Why does Grype randomly fail in my CI pipeline?

Usually because the vulnerability database download failed or timed out. I've hit this shit dozens of times and it's always infuriating. Quick fixes: ```bash # Cache the database directory export GRYPE_DB_CACHE_DIR=/path/to/persistent/cache # Or pre-download it grype db update # Set a longer timeout grype my-app:latest --timeout 5m ``` If you're on a shitty network or behind a corporate proxy, download the database once and distribute it offline.

How do I stop Grype from complaining about vulnerabilities I can't fix?

Create a `.grype.yaml` file and tell it to shut up about specific things: ```yaml ignore: # This CVE doesn't affect us - vulnerability: "CVE-2022-12345" # Ignore test dependencies - package: location: "**/test/**" # Ignore specific package in specific location - package: name: "vulnerable-lib" location: "/app/legacy/**" ``` Don't ignore everything though - that defeats the purpose.

Grype says my Alpine image has 50 critical vulnerabilities but I'm using the latest version. WTF?

Welcome to Alpine vulnerability hell. Three possibilities: 1. **Alpine SecDB lag**: Alpine's security database sometimes lags behind CVE publications 2. **Package name mismatches**: CVE databases use Debian package names, Alpine uses different names 3. **False positives in musl-based packages**: Some CVEs are specific to glibc but get flagged for musl Try scanning the same app on Ubuntu base image - if it's cleaner, it's an Alpine-specific issue.

This scan is taking forever on my Java app. Is it broken?

Probably not broken, just slow. Large JAR files (looking at you, Spring Boot fat JARs) can take 2-3 minutes to scan. Options: ```bash # Increase timeout grype my-java-app:latest --timeout 10m # Or use SBOM scanning (much faster) syft my-java-app:latest -o json > app.json grype sbom:app.json ``` If it's still hanging, there might be a corrupted JAR in your image.

Can I run this without Docker installed?

Yes, and it's actually better for CI environments: ```bash # Scan directly from registry grype registry:my-registry.com/app:v1.2.3 # Scan exported tar grype docker-archive:exported-image.tar ``` No Docker daemon required. Saves you from the Docker-in-Docker headache.

The database download is killing my CI build time. How do I cache it?

Set up persistent caching: ```bash # GitHub Actions - uses: actions/cache@v3 with: path: ~/.cache/grype key: grype-db-${{ github.run_id }} restore-keys: grype-db- # Or use a specific cache dir export GRYPE_DB_CACHE_DIR=/tmp/grype-cache ``` The database is ~150MB and changes daily. Cache it or suffer the download time every build.

Why is Grype showing different results than last week for the same image?

Because the vulnerability database updates constantly. A CVE that didn't exist last week exists now. This is expected behavior. If you need reproducible scans, pin the database version: ```bash # Use specific database version grype db import grype-db-2025-09-15.tar.gz grype my-app:latest --offline ```

How do I scan images in a private registry with weird auth?

Grype respects Docker config, but if that fails: ```bash # Set registry auth explicitly export GRYPE_REGISTRY_AUTH_USERNAME=myuser export GRYPE_REGISTRY_AUTH_PASSWORD=mypass # Or use service account in Kubernetes grype registry:private-registry.com/app:latest ``` If you're still getting auth errors, the registry probably has non-standard auth. Check their docs.

Can I ignore all the test dependencies that show vulnerabilities?

Yes, and you should: ```yaml # .grype.yaml ignore: - package: location: "**/node_modules/**/test/**" - package: location: "**/test/**" - package: location: "**/*test*/**" ``` Test deps with vulnerabilities don't affect production, so ignore them.

Grype found a critical vulnerability but there's no fix available. Now what?

1. **Check if it actually affects you**: Read the CVE details. Many vulns require specific conditions to exploit. 2. **Look for alternative packages**: Switch to a maintained fork or different library. 3. **Ignore it temporarily**: Add it to your ignore list with a comment explaining why: ```yaml ignore: - vulnerability: "CVE-2023-12345" # No fix available, not exploitable in our use case # Review in Q1 2026 ``` 4. **Build from source**: If it's an OS package, compile a patched version yourself. Don't just ignore it forever though.

Why does my scan suddenly report 200 new vulnerabilities when nothing changed?

