sca-grype


SCA Scan with Grype


You are a security engineer running Software Composition Analysis (SCA) with Grype to detect known vulnerabilities in project dependencies and container images.

When to use


Use this skill when asked to scan a project or container image for dependency vulnerabilities. Grype supports both filesystem (directory) and container image scanning, and can also scan a pre-generated SBOM.

Prerequisites


  • Grype installed: `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin`
  • Verify the installation: `grype version`

Instructions


  1. Identify the target — Determine whether you are scanning a directory or a container image.
  2. Run the scan:
     Filesystem:
     ```bash
     grype dir:<target-path> -o json > grype-results.json
     ```
     Container image:
     ```bash
     grype <image-name>:<tag> -o json > grype-results.json
     ```
     • Filter by severity (`--fail-on high` makes the scan exit non-zero when any High or Critical finding is present):
       ```bash
       grype dir:. --fail-on high -o json
       ```
     • Scan a specific SBOM instead of the source tree or image:
       ```bash
       grype sbom:sbom.json -o json
       ```
  3. Parse the results — Read the JSON output and present the findings in this layout:
| # | Severity | CVE | Package | Installed | Fixed | Type | Description |
|---|----------|-----|---------|-----------|-------|------|-------------|
  4. Summarize — Provide:
     • Total vulnerabilities by severity (Critical/High/Medium/Low/Negligible)
     • Actionable upgrade paths for Critical and High findings
     • Whether any vulnerabilities have known exploits
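The parse-and-summarize steps above, as an added example (not part of the original skill file and not Grype's own code). It reads Grype's JSON (`matches[].vulnerability` and `matches[].artifact`), builds the table in the layout shown, totals findings per severity, lists upgrade paths for Critical/High findings, and reports which CVEs Grype flagged as known exploited. The sample input is constructed to mirror the JSON shape; its CVE ids, package names and versions are placeholders. The `knownExploited` field is emitted by newer Grype releases and is treated as optional here (an assumption about the schema), so older output without it still parses.

```python
import json
from collections import Counter

# Severity ranking used for sorting and the summary (Grype's own labels).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample in the shape of `grype ... -o json`; ids, names and
# versions are placeholders, not real findings.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "description": "placeholder: no upstream fix yet",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "pkgtwo", "version": "2.0.0", "type": "python"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "description": "placeholder: low severity issue",
                       "fix": {"versions": ["3.1.0"], "state": "fixed"}},
     "artifact": {"name": "pkgthree", "version": "3.0.0", "type": "npm"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "description": "placeholder: critical issue with a fix",
                       "fix": {"versions": ["1.2.4", "1.3.0"], "state": "fixed"},
                       # Newer Grype releases add knownExploited (CISA KEV) entries;
                       # treated as optional here (assumption about the schema).
                       "knownExploited": [{"cve": "CVE-0000-0001"}]},
     "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
]})


def load_matches(text):
    """Flatten Grype JSON into one row per match, sorted by severity then CVE."""
    rows = []
    for m in json.loads(text).get("matches", []):
        vuln = m.get("vulnerability", {})
        art = m.get("artifact", {})
        fix = vuln.get("fix") or {}
        rows.append({
            "severity": vuln.get("severity") or "Unknown",
            "cve": vuln.get("id", ""),
            "package": art.get("name", ""),
            "installed": art.get("version", ""),
            "fixed": list(fix.get("versions") or []),
            "type": art.get("type", ""),
            "description": (vuln.get("description") or "").strip(),
            # Missing field means "not known exploited", not a KeyError.
            "known_exploited": bool(vuln.get("knownExploited")),
        })
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    rows.sort(key=lambda r: (rank.get(r["severity"], len(rank)), r["cve"]))
    return rows


def count_by_severity(rows):
    """Totals for every severity bucket, zeros included, in ranked order."""
    counts = Counter(r["severity"] for r in rows)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def upgrade_paths(rows):
    """One actionable line per Critical/High finding (first listed fix version)."""
    out = []
    for r in rows:
        if r["severity"] not in ("Critical", "High"):
            continue
        target = r["fixed"][0] if r["fixed"] else "no fix available"
        out.append(f"{r['cve']}: {r['package']} {r['installed']} -> {target}")
    return out


def known_exploited(rows):
    """CVE ids Grype flagged as known exploited (empty when the field is absent)."""
    return [r["cve"] for r in rows if r["known_exploited"]]


def render_table(rows):
    """Markdown table with the column layout used in the skill."""
    lines = [
        "| # | Severity | CVE | Package | Installed | Fixed | Type | Description |",
        "|---|----------|-----|---------|-----------|-------|------|-------------|",
    ]
    for i, r in enumerate(rows, 1):
        fixed = ", ".join(r["fixed"]) or "-"
        desc = r["description"].replace("|", "\\|")  # keep table cells intact
        lines.append(f"| {i} | {r['severity']} | {r['cve']} | {r['package']} | "
                     f"{r['installed']} | {fixed} | {r['type']} | {desc} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_GRYPE_JSON with open("grype-results.json").read() for real output.
    rows = load_matches(SAMPLE_GRYPE_JSON)
    print(render_table(rows))
    print("\nTotals:", count_by_severity(rows))
    print("Upgrade paths:", *upgrade_paths(rows), sep="\n  ")
    print("Known exploited:", known_exploited(rows) or "none")
```

Findings with an empty `fix.versions` list are reported as "no fix available" rather than dropped, since an unfixed Critical or High finding is exactly the case that needs a decision (mitigate, replace the package, or accept the risk) rather than a silent omission.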