmurphyscode]
Respect rpmmod PURL qualifier [#3020 @willmurphyscode]
(Full Changelog)
v0.102.0 — 2025-10-23 bugfix
v0.102.0
Added Features
Use Alma Linux specific advisories for Alma Linux scans [#2745 #2939 @willmurphyscode]
Bug Fixes
Bitnami packages with CPEs are not matched against CPE-based vulnerabilities [#2997 ]
Additional Changes
add markdown template [#2987 @sebdanielsson]
(Full Changelog)
v0.101.1 — 2025-10-16 bugfix
v0.101.1
Bug Fixes
Panic error scanning images with v0.101.0 on some java dependencies [#3002 ]
(Full Changelog)
v0.101.0 — 2025-10-15 bugfix
v0.101.0
Added Features
Add cyclonedx to RpmMetadata [#2935 @sfc-gh-rmaj]
grype db search can filter by fixed state [#2968 @willmurphyscode]
Support using VEX documents with directory scans and SBOMs [#2471 #2811 @alegrey91]
Bug Fixes
Issue installing Grype using documented curl command [#2985 ]
Advisory ID blank in JSON output [#2965 ]
Additional Changes
update flags with v3 to not use default config [#3000 @spiffcs]
fix Cosign documentation URL in installer [#2995 @lime]
set advisory id again [#2979 @willmurphyscode]
add db schema validation [#2962 @willmurphyscode]
(Full Changelog)
v0.100.0 — 2025-09-15 feature
v0.100.0
Added Features
Add unaffected package and CPE stores [#2888 @wagoodman]
use unaffected match table to remove appropriate vulns [#2886 @CrosleyZack]
(Full Changelog)
v0.99.1 — 2025-08-30 bugfix
v0.99.1
Bug Fixes
Present fix available version in grype JSON output [#2905 @wagoodman]
detect patch numbers in fuzzy version comparison [#2844 @willmurphyscode]
Make timestamp in output configurable (so that results are more reproducible) [#522 #2724 @gabetrau]
Grype .98 misidentifies the container package version [#2884 ]
(Full Changelog)
v0.99.0 — 2025-08-27 security
v0.99.0
Added Features
Add fix availability information to DB schema [#2862 @wagoodman]
Add support vulnerability matching for raspbian [#2893 @westonsteimel]
Add Vex CSAF support [#1826 @juan131]
Bug Fixes
include channel in grype db search output [#2873 @willmurphyscode]
add UnmarshalJSON to fix availability blob [#2889 @willmurphyscode]
Grype misdetect Grafana version [#2783 ]
Breaking Changes
CSAF support [#1826 @juan131]
(Full Changelog)
v0.98.0 — 2025-08-13 feature
v0.98.0
Added Features
move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [#2861 @westonsteimel]
(Full Changelog)
v0.97.2 — 2025-08-08 bugfix
v0.97.2
Grype v0.97.2
Added Features
new syft version adds binary classifier for hashicorp vault [#4121 @willmurphyscode]
Bug Fixes
fix: update syft's nondeterministic Java archive purl and improve groupID for better matching [#3521 #4118 @kzantow]
(Full Changelog)
v0.97.1 — 2025-08-01 bugfix
v0.97.1
Bug Fixes
Multiple EUS advisories where only some are fixed result in unexpected vulnerabilities [#2840 #2841 @kzantow]
(Full Changelog)
v0.97.0 — 2025-07-30 bugfix
v0.97.0
Added Features
Bug Fixes
Error scanning snap "unsupported source: source.SnapMetadata" [#2819 #2821 @kzantow]
Additional Changes
add channel to os / distro [#2782 @wagoodman]
(Full Changelog)
v0.96.1 — 2025-07-21 feature
v0.96.1
Syft Improvments
Update to latest version of syft v1.29.0
Performance Improvements
Create ignore regex objects conditionally[#2805 @wagoodman ]
(Full Changelog)
v0.96.0 — 2025-07-15 bugfix
v0.96.0
Added Features
Added the EPSS score and KEV indications as CycloneDX vulnerabilities.ratings entries [#2695 #2765 @AlinaPodoba]
Bug Fixes
The go run and go install broken due to useless redirect directive in go.mod [#2777 #2780 @stefanb]
EPSS implementation using percentile instead of percent probability [#2778 #2785 @wagoodman]
Latest version of grype with V6 schema lists incorrect URL for v6 database [#2513 ]
Additional Changes
Add more detail around cataloging and DB load log statements [#2779 @wagoodman]
add version set and combined constraint [#2763 @wagoodman]
add v6 OS store [#2766 @wagoodman]
(Full Changelog)
v0.95.0 — 2025-07-02 security
v0.95.0
Added Features
Add string severity to db search json results [#2730 @wagoodman]
Add package specifier overrides for kb, dpkg, and apkg [#2742 @westonsteimel]
Bug Fixes
show related NVD records for non-NVD matches [#2755 @kzantow]
assume that a vulnerability with no ranges is always vulnerable [#2759 @wagoodman]
DB should hydrate for when the client has new features [#2758 @wagoodman]
show relationship back to NVD for all CVE ids [#2756 @westonsteimel]
properly escape CPE segments [#2731 @kzantow]
msrc matcher should search by package ecosystem, not by distro [#2748 @westonsteimel]
Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [#2768 #2772 @willmurphyscode]
malformed CPE in grype db search output [#2767 #2769 @westonsteimel]
vex documents from the --vex flag do get processed or applied to the output correctly [#1836 #2741 @willmurphyscode]
Additional Changes
replace deprecated GoReleaser configurations [#2729 @emmanuel-ferdman]
specify types for all match details [#2762 @wagoodman]
Refactor the version package [#2735 @wagoodman]
(Full Changelog)
2026-07-10 22:23 UTC 時点の情報