This is the multi-page printable view of this section. Click here to print.
About
1 - Events
Open Source Live Streams
Almost every Thursday the OSS team holds a “Gardening” live stream on the Anchore YouTube channel. Each week, we announce what time the live stream is happening in the Announcements on Discourse.
The streams are recorded and archived in our Live stream playlist.
Community Meetings
We hold open meetings with the community, on alternate Thursdays. These are on Zoom, and are not recorded or streamed. There is an optional agenda which can be filled in. Everyone is welcome. A webcam is not required.
Anchore Events
Anchore has a separate Events page, for announcing industry & corporate events, and webinars.
2 - Adopters
Our tools are used by organisations and developer teams of all sizes. Below is a small sample of users of our tools, in public GitHub repositories.
Docker
SAP
Grafana
OpenTelemetry
Wolfi
Kubescape
More organisations below are all adopters of our tools, in public GitHub repositories.
Syft
| Repository | Stars |
|---|---|
 derailed / k9s | 31025 |
 kubescape / kubescape | 10979 |
 anchore / grype | 10629 |
 deepfence / ThreatMapper | 5142 |
 zarf-dev / zarf | 1651 |
 vdaas / vald | 1636 |
 helm / chart-testing | 1561 |
 lunasec-io / lunasec | 1456 |
 openclarity / openclarity | 1427 |
 guacsec / guac | 1406 |
 SAP / jenkins-library | 800 |
| helm / chart-releaser | 760 |
 safedep / vet | 729 |
 in-toto / witness | 494 |
 xeol-io / xeol | 409 |
 project-stacker / stacker | 289 |
 slsa-framework / slsa-verifier | 282 |
 ckotzbauer / sbom-operator | 206 |
 gitpod-io / leeway | 169 |
 go-sigma / sigma | 167 |
 docker / sbom-cli-plugin | 156 |
 vulncheck-oss / cli | 139 |
 agntcy / dir | 108 |
| anchore / grant | 104 |
| ckotzbauer / vulnerability-operator | 85 |
 wolfi-dev / wolfictl | 67 |
| agntcy / workflow-srv-mgr | 60 |
 Checkmarx / ast-cli | 57 |
 bottlerocket-os / bottlerocket-sdk | 56 |
 sammcj / mcp-devtools | 55 |
| anchore / grype-db | 54 |
Grype
| Repository | Stars |
|---|---|
| derailed / k9s | 31025 |
| kubescape / kubescape | 10979 |
| deepfence / ThreatMapper | 5142 |
| zarf-dev / zarf | 1651 |
| vdaas / vald | 1636 |
| lunasec-io / lunasec | 1456 |
| openclarity / openclarity | 1427 |
| xeol-io / xeol | 409 |
| slsa-framework / slsa-verifier | 282 |
| gitpod-io / leeway | 169 |
| ckotzbauer / vulnerability-operator | 85 |
| wolfi-dev / wolfictl | 67 |
| sammcj / mcp-devtools | 55 |
| anchore / grype-db | 54 |
SBOM Action
Scan Action
Generated using github-dependents-info, by Nicolas Vuillamy"
3 - Discussion
Official platforms
Below are platforms maintained and monitored by Anchore OSS Team staff.
Discourse
We have an official community Discourse for discussion of the Anchore OSS tools.
Video
We post OSS and Anchore Enterprise related content on our YouTube channel.
Social
Find and engage with us on various social media platforms.
| Mastodon | BlueSky | X | |
|---|---|---|---|
| Syft | @syft@fosstodon.org | @syftproject.bsky.social | @syftproject |
| Grype | @grype@fosstodon.org | @grypeproject.bsky.social | @grypeproject |
| Anchore | @anchore@mstdn.business | @anchore.com | @anchore |
4 - Glossary
A
Artifact
In Syft’s JSON output format, “artifacts” refers to the array of software packages discovered during scanning. Each artifact represents a single package (library, application, OS package, etc.) with its metadata, version, licenses, locations, and identifiers like CPE and PURL. This is distinct from general software artifacts like binaries or container images.
Related documentation: Working with Syft JSON
Attestation
A cryptographically signed statement about a software artifact that provides verifiable claims about its properties, such as provenance, build process, or security scan results. Attestations establish trust in the software supply chain by allowing you to verify that an SBOM truly represents a specific artifact or that vulnerability scan results are authentic.
