{"id":19368448,"url":"https://github.com/anchore/grype-db","last_synced_at":"2026-01-30T01:48:46.025Z","repository":{"id":45046856,"uuid":"279378868","full_name":"anchore/grype-db","owner":"anchore","description":null,"archived":false,"fork":false,"pushed_at":"2025-04-02T12:57:23.000Z","size":2572,"stargazers_count":45,"open_issues_count":14,"forks_count":18,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-04-02T13:44:40.481Z","etag":null,"topics":["grype","hacktoberfest","sqlite","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anchore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-13T18:15:41.000Z","updated_at":"2025-04-02T12:55:57.000Z","dependencies_parsed_at":"2023-09-21T19:32:48.562Z","dependency_job_id":"da11d86c-0410-417f-8448-c913c0f1bc60","html_url":"https://github.com/anchore/grype-db","commit_stats":null,"previous_names":["anchore/siren-db"],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fgrype-db","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fgrype-db/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fgrype-db/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fgrype-db/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anchore","download_url":"h
ttps://codeload.github.com/anchore/grype-db/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247174418,"owners_count":20896078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["grype","hacktoberfest","sqlite","vulnerability"],"created_at":"2024-11-10T08:06:28.049Z","updated_at":"2026-01-30T01:48:45.974Z","avatar_url":"https://github.com/anchore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# grype-db\n\n**Application to create a [Grype](https://github.com/anchore/grype) vulnerability database from upstream vulnerability data sources.**\n\n[![GitHub release](https://img.shields.io/github/release/anchore/grype-db.svg)](https://github.com/anchore/grype-db/releases/latest)\n[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/anchore/grype-db/blob/main/LICENSE)\n[![Join our Discourse](https://img.shields.io/badge/Discourse-Join-blue?logo=discourse)](https://anchore.com/discourse)\n\n## Installation\n\n**Note**: Currently, Grype-DB is built only for Linux and macOS.\n\n### Recommended\n\n```bash\ncurl -sSfL https://raw.githubusercontent.com/anchore/grype-db/main/install.sh | sh -s -- -b /usr/local/bin\n```\n\n... 
or, you can specify a release version and destination directory for the installation:\n\n```\ncurl -sSfL https://raw.githubusercontent.com/anchore/grype-db/main/install.sh | sh -s -- -b \u003cDESTINATION_DIR\u003e \u003cRELEASE_VERSION\u003e\n```\n\n\u003e [!IMPORTANT]  \n\u003e You will require the `zstd` utility installed on your system to support the `package` command.\n\n## Usage\n\n`grype-db` takes the following options:\n\n```bash\ngrype-db [-g] [--dir=DIR] [--schema=SCHEMA] [--skip-validation] [--publish-base-url=URL] [-p PROVIDER ...]\n```\n\n### Pulling Data and Building the Database\n\nTo pull data from a specific provider or providers and build the database in one step, run `grype-db` with the `-g` flag and specify providers with the `-p` flag:\n\n```sh\ngrype-db -g -p nvd\n```\n\nThis example will build the database for the `nvd` provider. Multiple providers can be specified.\n\nIf no providers are specified, `grype-db` defaults to all available providers as generated by `vunnel list`. However, note that accessing GitHub provider data requires a token to authenticate to the GitHub API. See [Getting Started Step-by-Step](https://github.com/anchore/grype-db#getting-started-step-by-step) for more information on adding a GitHub token.\n\nTo download all provider data and build the `vulnerability.db` database, run:\n\n```sh\ngrype-db -g\n```\n\nBy default, `grype-db` will download provider data and build the database. 