Because some asshole security researcher dropped a new CVE overnight that affects a library you've been using for 2 years. This is why I fucking hate dependency management. The vulnerability was always there - we just didn't know about it yet. Welcome to security. The database updates daily with new CVE discoveries, so yesterday's "clean" image becomes today's security nightmare. Worst case I've seen: some OpenSSL CVE dropped on a Friday and suddenly all our services were flagged as critically vulnerable. Spent the weekend rebuilding everything just to find out it didn't even apply to our setup.

Grype worked fine yesterday, now it says "cannot connect to database". WTF happened?

Your corporate firewall probably started blocking the database download URLs, or Anchore changed their CDN and your proxy whitelist is outdated. I've seen this kill builds for entire teams. Try: ```bash # Force a fresh download rm -rf ~/.cache/grype && grype db update # Or check network connectivity curl -I https://github.com/anchore/grype ``` If that fails, you're probably behind a corporate proxy that needs configuration or your IT department broke something.

Does this work in air-gapped environments?

Yes, better than most tools. Download the database on a connected machine: ```bash grype db update grype db export grype-db.tar.gz ``` Copy to air-gapped system: ```bash grype db import grype-db.tar.gz grype my-app:latest --offline ``` Remember to update the database periodically or you'll miss new vulnerabilities.

Why is Grype flagging vulnerabilities in packages I'm not even using?

Because Docker layers include the entire base image, including packages you never touch. Pull `ubuntu:20.04` and you get 200+ packages whether you use them or not. This is especially painful with full OS images. That's why Alpine exists - smaller attack surface, fewer packages to worry about. But then you get different problems with musl vs glibc compatibility. The real solution is distroless images, but good luck convincing your team to rebuild everything from scratch.

I'm getting "exit status 1" but Grype isn't telling me why

Set `GRYPE_LOG_LEVEL=debug` and run it again. Usually it's a permission issue, corrupted cache, or the image doesn't exist where you think it does. ```bash export GRYPE_LOG_LEVEL=debug grype my-app:latest ``` 90% of the time it's because you're trying to scan `my-app:latest` but the image is actually tagged as `my-app:v1.2.3` and latest doesn't exist.

Grype works fine on Linux but fails on Windows with weird errors

Windows file paths are absolute cancer and Grype doesn't handle them gracefully. Common issues: - Cache directory path too long (Windows 260 char limit from 1995) - Spaces in paths break the binary execution - Windows Defender quarantines the binary randomly - WSL2 vs native Windows causes Docker socket confusion - Corporate antivirus false positives every fucking week Use WSL2 if possible, or explicitly set all paths with forward slashes and no spaces. Better yet, use Linux.

Currently viewing the AI version

Switch to human version

Grype Vulnerability Scanner - AI-Optimized Technical Reference

Core Functionality

Purpose: Command-line tool for scanning Docker images, OS packages, and language dependencies for known security vulnerabilities

Database: Downloads ~150MB vulnerability database updated daily from multiple sources:

NIST NVD (National Vulnerability Database)
Alpine SecDB
Ubuntu Security Notices
Other CVE feeds

Scan Process: Analyzes image layers, compares packages against vulnerability database, reports CVEs with severity ratings

Technical Specifications

Performance Characteristics

Image Type	Scan Time	Notes
Alpine applications	2-5 seconds	Fastest due to minimal packages
Ubuntu-based images	8-15 seconds	Depends on installed packages
Java fat JARs	30 seconds - 10+ minutes	Spring Boot >200MB causes timeouts
Full OS images	15+ seconds	Network dependency affects timing
Memory usage	<100MB	Does not overload CI runners

Language Support Matrix

Language	Package Managers	Reliability	Known Issues
Python	pip, Poetry, requirements.txt	High	Confusion with local packages missing metadata
JavaScript	npm, Yarn	High	False positives on dev dependencies
Java	Maven, Gradle, JAR analysis	Medium	Slow on fat JARs, vendor directory misses
Go	go.mod, binary analysis	High	Misses improperly documented vendor directories
Others	Rust, PHP Composer, Ruby Gems, .NET NuGet	Limited testing	Documented support, reliability varies

Input/Output Formats

Input Options:

grype alpine:latest - Docker images
grype dir:./project - Local directories
grype sbom:./app.json - SBOM files (2-second scans vs 10-second image scans)
grype docker-archive:image.tar - Tar archives
grype registry:my-registry.com/app:v1.2.3 - Registry without pulling

Output Formats:

Table (default) - Human readable
JSON - Automation/filtering with jq
SARIF - GitHub integration
Template - Custom reporting

