Want to influence the direction of Grype? 🚀 Tell us how you use it and what improvements you'd like to see! Your feedback matters! Survey here: https://forms.gle/hvgpNeZadLfFhCf69
#Grype #Security #OpenSource
New release: Grype v0.91.1 is out! 🐛 Packed with important bug fixes for improved vulnerability scanning accuracy and stability.
Check the changelog and upgrade!
#grype #security #devsecops
https://github.com/anchore/grype/releases/tag/v0.91.1
Deep dive into supply chain security with the latest Open Source Security podcast! Josh Bressers and Alan Pope unpack the power of Syft and Grype, and other tools focusing on Software Bills of Materials (SBOMs) and vulnerability scanning. They explore not just the what, but also the why behind some key open source projects in this space. Learn how these tools are evolving to give you deeper insights into your s... #OSS #Security #SBOM #VulnerabilityManagement #Syft #Grype https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/
📻 I enjoyed the #OpenSourceSecurityPodcast this week with
👤 https://infosec.exchange/@joshbressers and
👤 @popey
of
🏢 @anchore
I used #Syft/ #Grype on a few OCI containers recently and was horrified to discover one had some nasty issues lurking within.
Great tools which I intend to use any time I handle OCI containers. Looking forward to trying Grant soon.
Thank you
🔗 https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/
🔗 https://anchore.com/opensource/
Grype's in good company! Thrilled to see us listed among the top pen testing tools by TechTarget. Check it out! https://www.techtarget.com/searchsecurity/tip/11-open-source-automated-penetration-testing-tools
#opensource #security #grype
Huh...so I created a Singularity container with the security scanning tool Grype installed, and baked in @popey's awesome project `grype2html` to generate HTML reports if I pass `--popey` as a flag when running the container...and I just scanned said container...with itself.
Getting some "Spiderman pointing" vibes as well as a layer of "on the shoulders of giants" vibes with my research tonight...not even sure what path I was on originally that got me here! 🤣
One more saved-my-bacon tip: If you're prone to having a ton of images cached locally, you may need to scan the latest build of that tag. It can always pull the latest image, similar to setting ImagePullPolicy: Always in Kubernetes.
# ~/.grype.yaml
default-image-pull-source: registry
A nifty tidbit if you travel a lot. Grype has a config file. Before you leave the house, run grype db update to pull down the latest vulnerability data, then disable the auto-update features in the config file:
# ~/.grype.yaml
# sometimes the hotel wifi is awful and yesterday's data is good enough
check-for-app-update: false
db:
  auto-update: false
I revert it by having the exact opposite values commented out to swap back and forth easily, then doing a quick edit. Docs here - https://github.com/anchore/grype#configuration
Notice a smoother Grype database experience lately? We switched to Cloudflare R2 to improve reliability after spotting some traffic hiccups. Sometimes, the fix is in the file size—and we found ours. 🧑💻 #DevOps #CDN #Grype
https://anchore.com/blog/we-migrated-from-s3-to-r2-thankfully-nobody-noticed/
Ever wanted #grype to just output a summary? Here's a #shell function to do just that.
Output looks like this:
ᐅ grype-summary nginx:1
2 "Critical"
14 "High"
4 "Low"
34 "Medium"
72 "Negligible"
20 "Unknown"
Tested in #zsh and #bash ... just add 👇 to your .bashrc or .zshrc file
# Grype summation
function grype-summary () {
  if [ "${1}" = "-h" ]; then
    echo "Usage: grype-summary [path]"
    echo "Summarize vulnerabilities found by Grype."
    return
  fi
  if [ "${1}" = "" ]; then
    echo "Path or image name required." >&2
    return 1
  fi
  # Quote the target (paths may contain spaces) and stream the JSON report
  # straight into jq, so no grype.json is left behind in the current directory.
  grype "${1}" -o json -q | jq '.matches[].vulnerability.severity' | sort | uniq -c
}
More little #shellscript goodies in my little scripting spell-book -> https://some-natalie.dev/grimoire/
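The same severity summary as the shell function above, reimplemented in Python as an added example (not code from the post's author) so it runs without grype or jq installed. It reads the field the post's jq filter uses, .matches[].vulnerability.severity, from a constructed sample report, counts matches that carry no severity as "Unknown", returns an empty summary for a report with no matches, and adds a threshold check you could use to fail a CI job (a simplified stand-in for Grype's own --fail-on option). The report contents, the EXAMPLE-000N ids and the function names are assumptions of this example.

```python
"""Summarize a Grype JSON report by severity, with an optional fail-on gate.

Added example for the feed post above; not the post author's code. It uses
the same JSON path as the post's jq filter: .matches[].vulnerability.severity
"""
import json
import sys
from collections import Counter

# Grype's severity labels, lowest to highest. "Unknown" means no rating was
# available from the data source, so it is ranked below everything else.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report (placeholder ids): a trimmed stand-in for the
# output of `grype <image-or-path> -o json -q`.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Critical"}},
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "High"}},
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "High"}},
        {"vulnerability": {"id": "EXAMPLE-0004", "severity": "Medium"}},
        {"vulnerability": {"id": "EXAMPLE-0005", "severity": "Negligible"}},
        {"vulnerability": {"id": "EXAMPLE-0006"}},  # no severity: counted as Unknown
    ]
})


def summarize(report_json: str) -> dict:
    """Return {severity: count} for every severity present in the report.

    A match with no severity is counted as "Unknown". A report with no
    matches yields an empty dict rather than an error.
    """
    report = json.loads(report_json)
    counts = Counter()
    for match in report.get("matches", []):
        severity = match.get("vulnerability", {}).get("severity") or "Unknown"
        counts[severity] += 1
    return dict(counts)


def exceeds(counts: dict, threshold: str) -> bool:
    """True if any finding is rated at or above `threshold`.

    Mirrors the idea of Grype's --fail-on flag: "High" fails on High and
    Critical findings, while Unknown never trips a gate on its own.
    """
    floor = SEVERITY_ORDER.index(threshold)
    return any(
        n > 0 and SEVERITY_ORDER.index(sev) >= floor
        for sev, n in counts.items()
        if sev in SEVERITY_ORDER
    )


def format_summary(counts: dict) -> str:
    """Render counts in the `sort | uniq -c` style the post's output shows."""
    return "\n".join(f'{counts[sev]:7d} "{sev}"' for sev in sorted(counts))


def main(argv: list) -> int:
    # Usage: grype <image-or-path> -o json -q | python3 grype_summary.py [fail-on]
    # With no piped input the constructed sample report is summarized instead.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    counts = summarize(text)
    print(format_summary(counts) or "no matches")
    threshold = argv[1] if len(argv) > 1 else None
    return 1 if threshold and exceeds(counts, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe a real report in (`grype nginx:1 -o json -q | python3 grype_summary.py High`) and the exit status becomes non-zero as soon as a High or Critical finding is present, which is the behaviour a CI step needs; the shell function on the page only prints.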
Next up from 5 p.m. are the live talks "#Grype und #Syft im Unternehmenseinsatz" and "#ReverseEngineering für Forward Engineers".
💊Every treatment starts with accepting the diagnosis! Embrace the truth☝️
"You can be the next victim of the Software Supply Chain Attacks" UNLESS...
✍️Sign your software (#cosign)
🔔Do vulnerability scanning (#trivy #grype)
🚨 Protection at runtime (#kyverno #policycontroller)
If you ever wonder how #Trivy and #Grype compare, #GitLab did a pretty nice point-in-time comparison: https://gitlab.com/gitlab-org/gitlab/-/issues/327174
Let's see if these supply-chain companies are willing to compromise on their product to do right by the volunteers that maintain them.
https://github.com/anchore/grype/pull/1152
I sorta knew implementing the parser for them was going to be a mistake on my end...