To run these steps individually, use the `build` and `pull` subcommands.\n\n### Pulling Provider Data\n\nTo pull provider data without building the database:\n\n```sh\ngrype-db pull -g -p nvd\n```\n\nOmit the `-p` flag to target all available providers.\n\nNote that you can skip the `pull` step if you already have a local cache of vulnerability data, such as with `make download-all-provider-cache`.\n\n### Building the Database\n\nOnce provider data has been downloaded, run the following to build the database:\n\n```sh\ngrype-db build -g -p nvd\n```\n\nThe build command can take the following options:\n\n```sh\ngrype-db build [-g] [--dir=DIR] [--schema=SCHEMA] [--skip-validation] [-p PROVIDER ...]\n```\n\n### Package the Database\n\nYou can package the `vulnerability.db`, for example to serve the data or for use in CI. Note that you will need the `zstd` utility to be installed on your system to use the `package` subcommand.\n\nTo package a built database, run:\n\n```sh\ngrype-db package\n```\n\nThis will package any database present in the `build` folder.\n\nThe `package` subcommand takes the following options:\n\n```\ngrype-db package [--dir=DIR] [--publish-base-url=URL]\n```\n\nThe `package` command archives the `vulnerability.db` file into a `tar.zstd` file. Additionally, a `latest.json`\nis generated to aid in serving one or more database archives for downstream consumption, where the consuming application should\nuse the listing file to discover archives available for download. The base URL used to create the download URL for each\ndatabase archive is controlled by the `package.base-url` configuration option.\n\n### Notes on the Cache\n\nThe `pull` command downloads and caches vulnerability data from upstream sources (e.g. NIST, redhat, github, canonical, etc.) into\na cache directory. 
The cache location is a platform-dependent XDG directory; however, the location can be overridden with the `cache.dir`\nconfiguration option.\n\nThe `build` command processes the cached vulnerability data to generate a `vulnerability.db` sqlite3 file. Additionally, a `metadata.json` file\nis created that is used in packaging and curation of the database file. In addition, a `provider-metadata.json` file is created that includes the last successful run date for each provider.\n\n### Cache Commands\n\nTo show the current state of the entire vulnerability data cache or a specific `PROVIDER`:\n\n```sh\ngrype-db cache status [--provider-name=PROVIDER ...]\n```\n\nTo back up all cached vulnerability data or a specific `PROVIDER` to a tar.gz file (`PATH`):\n\n```sh\ngrype-db cache backup [--path=PATH] [--provider-name=PROVIDER]\n```\n\nTo delete all cached vulnerability data or a specific `PROVIDER`:\n\n```sh\ngrype-db cache delete [--provider-name=PROVIDER]\n```\n\nTo restore the vulnerability cache from a tar.gz file (`PATH`):\n\n```sh\ngrype-db cache restore [--path=PATH] [--delete-existing]\n```\n\n## Getting Started Step-by-Step\n\nIf you're running `grype-db` for the first time, you can set up using the following steps.\n\nFirst, [create a GitHub access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) to authenticate to the GitHub API. (Tokens can be generated on [this GitHub settings page](https://github.com/settings/tokens).) No specific permissions are needed. 
Using restrictive permissions settings and creating a short-lived token is highly recommended.\n\nSet your token as an environment variable:\n\n```sh\nGITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n```\n\nCreate and set a working directory:\n\n```sh\nmkdir -p ~/vulnerability-data \u0026\u0026 cd $_\n```\n\nCreate a Python virtual environment and activate it:\n\n```sh\npython -m venv venv \u0026\u0026 source venv/bin/activate\n```\n\nInstall [vunnel](https://github.com/anchore/vunnel):\n\n```sh\npip install vunnel\n```\n\nNow install `grype-db` as a binary in the working directory. (Note that this will not place `grype-db` on your path.)\n\n```sh\ncurl -sSfL https://raw.githubusercontent.com/anchore/grype-db/main/install.sh | sh -s -- -b .\n```\n\nCreate a configuration file for `grype-db` using the following here document. The command will automatically add the GitHub token you set earlier to the config, so no manual replacement is needed.\n\n```sh\ncat \u003c\u003c EOF \u003e ~/vulnerability-data/.grype-db.yaml\nprovider:\n  vunnel:\n    executor: local\n    generate-configs: true\n    env:\n      GITHUB_TOKEN: $GITHUB_TOKEN\nEOF\n```\n\nBuild the database from all providers. (Note that this command can take significant time to complete.)\n\n```sh\n./grype-db -g\n```\n\nOnce this command completes, you should have `data` and `build` folders with downloaded data and a built `vulnerability.db` file, among other contents.\n\n## DB Schemas\n\nThis repo supports building databases for all supported versions of grype, even when the data shape has changed.\nFor every change in the data shape over time, a new schema is created (see the DEVELOPING.md for details on how to bump the schema).\n\n**For every schema grype-db supports, we build a DB for that schema nightly. 
