Grype
Status
Version: 1.0.0 | Tests: Passing
Reference the feature from your devcontainer.json:

```json
{
  "features": {
    "ghcr.io/infrashift/trusted-devcontainer-features/grype:latest": {
      "target_version": "0.108.0"
    }
  }
}
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| target_version | string | 0.108.0 | Grype release version to install (must be one of the supported versions) |
| target_checksum | string | "" | SHA256 checksum to verify the downloaded Grype tarball against; when empty, the release's official checksums file is used instead |
Dependencies
None. This feature is independent and has no dependencies on other features in the collection.
How It Works
Grype is a vulnerability scanner from Anchore that analyzes container images, filesystems, and Software Bills of Materials (SBOMs) for known vulnerabilities. This feature downloads the Grype binary from Anchore's official GitHub releases and installs it into your devcontainer.
The Ansible playbook downloads the linux-amd64 tarball for the specified Grype version. If a SHA256 checksum is provided via the target_checksum option, the download is verified against that value. If no checksum is provided, the playbook fetches the official checksums file from the same release and verifies the download against the entry for that tarball. Pinning target_checksum is the stronger choice: a checksums file fetched from the same release only guards against a corrupted or truncated download, not against a release whose tarball and checksums file were replaced together, whereas a checksum recorded in your devcontainer.json is compared against a value you control. After verification, the binary is extracted to ~/.local/bin, where it is available on PATH.
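The two verification paths described above, as an added shell example that is not the feature's own Ansible playbook: a pinned checksum wins when target_checksum is set, otherwise the matching entry in the release checksums file is used, and a tarball with no entry in that file is refused rather than trusted. The "tarball" and checksums file are constructed inline so the example runs offline; it assumes GNU sha256sum and the "<hex>  <filename>" layout that the Grype release checksums file uses.

```bash
#!/bin/sh
# Added example of the checksum verification logic, not the playbook's own code.
# Assumes coreutils sha256sum and a checksums file laid out as "<hex>  <filename>".

# verify_pinned FILE EXPECTED_HEX: succeed only if FILE's SHA256 equals EXPECTED_HEX
verify_pinned() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected" ]
}

# verify_from_list FILE CHECKSUMS_FILE: look up FILE's basename in the checksums file.
# Returns 2 when the file has no entry at all, so an unlisted artifact is never accepted.
verify_from_list() {
  name=$(basename "$1")
  listed=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
  [ -n "$listed" ] || return 2
  verify_pinned "$1" "$listed"
}

# verify_download FILE PINNED_HEX CHECKSUMS_FILE: mirrors the option semantics above.
# A non-empty PINNED_HEX (target_checksum) takes precedence over the checksums file.
verify_download() {
  if [ -n "$2" ]; then
    verify_pinned "$1" "$2"
  else
    verify_from_list "$1" "$3"
  fi
}

# Constructed sample release: a stand-in tarball plus a checksums file in release layout.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
tarball="$tmp/grype_0.108.0_linux_amd64.tar.gz"
sums="$tmp/grype_0.108.0_checksums.txt"
printf 'constructed stand-in for the release tarball\n' > "$tarball"
good=$(sha256sum "$tarball" | cut -d' ' -f1)
printf '%s  grype_0.108.0_linux_amd64.tar.gz\n' "$good" > "$sums"

# A file that was swapped after the checksums were published must fail.
tampered="$tmp/tampered.tar.gz"
printf 'constructed stand-in for the release tarball\n' > "$tampered"
printf 'extra byte' >> "$tampered"

verify_download "$tarball" "" "$sums" && echo "checksums-file path: OK"
verify_download "$tarball" "$good" "$sums" && echo "pinned path: OK"
verify_pinned "$tampered" "$good" || echo "tampered file: rejected"
```

Pinning is only as good as the value you pin: record the checksum from a release you have inspected, not one copied from an untrusted mirror.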
The playbook confirms the installation by running grype version to check that the binary is functional. Grype has no dependencies on other features in this collection and can be installed standalone. Once installed, you can scan your project with commands like grype dir:. to check for vulnerabilities in your application dependencies, or grype <image> to scan a container image. Pair Grype with the Syft feature for a complete workflow: generate an SBOM with Syft, then scan that SBOM with grype sbom:<file>, which lets you version the SBOM alongside the code and rescan it against a fresh vulnerability database without re-inspecting the image or directory.