Why it matters: Attestations enable you to verify the authenticity and integrity of SBOMs generated by Syft and vulnerability reports from Grype, ensuring they haven’t been tampered with.
C
Cataloger
A cataloger is a component within Syft that specializes in discovering and extracting package information from specific ecosystems or file formats.
Each cataloger knows how to find and parse packages for a particular type (e.g., apk-cataloger for Alpine packages, npm-cataloger for Node.js packages).
When Syft scans a target, it runs multiple catalogers to comprehensively discover all software components.
Why it matters: The foundBy field in Syft’s JSON output tells you which cataloger discovered each package, which can help debug why certain packages appear in your SBOM or troubleshoot scanning issues.
Related documentation: Working with Syft JSON
Container image
A lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, runtime, system tools, libraries, and settings. Container images are built from layers and typically run using container runtimes like Docker or containerd. See also OCI.
Why it matters: Both Syft and Grype can scan container images directly without requiring them to be running. Syft generates SBOMs from container images, and Grype scans them for vulnerabilities.
Related documentation: SBOM Generation, Vulnerability Scanning
CPE
Common Platform Enumeration (CPE) is a standardized method for describing and identifying software applications, operating systems, and hardware devices. CPEs are used in vulnerability databases to match software components with known vulnerabilities.
Formats:
- URI binding:
cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language} - Formatted string:
cpe:2.3:{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}:{sw_edition}:{target_sw}:{target_hw}:{other} - Well-Formed Name (WFN):
cpe:2.3:wfn:[attributes]
Examples:
cpe:/a:mozilla:firefox:68.0::~~~en-us~~cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*wfn:[part="a", vendor="microsoft", product="internet_explorer",version="8\.0\.6001", update="beta", edition=ANY, language=ANY]
Why it matters: Syft generates CPEs for discovered packages (from the NVD dictionary or synthetic generation), which Grype then uses to match packages against vulnerability data. Understanding CPEs helps you troubleshoot why certain vulnerabilities are or aren’t being detected relative to vulnerabilities from NVD.
External resources:
Related documentation: Working with Syft JSON
CVE
Common Vulnerabilities and Exposures (CVE) is a standardized identifier for publicly known security vulnerabilities. Each CVE ID uniquely identifies a specific vulnerability and provides a common reference point for discussing and tracking security issues.
Format example: CVE-2024-12345
Why it matters: Grype reports vulnerabilities by their CVE IDs, making it easy to research specific issues, understand their impact, and find remediation guidance. Each match in a Grype scan references one or more CVE IDs.
External resources:
Related documentation: Vulnerability Scanning
CVSS
Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS (base) scores range from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.
Severity ranges:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
There are more dimensions to CVSS, including Temporal and Environmental scores, but the Base score is the most commonly used as a way to quickly assess severity.
Why it matters: Grype uses CVSS scores to categorize vulnerability severity, helping you prioritize which issues to fix first. You can filter Grype results by severity level to focus on the most critical vulnerabilities.
External resources:
Related documentation: Vulnerability Scanning
CycloneDX
CycloneDX is an open-source standard for creating Software Bill of Materials (SBOMs), supporting JSON and XML representations.
Why it matters: Syft can generate SBOMs in CycloneDX format (-o cyclonedx-json or -o cyclonedx-xml), which is widely supported by security tools and compliance platforms.
Grype can also scan CycloneDX SBOMs for vulnerabilities.
External resources:
Related documentation: SBOM Generation
D
Dependency
A software component that another piece of software relies on to function. Dependencies can be direct (explicitly required by your code) or transitive (required by your dependencies). Understanding and tracking dependencies is crucial for security and license compliance.
Why it matters: Syft catalogs both direct and transitive dependencies in your software, creating a complete inventory. Grype then scans all dependencies for vulnerabilities, not just your direct dependencies—important because transitive dependencies often contain hidden security risks.
Distro
Short for “distribution”, referring to a specific Linux distribution like Alpine, Ubuntu, Debian, or Red Hat. The distro information includes the distribution name and version (e.g., “alpine 3.18”).
Why it matters: Grype uses distro information to match OS packages against the correct vulnerability database.
Syft automatically detects the distro from files like /etc/os-release and includes it in the SBOM, ensuring accurate vulnerability matching.
Related documentation: Working with Syft JSON
Docker
Docker is a platform for developing, shipping, and running applications in containers. While Docker is a specific implementation, the term is often used colloquially to refer to container technology in general. See Container image and OCI.
