
grype
A fast, open-source vulnerability scanner for container images and filesystems, developed by Anchore, that matches packages against multiple vulnerability databases to produce actionable CVE reports.
What is Grype?
The Grype image packages Anchore's open-source vulnerability scanner so you can run grype against container images, directories, and SBOMs inside CI/CD pipelines without installing it on the host. Grype catalogs the packages in an image or filesystem, matches them against a vulnerability database that Anchore builds from NVD, GitHub Security Advisories, and OS vendor feeds, and emits structured reports (table, JSON, SARIF, CycloneDX and others) that can fail a build or feed a dashboard. It pairs naturally with Syft, which generates the SBOM that Grype can scan directly, and is widely used in DevSecOps pipelines for shift-left scanning that catches CVEs before images reach production.
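As an added example of what structured reports buy you in a pipeline, the script below (written for this page, not Anchore's or Echo's code) gates a CI job on Grype's JSON output: it runs `grype <target> -o json`, keeps findings at or above a severity threshold, optionally drops ones the upstream distro has not fixed yet, honours a time-boxed allowlist, and exits non-zero if anything remains. It relies on the `matches[].vulnerability.{id,severity,fix.state,fix.versions}` and `matches[].artifact.{name,version}` fields of Grype's JSON schema; the allowlist format, the placeholder CVE IDs in the embedded sample report, and the `run_grype`/`evaluate` function names are this example's own assumptions.

```python
"""Gate a CI job on Grype's JSON report (added example, not Grype's own code).

Usage: python grype_gate.py <image-or-dir-or-sbom>   (no argument: sample data)
"""
from __future__ import annotations

import json
import subprocess
import sys
from datetime import date

# Grype's severity labels, ranked so they can be compared against a threshold.
# "Unknown" (no score in any feed) is ranked lowest: it is reported but never blocks.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Accepted-risk allowlist: vulnerability ID -> ISO expiry date. This format is an
# assumption of this example; an expired entry stops suppressing the finding.
ALLOWLIST: dict[str, str] = {"CVE-0000-0003": "2099-01-01"}

# Constructed sample report with placeholder (not real) CVE IDs, shaped like
# `grype -o json` output, so the gate can be exercised offline.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"versions": ["3.1.0"], "state": "fixed"}},
         "artifact": {"name": "tooling", "version": "3.0.0", "type": "go-module"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                           "fix": {"versions": ["0.9.1"], "state": "fixed"}},
         "artifact": {"name": "minor", "version": "0.9.0", "type": "apk"}},
    ]
}


def run_grype(target: str) -> dict:
    """Scan an image, directory or SBOM with the grype binary and parse its JSON.

    Without --fail-on, grype exits 0 even when it finds vulnerabilities, so the
    build decision is made by evaluate() below rather than by grype itself.
    """
    proc = subprocess.run(["grype", target, "-o", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def evaluate(report: dict, fail_on: str = "High", only_fixed: bool = True,
             allowlist: dict[str, str] | None = None,
             today: date | None = None) -> list[dict]:
    """Return the findings that should fail the build, in report order."""
    today = today or date.today()
    allowlist = allowlist or {}
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        severity = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue                      # below the gate's severity threshold
        if only_fixed and fix.get("state") != "fixed":
            continue                      # nothing to upgrade to yet: report, don't block
        expiry = allowlist.get(vuln["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue                      # accepted risk, still within its review window
        blocking.append({
            "id": vuln["id"],
            "severity": severity,
            "package": f"{artifact['name']}@{artifact['version']}",
            "fixed_in": ", ".join(fix.get("versions", [])) or "-",
        })
    return blocking


def main(argv: list[str]) -> int:
    report = run_grype(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    blocking = evaluate(report, fail_on="High", only_fixed=True, allowlist=ALLOWLIST)
    for finding in blocking:
        print(f"BLOCK {finding['severity']:<9}{finding['id']}  "
              f"{finding['package']}  (fixed in {finding['fixed_in']})")
    print(f"{len(blocking)} blocking finding(s)")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the scan job (`python grype_gate.py registry.example/app:$TAG`, with the image reference being yours); the `only_fixed` switch is the one to think about, since blocking on findings with no fix available produces a red build nobody can turn green, while still printing them keeps the unfixed ones visible.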
What is Echo's Grype image?
Echo's Grype image is a hardened build of Grype on Echo's hardened base. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your scanner. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For CI/CD scanning jobs where Grype runs as a one-shot container, the distroless variant is the leaner, more secure choice; the default variant is the right call if your pipeline wraps Grype with shell scripting or additional tooling.
What is the difference between Echo's Grype image and the public Grype image?
Public Grype images include OS-level tooling that is convenient for ad-hoc use but contributes CVEs that your scanner — ironically — will flag on the very image running your scans. Echo's build strips the base down to what Grype actually needs to execute, removing those CVEs without changing scan behavior or database update logic. As we covered in our post on OSS vulnerability scanning, the packages bundled into your scanner image are themselves a risk surface that's easy to overlook. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.
FAQ
Can I replace my Grype image with Echo's Grype image?
Yes. Echo's Grype image is a drop-in replacement. Update the FROM line in your Dockerfile (or the image reference in your manifests) and your scanner keeps working — the CVEs disappear, the behavior doesn't. Grype's database fetch, scan logic, and output formats are all preserved so your existing pipeline integrations continue without modification.
Is Echo's Grype image FIPS-validated?
Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use — unlike FIPS-compliant images that haven't been validated. This matters when Grype is running inside a FedRAMP boundary where the scanning toolchain itself is in scope.
What is Echo's vulnerability management SLA on the Grype image?
Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version.
Is Echo's Grype image distroless?
Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For most CI scanning jobs the distroless variant is the right choice: Grype is a single statically linked binary and needs no shell to scan, so an attacker who compromises the scan step finds no shell, package manager, or interpreter to pivot with. Pick the default variant only when the job itself has to run shell commands inside the container, for example to post-process Grype's output.
How does Echo achieve such a drastic CVE reduction in Grype?
Echo's Grype image is built from source with only the absolute essentials needed to run the workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the Grype version that works for you without forcing a functional change for the sake of security. The result is a scanner that can scan others clean — and is clean itself.
Will Echo's Grype image help us achieve FedRAMP?
Yes. The hard parts of FedRAMP — managing vulnerabilities, applying fixes, and using FIPS-validated cryptography — are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting. If Grype is part of your continuous monitoring or ATO scanning workflow, Echo's hardened image keeps it in-boundary and compliant.