To reduce nightly DB maintenance, try to keep the schema bumps to a minimum during development.**\n\nOnce a schema has been created, the previous schema should be considered locked unless making bug fixes or updates related to [vunnel](https://github.com/anchore/vunnel), or otherwise upstream data shape changes.\n\nIf the development being done requires any of the following, then a **new schema is required to be created** (over further developing the current schema):\n\n- If a previous version of grype using the same schema would not function with the new changes\n- If the current version of grype using a previously published database (but still the same schema) would not function with the new changes\n\nWhere \"would not function\" means either grype will error out during processing, or the results are otherwise compromised (e.g. missing data that otherwise could/should have been found and reported).\n\nThe following kinds of changes **do not necessarily require a new schema**:\n\n- Adding a new data source\n- Removing an existing data source (as long as the grype matchers are not requiring its presence)\n\nThere are plenty of grey areas between these cases (e.g. 
changing the expected set of values for a field, or changing the semantics for a column) -- use your best judgement.\n\nThis repo is responsible for publishing DBs with the latest vulnerability data for every supported schema daily.\nThis is achieved with the [Daily Data Sync](https://github.com/anchore/grype-db/actions/workflows/daily-data-sync.yaml) and [Daily DB Publisher](https://github.com/anchore/grype-db/actions/workflows/daily-db-publisher.yaml) GitHub Actions workflows.\nWhich schemas are built and which grype versions are used to verify functionality is controlled with the `grype-schema-version-mapping.json` file in the root of this repo\n(see the DEVELOPING.md for more details).\n\n## Configuration\n\n```yaml\n# suppress all output\n# same as -q ; GRYPE_DB_QUIET env var\nquiet: false\n\nlog:\n  # the log level; note: detailed logging suppresses the ETUI\n  # same as GRYPE_DB_LOG_LEVEL env var\n  level: \"error\"\n\n  # location to write the log file (default is not to have a log file)\n  # same as GRYPE_DB_LOG_FILE env var\n  file: \"\"\n\nprovider:\n  # where to read and write all provider data. The state must be oriented as described \n  # in https://github.com/anchore/vunnel/tree/main/schema/provider-workspace-state .\n  # Note: all location references under `providers` should be relative to this directory\n  # same as GRYPE_DB_PROVIDER_ROOT env var\n  root: ./data\n\n  # names of providers to filter down to while running\n  # same as -p\n  include-filter: []\n  \n  vunnel:\n    # how to execute vunnel. 
Options are:\n    #  - \"docker\" (default): execute vunnel in a docker container\n    #  - \"local\": execute vunnel on the host from what is in your $PATH\n    executor: docker\n    \n    # the docker image to use when executing vunnel with executor=docker\n    docker-tag: latest\n    docker-image: ghcr.io/anchore/vunnel\n    \n    # generate additional provider configuration files based on the \"vunnel list\" command\n    # same as -g ; GRYPE_DB_GENERATE_CONFIGS env var\n    generate-configs: true\n    \n    # providers to exclude from the \"vunnel list\" command (only applies when generate-configs=true)\n    exclude-providers:\n      - centos\n    \n    # environment variables to set when executing vunnel\n    env: {}\n    \n  # manually crafted provider configurations. (advanced use only)\n  configs: []\n\npull:\n  # the number of concurrent workers to use when pulling and processing data\n  parallelism: 1\n\nbuild:\n  # where to place the built SQLite DB that is built from the \"build\" command\n  # same as --dir; GRYPE_DB_BUILD_DIR env var\n  dir: \"./build\"\n\n  # the DB schema version to build\n  # same as --schema-version; GRYPE_DB_BUILD_SCHEMA_VERSION env var\n  schema-version: 5\n\n  # skip validation of the provider state\n  skip-validation: false\n\npackage:\n  # this is the base URL that is referenced in the listing file created during the \"package\" command\n  # same as GRYPE_DB_PACKAGE_PUBLISH_BASE_URL env var\n  publish-base-url: \"https://localhost:8080/grype/databases\"\n\n  # limit the providers to pull based off of this list. (empty list means pull all providers)\n  provider-names: []\n\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fgrype-db","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanchore%2Fgrype-db","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fgrype-db/lists"}