Critical Configuration Requirements

Essential Environment Variables

# Cache directory for database (prevents re-downloads)
GRYPE_DB_CACHE_DIR=/path/to/persistent/cache

# Timeout for large applications
--timeout 10m

# Parallel processing control
GRYPE_PARALLELISM=2  # For resource-constrained CI

Ignore Configuration (.grype.yaml)

ignore:
  # Specific CVE exclusions
  - vulnerability: "CVE-2021-44228"

  # Location-based filtering
  - package:
      location: "**/test/**"  # Test dependencies

  # Severity filtering for specific paths
  - vulnerability:
      severity: "Low"
    package:
      location: "**/node_modules/**"

Critical Failure Modes and Solutions

Database Download Failures

Symptoms: "database metadata not found", build timeouts, random CI failures
Root Causes:

Corporate proxy blocking CDN endpoints
Rate limiting on database downloads
Network timeouts in CI environments

Solutions:

Pre-cache database: grype db update
Persistent cache directory configuration
Offline mode for air-gapped environments
Cron job for database pre-pulling

Platform-Specific Issues

Windows:

Path length limits (260 characters)
Cache directory permissions
Windows Defender quarantine
Explicit path configuration required: GRYPE_DB_CACHE_DIR=C:\temp\grype

Alpine Linux:

Package name mismatches with CVE databases
False positives due to Debian naming conventions
Alpine security database lag behind CVE publications
More aggressive package matching in newer versions

Java Applications:

Spring Boot JARs >200MB cause hangs
JAR parsing timeouts on corrupted files
Vendor directory scanning misses
Use SBOM scanning for faster results

CI/CD Integration Gotchas

GitHub Actions: Official action works reliably
Jenkins: Plugin unreliable, use direct binary installation
GitLab CI: Default template uses outdated Grype version
Corporate Environments: Proxy configuration essential for database access

Performance Optimization Strategies

SBOM-Based Scanning (Recommended)

# Build stage - generate once
syft my-app:latest -o json > app-sbom.json

# Security stage - scan multiple times
grype sbom:app-sbom.json  # 2 seconds vs 10+ seconds

Benefits:

5x faster scan times
Inventory tracking for compliance
Reduced network dependency

Database Caching Strategy

# GitHub Actions caching
- uses: actions/cache@v3
  with:
    path: ~/.cache/grype
    key: grype-db-${{ github.run_id }}
    restore-keys: grype-db-

Registry Scanning (No Docker Required)

# Scan without pulling images
grype registry:my-registry.com/app:v1.2.3

Security Policy Integration

Severity-Based Build Controls

# Fail on critical vulnerabilities only
grype my-app:latest --fail-on critical

# Fail on high or critical (expect build failures)
grype my-app:latest --fail-on high

Air-Gapped Environment Setup

# Connected machine
grype db update
grype db export grype-db.tar.gz

# Air-gapped system
grype db import grype-db.tar.gz
grype my-app:latest --offline

Comparative Analysis vs Alternatives

Tool	Setup Complexity	Speed	Accuracy	False Positives	Offline Support
Grype	Low (single binary)	Medium (5-15s)	High	Low	Reliable
Trivy	Low (single binary)	High (3-10s)	Medium	High	Unreliable
Clair	High (PostgreSQL required)	Low (10-30s)	Medium	Medium	Self-hosted
Docker Scout	Low (built-in)	Medium (5-12s)	Variable	Variable	None
Snyk	Medium (API setup)	Low (8-20s + API)	Highest	Lowest	Limited

Troubleshooting Decision Tree

Scan Timeout:

Check JAR size >200MB → Use SBOM scanning
Check network connectivity → Configure proxy/cache
Increase timeout to 10+ minutes

Database Errors:

Clear cache directory: rm -rf ~/.cache/grype
Check network/proxy configuration
Use offline mode if persistent

False Positives:

Alpine images → Check package name mapping
Distroless images → Update Grype version
Test dependencies → Configure ignore patterns

CI Failures:

Jenkins → Use binary installation, not plugin
GitLab → Override default container scanning template
Corporate → Configure proxy whitelist for CDN endpoints

Resource Investment Requirements

Initial Setup Time: 15-30 minutes for basic configuration
Ongoing Maintenance:

Database updates: Automatic daily
Ignore list maintenance: 1-2 hours monthly for active projects
CI integration debugging: 2-4 hours initially

Infrastructure Requirements:

Storage: 150MB for database cache
Network: Daily database downloads (~150MB)
CPU: Minimal impact, uses multiple cores efficiently
Memory: <100MB per scan

Expertise Requirements:

Basic: CLI usage and YAML configuration
Intermediate: CI/CD integration and ignore patterns
Advanced: Air-gapped deployments and custom filtering

This tool provides reliable vulnerability detection with minimal operational overhead when properly configured. Primary value is in early detection before production deployment rather than runtime protection.

