# Scan Containers with Grype

Container images often ship with vulnerable packages that are hard to prioritize. This skill helps Claude, Codex, and Claude Code run Grype scans, interpret results, and add CI/CD gates.

## Install

```bash
npx skillstore add agentsecops/container-grype
```

## Metadata

- Status: approved
- Slug: agentsecops-container-grype
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/devsecops/container-grype
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 75
- Public page: https://skillstore.pages.dev/skills/agentsecops-container-grype
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-container-grype/manifest

## Capabilities

- Guides Grype scans for container images, filesystems, and SBOM files.
- Explains severity thresholds for CI/CD pipeline security gates.
- Helps prioritize findings using CVSS, EPSS, and CISA KEV context.
- Provides example configurations for GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, and Tekton.
- Describes output formats including table, JSON, SARIF, and CycloneDX.
- Includes remediation guidance for vulnerable packages and base images.

## Use Cases

- Block risky container releases: Add Grype scans to build pipelines and fail releases when high or critical vulnerabilities are found.
- Prioritize remediation work: Rank container findings using severity, exploit probability, known exploitation, fix availability, and affected package context.
- Prepare audit evidence: Generate repeatable scan reports and artifacts that support vulnerability management and software supply chain controls.
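The two use cases above (a severity gate and KEV/EPSS-aware prioritization) as one added Python example; this is not the skill's own code. It reads the standard fields of `grype <image> -o json` (`matches[].vulnerability.id/severity/fix.state`, `matches[].artifact.name/version`) from a constructed sample report, and takes KEV membership and EPSS scores as constructed lookup inputs with placeholder CVE ids rather than from any real feed.

```python
import json

# Severity order used for the gate (Grype's severity strings).
SEVERITY_RANK = {"Negligible": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample of Grype JSON output, trimmed to the fields used here.
SAMPLE_REPORT = json.loads("""
{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
   "fix": {"versions": ["2.0.1"], "state": "fixed"}},
  "artifact": {"name": "libfoo", "version": "2.0.0", "type": "deb"}},
 {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
   "fix": {"versions": [], "state": "not-fixed"}},
  "artifact": {"name": "libbar", "version": "1.4.2", "type": "apk"}},
 {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
   "fix": {"versions": ["0.9.9"], "state": "fixed"}},
  "artifact": {"name": "libbaz", "version": "0.9.8", "type": "npm"}}
]}
""")
# Constructed enrichment data (placeholder ids, not real KEV or EPSS values).
SAMPLE_KEV = {"CVE-0000-0003"}
SAMPLE_EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.45, "CVE-0000-0003": 0.80}

def rank_findings(report, kev_ids, epss, epss_urgent=0.3):
    """Return findings most-urgent first: KEV, then high EPSS, then severity, then fixable."""
    rows = []
    for m in report["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        rows.append({
            "id": v["id"], "package": f'{a["name"]}@{a["version"]}',
            "severity": v["severity"],
            "kev": v["id"] in kev_ids,
            "epss": epss.get(v["id"], 0.0),
            "fixable": v.get("fix", {}).get("state") == "fixed",
        })
    rows.sort(key=lambda r: (r["kev"], r["epss"] >= epss_urgent,
                             SEVERITY_RANK.get(r["severity"], 0), r["fixable"]), reverse=True)
    return rows

def gate(report, kev_ids, epss, fail_on="High"):
    """CI gate: return findings at or above fail_on severity, plus any KEV match regardless of CVSS."""
    threshold = SEVERITY_RANK[fail_on]
    return [r for r in rank_findings(report, kev_ids, epss)
            if r["kev"] or SEVERITY_RANK.get(r["severity"], 0) >= threshold]

if __name__ == "__main__":
    blocking = gate(SAMPLE_REPORT, SAMPLE_KEV, SAMPLE_EPSS)
    for r in blocking:
        print(f'{r["id"]} {r["severity"]:<8} {r["package"]} kev={r["kev"]} epss={r["epss"]} fixable={r["fixable"]}')
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the pipeline step
```

The Low-severity KEV entry lands at the top of the ranking and still blocks the build, which is the "urgent even when CVSS is lower" case the skill's best practices describe.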

## Prompt Templates

### Run a first scan

```
Use the container-grype skill to scan my image named <image>. Explain the command, expected output, and how to read critical and high findings.
```

### Add a CI gate

```
Use the container-grype skill to design a CI/CD Grype scan for <platform>. Fail on high severity and save a human-readable report as an artifact.
```

### Prioritize a report

```
Use the container-grype skill to help prioritize my Grype results. Focus on CISA KEV, EPSS, CVSS, fix availability, and package ownership.
```

### Design an enterprise workflow

```
Use the container-grype skill to design a container vulnerability management workflow across build, registry, deployment, and scheduled rescans.
```

## Limitations

- Requires Grype and any container tooling to be installed in the user environment.
- Does not prove exploitability for every reported vulnerability.
- CI templates need review before production use, especially remote installers and Docker socket access.
- Scan quality depends on current vulnerability databases and accurate package detection.

## Best Practices

- Pin scanner versions and verify downloads before using CI templates in production.
- Treat KEV matches and high EPSS vulnerabilities as urgent even when CVSS is lower.
- Store scan reports securely because package inventories can reveal application architecture.

## Anti Patterns

- Do not copy remote installer commands into production CI without verification.
- Do not mount the Docker socket into shared runners unless the runner is isolated and trusted.
- Do not suppress vulnerabilities without documented reason, owner, and review date.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T06:18:51.583+00:00
- Summary: Static analysis found many command, network, filesystem, environment, and script patterns, but most are documentation examples for legitimate vulnerability scanning workflows. The confirmed risks are operational: some CI templates install tools with curl piped to a shell and one Jenkins example mounts the Docker socket, so publication is acceptable only with clear warnings and review guidance.

## Stats

- Views: 242
- Downloads: 6
- Favorites: 0
- Popularity score: 0