Why it matters: Syft and Grype can pull and scan images directly from Docker registries or analyze images in your local Docker daemon without needing Docker to be installed.
External resources:
E
Ecosystem
In software, an ecosystem refers to a package management system and its associated community, tools, and conventions. Examples include npm (JavaScript), PyPI (Python), Maven Central (Java), and RubyGems (Ruby). Different ecosystems have different package formats, naming conventions, and vulnerability data sources.
Why it matters: Syft supports dozens of package ecosystems, and each uses a different cataloger. The ecosystem determines how packages are identified (PURL type), which metadata is captured, and which vulnerability data sources Grype uses for matching.
Related documentation: SBOM Generation
EPSS
Exploit Prediction Scoring System (EPSS) is a data-driven framework that estimates the probability that a software vulnerability will be exploited in the wild within the next 30 days.
EPSS provides two complementary metrics:
- Score: A probability value from 0.0 to 1.0 (0% to 100%) indicating the likelihood of exploitation. For example, a score of 0.00034 means a 0.034% probability of exploitation.
- Percentile: A ranking showing what percentage of all CVEs have a lower EPSS score. For example, a percentile of 0.09274 means this CVE scores higher than 9.274% of all tracked vulnerabilities.
Unlike CVSS which measures theoretical severity, EPSS predicts actual exploitation probability by analyzing factors like available exploits, social media activity, and observed attacks (among other signals).
Why it matters: EPSS helps you prioritize vulnerabilities more effectively than severity alone. A critical CVSS vulnerability with a low EPSS score might be less urgent than a medium severity issue with a high EPSS score. Grype can display EPSS scores alongside CVSS to help you focus remediation efforts on vulnerabilities that are both severe and likely to be exploited.
External resources:
Related documentation: Vulnerability Scanning
F
False positive
In the context of scanning for vulnerabilities, a false positive is a vulnerability-package match reported by a scanner that doesn’t actually affect the software package in question. False positives can occur due to incorrect CPE matching, version misidentification, or when a vulnerability applies to one variant of a package but not another.
Why it matters: When Grype reports a false positive, you can use VEX documents or Grype’s ignore rules to suppress it, preventing alert fatigue and focusing on real security issues. If you believe a match is incorrect, you can report it on GitHub to help improve Grype for everyone.
False negative
In the context of scanning for vulnerabilities, a false negative occurs when a scanner fails to detect a vulnerability that actually affects a software package. False negatives can happen when vulnerability data is incomplete, when a package uses non-standard naming or versioning, when CPE or PURL identifiers don’t match correctly, or when the vulnerability database hasn’t been updated yet.
Why it matters: False negatives are more dangerous than false positives because they create a false sense of security. To minimize false negatives, keep Grype’s vulnerability database updated regularly and understand that no scanner catches 100% of vulnerabilities—defense in depth and multiple security controls are essential.
K
KEV
Known Exploited Vulnerability (KEV) is a designation for vulnerabilities that have been confirmed as actively exploited in real-world attacks. CISA (Cybersecurity and Infrastructure Security Agency) maintains the authoritative KEV catalog, which lists CVEs with evidence of active exploitation and provides binding operational directives for federal agencies.
The CISA KEV catalog includes:
- CVE identifiers for exploited vulnerabilities
- The product and vendor affected
- A brief description of the vulnerability
- Required remediation actions
- Due dates for federal agencies to patch
Vulnerabilities are added to the KEV catalog based on reliable evidence of active exploitation, such as public reporting, threat intelligence, or incident response data.
Why it matters: KEV status is a strong signal for prioritization—these vulnerabilities are being actively exploited right now. When Grype identifies a vulnerability that’s on the CISA KEV list, you should treat it as urgent regardless of CVSS score. A medium-severity KEV vulnerability poses more immediate risk than a critical-severity vulnerability that’s never been exploited. Some organizations make KEV remediation mandatory within tight timeframes (e.g., 15 days for critical KEVs).
External resources:
Related documentation: Vulnerability Scanning
L
Layer
Container images are built as a series of filesystem layers, where each layer represents changes from a Dockerfile instruction. Layers are stacked together to create the final filesystem.
Why it matters: By default, Syft scans only the “squashed” view of an image (what you’d see if the container were running).
Use --scope all-layers to scan all layers, which can reveal packages that were installed then deleted, potentially exposing vulnerabilities in build-time dependencies.