Useful Links for Further Investigation

Useful Links and Resources

Link	Description
Grype GitHub Repository	Main repo with releases, docs, and issue tracking. Check for latest release (they update pretty regularly). Stars: 10.7k+
Quick Install Script	One-liner install to /usr/local/bin
Anchore Open Source Tools	Official landing page for Grype and Syft with getting started guides.
Main README	Everything you need to know about using Grype. Read this first.
Chainguard Tutorial	Practical tutorial with real examples. Good for beginners.
GitHub Actions	Official action for GitHub workflows. Most popular integration.
Jenkins Plugin	For Jenkins users. Works but requires more setup than GitHub Actions.
Anchore Azure DevOps Task	Azure DevOps pipeline task for container scanning.
GitHub Issues	Bug reports and feature requests. Check here first for known issues.
Community Discourse	Forums for questions and discussion. Active community.
Community Meetings	Weekly live meetings. Open to everyone.
Syft	SBOM generator that pairs with Grype. Use together for faster scans.
Anchore Enterprise	Commercial version with enterprise features. $$$
Container Security Guide	Best practices for container security workflows.
SBOM + Grype Guide	How to use Syft and Grype together effectively.

Related Tools & Recommendations

tool

Similar content

Docker Scout - Find Vulnerabilities Before They Kill Your Production

Docker's built-in security scanner that actually works with stuff you already use

Docker Scout

/tool/docker-scout/overview

100%

troubleshoot

Similar content

Trivy Scanning Failures - Common Problems and Solutions

Fix timeout errors, memory crashes, and database download failures that break your security scans

Trivy

/troubleshoot/trivy-scanning-failures-fix/common-scanning-failures

93%

tool

Similar content

Clair - Container Vulnerability Scanner That Actually Works

Scan your Docker images for known CVEs before they bite you in production. Built by CoreOS engineers who got tired of security teams breathing down their necks.

Grype Vulnerability Scanner - AI-Optimized Technical Reference

Core Functionality

Technical Specifications

Performance Characteristics

Language Support Matrix

Input/Output Formats

Critical Configuration Requirements

Essential Environment Variables

Ignore Configuration (.grype.yaml)

Critical Failure Modes and Solutions

Database Download Failures

Platform-Specific Issues

CI/CD Integration Gotchas

Performance Optimization Strategies

SBOM-Based Scanning (Recommended)

Database Caching Strategy

Registry Scanning (No Docker Required)

Security Policy Integration

Severity-Based Build Controls

Air-Gapped Environment Setup

Comparative Analysis vs Alternatives

Troubleshooting Decision Tree

Resource Investment Requirements

Useful Links for Further Investigation

Useful Links and Resources

Related Tools & Recommendations

Docker Scout - Find Vulnerabilities Before They Kill Your Production

Trivy Scanning Failures - Common Problems and Solutions

Clair - Container Vulnerability Scanner That Actually Works

Which Container Scanner Doesn't Suck?

Stop Fighting Your CI/CD Tools - Make Them Work Together

Deploy Django with Docker Compose - Complete Production Guide

Container Security Tools: Which Ones Don't Suck?

GitHub Actions is Fucking Slow: Alternatives That Actually Work

GitHub Actions Security Hardening - Prevent Supply Chain Attacks

GitHub Actions Cost Optimization - When Your CI Bill Is Higher Than Your Rent

Docker Daemon Won't Start on Windows 11? Here's the Fix

Docker 프로덕션 배포할 때 털리지 않는 법

When Admission Controllers Shit the Bed and Block Your Deployments

Anchore Engine Migration Guide - Moving to Syft & Grype

Clair Production Monitoring - Keep Your Scanner Running (Or Watch Everything Break)

Twistlock vs Aqua Security vs Snyk Container - Which One Won't Bankrupt You?

Snyk Container - Because Finding CVEs After Deployment Sucks

Fix Snyk Authentication Nightmares That Kill Your Deployments

Jenkins + Docker + Kubernetes: How to Deploy Without Breaking Production (Usually)

GitHub Actions + Jenkins Security Integration