
Grype

Vulnerability matcher tuned for SBOM-driven workflows.

Grype from Anchore complements Trivy: it shines when you already have an SBOM. HarborGuard pipes Syft output straight into Grype, then cross-references the findings with Trivy's results. Grype catches a slightly different long tail of language ecosystems and, when configured for it, tends to produce low-noise reachability results.

What it scans

  • SBOMs in CycloneDX, SPDX, or Syft-native format
  • OS packages across major distributions
  • Language deps with stricter version constraints than Trivy

When to use it

  • Anywhere you already produce SBOMs — Grype matches them in seconds.
  • When you want a second opinion alongside Trivy.
  • Air-gapped environments — DB can be mirrored and pinned.

How HarborGuard runs Grype

  01  Always paired with Syft output for SBOM-first scanning.
  02  Custom match rules surface in the policy pack as overrides.
  03  Per-engine attribution preserved on every deduplicated finding.
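The pairing and the per-engine attribution described in the steps above, as an added example that is not HarborGuard's own code: a small Python merge of one Grype report and one Trivy report that deduplicates findings without losing which engine reported them. The sample reports are constructed here and follow the field names of each tool's JSON output as the author of this example knows them; the dedup key (vulnerability id, package, version) is an assumption about how HarborGuard matches findings, not something the page states.

```python
import json

# Constructed sample report in the shape of Grype's JSON output (assumption, not real scan data).
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "High"},
     "artifact": {"name": "openssl", "version": "3.0.2", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "Medium"},
     "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
]})

# Constructed sample report in the shape of Trivy's JSON output (assumption, not real scan data).
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "ubuntu 22.04", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl",
         "InstalledVersion": "3.0.2", "Severity": "HIGH"}]},
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0003", "PkgName": "minimist",
         "InstalledVersion": "1.2.5", "Severity": "CRITICAL"}]},
]})


def grype_findings(doc):
    """Normalise Grype matches to (vuln_id, package, version, severity, engine)."""
    for m in json.loads(doc)["matches"]:
        yield (m["vulnerability"]["id"], m["artifact"]["name"],
               m["artifact"]["version"], m["vulnerability"]["severity"].upper(), "grype")


def trivy_findings(doc):
    """Normalise Trivy results; a clean target may carry null instead of an empty list."""
    for r in json.loads(doc)["Results"]:
        for v in r.get("Vulnerabilities") or []:
            yield (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                   v["Severity"].upper(), "trivy")


def merge_reports(grype_doc, trivy_doc):
    """Deduplicate on (vuln, package, version) but keep every engine's attribution."""
    merged = {}
    for vuln_id, pkg, ver, sev, engine in (*grype_findings(grype_doc), *trivy_findings(trivy_doc)):
        entry = merged.setdefault((vuln_id, pkg, ver),
                                  {"id": vuln_id, "package": pkg, "version": ver, "severity": {}})
        entry["severity"][engine] = sev  # per-engine severity survives the dedup
    return sorted(merged.values(), key=lambda e: e["id"])


if __name__ == "__main__":
    for e in merge_reports(GRYPE_JSON, TRIVY_JSON):
        print(e["id"], e["package"], e["version"], ",".join(sorted(e["severity"])))
```

A finding reported by only one engine keeps a single key in its `severity` map, which is the signal a reviewer uses to decide whether the second engine missed it or the first one produced noise.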

Output formats

JSON, Table, CycloneDX, SARIF, Embedded