Related documentation: SBOM Generation
License
A legal instrument governing the use and distribution of software. Software licenses range from permissive (MIT, Apache) to copyleft (GPL) to proprietary.
Why it matters: Syft extracts license information from packages and includes it in SBOMs, helping you ensure compliance with open source licenses and identify packages with incompatible or restricted licenses.
Related documentation: License Compliance
M
Match
A match is a vulnerability finding in Grype’s output, representing a single package-vulnerability pair. Each match indicates that a specific package version is affected by a particular CVE.
Related documentation: Vulnerability Scanning
Matcher
A matcher is a component within Grype that compares package information against vulnerability data using specific matching strategies. Different matchers handle different package types or ecosystems (e.g., distro matcher for OS packages, language matcher for application dependencies).
Why it matters: Grype uses multiple matchers to ensure comprehensive vulnerability coverage. The matcher used for each finding is included in detailed output, helping you understand how the match was made.
N
NVD
National Vulnerability Database (NVD) is the U.S. government repository known software vulnerabilities. It provides comprehensive vulnerability information including CVE IDs, CVSS scores, and affected software configurations. The NVD is maintained by NIST.
Why it matters: The NVD is one of the primary vulnerability data sources used by Grype. Syft also uses the NVD’s CPE dictionary to generate CPEs for packages, enabling accurate vulnerability matching.
External resources:
Related documentation: Vulnerability Scanning
O
OCI
Open Container Initiative (OCI) is an open governance structure for creating industry standards around container formats and runtimes. The OCI Image Specification defines the standard format for container images, ensuring interoperability across different container tools and platforms.
Why it matters: Syft and Grype work with OCI-compliant images from any registry (Docker Hub, GitHub Container Registry, Amazon ECR, etc.), not just Docker images. They can read images in OCI layout format directly from disk.
External resources:
P
Package
A bundle of software that can be installed and managed by a package manager. Packages typically include the software itself, metadata (like version and dependencies), and installation instructions. Packages are the fundamental units tracked in an SBOM.
Why it matters: Every entry in a Syft-generated SBOM represents a package. Grype matches packages against vulnerability data to find security issues. Understanding what constitutes a “package” in different ecosystems helps you interpret SBOM contents.
Package manager
A tool that automates the process of installing, upgrading, configuring, and removing software packages. Examples include npm, pip, apt, yum, and Maven. Package managers maintain repositories of available packages and handle dependency resolution.
Why it matters: Syft discovers packages by reading package manager metadata files (like package.json, requirements.txt, or /var/lib/dpkg/status).
Each package manager stores information differently, which is why Syft needs ecosystem-specific catalogers.
Provenance
Information about the origin and build process of a software artifact, including who built it, when, from what source code, and using what tools. Build provenance helps verify that software was built as expected and hasn’t been tampered with.
Why it matters: SBOMs generated by Syft during builds can be combined with provenance information to create comprehensive supply chain attestations, enabling you to verify both what’s in your software and how it was built.
External resources:
PURL
Package URL (PURL) is a standardized way to identify and locate software packages across different package managers and ecosystems. PURLs provide a uniform identifier that works across different systems.
Format: pkg:type/namespace/name@version?qualifiers#subpath
Example: pkg:npm/lodash@4.17.21
Why it matters: Syft generates PURLs for all discovered packages, and Grype uses PURLs as one of the primary identifiers for vulnerability matching. PURLs provide a consistent way to refer to packages across different SBOM formats.
External resources:
Related documentation: Working with Syft JSON
R
Relationship
In Syft’s JSON output, relationships describe connections between artifacts (packages), files, and sources (what was scanned). For example, a relationship might indicate that a file is “contained-by” a package, or that one package “depends-on” another.
Why it matters: Relationships provide the graph structure of your software, showing not just what packages exist but how they’re connected. This is essential for understanding dependency chains and reachability analysis.
Related documentation: Working with Syft JSON
S
SBOM
Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and modules that make up a piece of software. Like a list of ingredients on food packaging, an SBOM provides transparency into what’s included in your software, enabling security analysis, license compliance, and supply chain risk management.
Why it matters: Syft generates SBOMs that you can use with Grype for vulnerability scanning, share with customers for transparency, or use for license compliance. SBOMs are becoming required by regulations and standards like Executive Order 14028.
External resources:
Related documentation: SBOM Generation
Severity
A classification of how serious a vulnerability is, typically based on CVSS scores. Common severity levels are Critical, High, Medium, Low, and Negligible (or None).
Why it matters: Grype reports vulnerability severity to help you prioritize remediation efforts. You can filter Grype output by severity (e.g., --fail-on high to fail CI builds for high or critical vulnerabilities).
Related documentation: Vulnerability Scanning
Software supply chain
The software supply chain encompasses all the components, processes, and steps involved in creating, building, and delivering software. This includes source code, dependencies, build tools, CI/CD pipelines, and distribution mechanisms. Securing the software supply chain helps prevent attacks that target the development and delivery process.
Why it matters: Syft and Grype are key tools in supply chain security. Syft provides visibility into what’s in your software (SBOM), and Grype identifies known vulnerabilities, helping you secure each link in the chain.
Source
In Syft’s JSON output, the “source” object describes what was scanned—whether it was a container image, directory, file archive, or other input. It includes details like image name, digest, and tags.
Why it matters: The source information helps you correlate SBOMs with specific artifacts, especially important when tracking multiple image versions or builds.
Related documentation: Working with Syft JSON
SPDX
Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. SPDX is an ISO/IEC standard (ISO/IEC 5962:2021) and supports multiple formats including JSON, YAML, XML, and tag-value.
Why it matters: Syft can generate SBOMs in SPDX format (-o spdx-json or -o spdx-tag-value), which is widely supported by compliance tools and required by many organizations and regulations.
Grype can also scan SPDX SBOMs for vulnerabilities.
External resources:
Related documentation: SBOM Generation
Squash
The “squashed” view of a container image represents the final filesystem that would be visible if you ran the container. It’s the result of applying all image layers in sequence, where later layers can override or delete files from earlier layers.
Why it matters: Syft scans the squashed view by default (what you actually run), but you can use --scope all-layers to also see packages that existed in intermediate layers but were deleted before the final image.
Related documentation: SBOM Generation
V
VEX
Vulnerability Exploitability eXchange (VEX) is a series of formats for communicating information about the exploitability status of vulnerabilities in software products. VEX documents allow software vendors to provide context about whether identified vulnerabilities actually affect their product, helping users prioritize remediation efforts.
Why it matters: Grype can consume VEX documents to suppress false positives or provide additional context about vulnerabilities. When Grype reports a vulnerability that doesn’t actually affect your application, you can create a VEX document explaining why it’s not exploitable.
External resources:
Related documentation: Vulnerability Scanning
Vulnerability
A security weakness, flaw, or defect in software that can be exploited by an attacker to perform unauthorized actions, compromise systems, steal data, or cause harm. Vulnerabilities can arise from coding errors, design flaws, misconfigurations, or outdated dependencies with known security issues.
Not all vulnerabilities affect all users of a package. Whether a vulnerability impacts you depends on:
- The specific version you’re using
- Which features or code paths you actually invoke
- Your deployment configuration and environment
- Whether compensating security controls are in place
Why it matters: Grype identifies vulnerabilities in the packages discovered by Syft, enabling you to find and fix security issues before they can be exploited. Not all vulnerabilities are equally serious—use severity ratings (CVSS) and exploitation probability (EPSS) to prioritize fixes. Understanding the context of a vulnerability helps you assess real risk rather than just responding to every CVE.
External resources:
Related documentation: Vulnerability Scanning
Vulnerability database
A repository of known security vulnerabilities, their affected software versions, severity scores, and remediation information. Vulnerability databases aggregate data from multiple sources like NVD, security advisories, and vendor bulletins.
Why it matters: Grype downloads and maintains a local vulnerability database that’s updated daily. The database quality directly impacts scan accuracy—Grype uses curated, high-quality data from multiple providers to minimize false positives and false negatives.
Related documentation: Vulnerability Database
Vulnerability scanner
A tool that identifies known security vulnerabilities in software by comparing components against vulnerability databases. Vulnerability scanners like Grype analyze software artifacts (container images, filesystems, or SBOMs) and report potential security issues that should be addressed.
Why it matters: Grype is a vulnerability scanner that works seamlessly with Syft-generated SBOMs. You can scan images directly with Grype, or generate an SBOM with Syft first and scan it separately, enabling workflows where SBOMs are generated once and scanned multiple times as new vulnerabilities are discovered.
Related documentation: Vulnerability Scanning