{"id":16019831,"url":"https://github.com/fabasoad/pre-commit-grype","last_synced_at":"2025-07-22T06:04:57.498Z","repository":{"id":245565003,"uuid":"818481449","full_name":"fabasoad/pre-commit-grype","owner":"fabasoad","description":"pre-commit hooks to run grype","archived":false,"fork":false,"pushed_at":"2025-06-09T22:03:37.000Z","size":82,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-18T06:50:56.693Z","etag":null,"topics":["appsec","grype","pre-commit","pre-commit-hook","sast","sca","security","software-composition-analysis"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fabasoad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://www.bitcoinqrcodemaker.com/?style=bitcoin\u0026address=145HwyQAcv4vrzUumJhu7nWGAVBysX9jJH\u0026prefix=on","https://paypal.me/fabasoad"],"github":["fabasoad"],"ko_fi":"fabasoad","liberapay":"fabasoad"}},"created_at":"2024-06-22T00:53:12.000Z","updated_at":"2025-06-09T22:03:41.000Z","dependencies_parsed_at":"2025-02-20T23:19:22.667Z","dependency_job_id":"39338433-56ea-45a3-a35b-465e1504062e","html_url":"https://github.com/fabasoad/pre-commit-grype","commit_stats":null,"previous_names":["fabasoad/pre-commit-grype"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/fabasoad/pre-commit-grype","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabasoad%2Fpre-commit-grype","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabasoad%2Fpre-commit-grype/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabasoad%2Fpre-commit-grype/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabasoad%2Fpre-commit-grype/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fabasoad","download_url":"https://codeload.github.com/fabasoad/pre-commit-grype/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabasoad%2Fpre-commit-grype/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266437369,"owners_count":23928235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","grype","pre-commit","pre-commit-hook","sast","sca","security","software-composition-analysis"],"created_at":"2024-10-08T17:05:34.806Z","updated_at":"2025-07-22T06:04:57.488Z","avatar_url":"https://github.com/fabasoad.png","language":"Shell","readme":"# Grype pre-commit hooks\n\n[![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)\n![GitHub release](https://img.shields.io/github/v/release/fabasoad/pre-commit-grype?include_prereleases)\n![security](https://github.com/fabasoad/pre-commit-grype/actions/workflows/security.yml/badge.svg)\n![linting](https://github.com/fabasoad/pre-commit-grype/actions/workflows/linting.yml/badge.svg)\n![functional-tests](https://github.com/fabasoad/pre-commit-grype/actions/workflows/functional-tests.yml/badge.svg)\n\n## Table of Contents\n\n- [Grype pre-commit hooks](#grype-pre-commit-hooks)\n  - [Table of Contents](#table-of-contents)\n  - [How it works?](#how-it-works)\n  - [Prerequisites](#prerequisites)\n  - [Hooks](#hooks)\n    - [grype-dir](#grype-dir)\n  - [Customization](#customization)\n    - [Description](#description)\n    - [Parameters](#parameters)\n      - [Grype](#grype)\n      - [pre-commit-grype](#pre-commit-grype)\n        - [Log level](#log-level)\n        - [Log color](#log-color)\n        - [Grype version](#grype-version)\n        - [Clean cache](#clean-cache)\n    - [Examples](#examples)\n  - [Contributions](#contributions)\n\n## How it works?\n\nAt first, the hook tries to use a globally installed `grype` tool. If it doesn't exist,\nthe hook installs `grype` into a `.fabasoad/pre-commit-grype` temporary directory\nthat is removed after scanning is completed.\n\n## Prerequisites\n\nThe following tools have to be available on a machine prior to using this pre-commit\nhook:\n\n- [bash \u003e=4.0](https://www.gnu.org/software/bash/)\n- [curl](https://curl.se/)\n- [jq](https://jqlang.github.io/jq/)\n\n## Hooks\n\n\u003c!-- markdownlint-disable-next-line MD013 --\u003e\n\n\u003e `\u003crev\u003e` in the examples below is the latest revision tag from the [fabasoad/pre-commit-grype](https://github.com/fabasoad/pre-commit-grype/releases)\n\u003e repository.\n\n### grype-dir\n\nThis hook runs the [grype dir:.](https://github.com/anchore/grype?tab=readme-ov-file#supported-sources)\ncommand.\n\n```yaml\nrepos:\n  - repo: https://github.com/fabasoad/pre-commit-grype\n    rev: \u003crev\u003e\n    hooks:\n      - id: grype-dir\n```\n\n## Customization\n\n### Description\n\nThere are 2 ways to customize scanning for both `grype` and `pre-commit-grype` -\nenvironment variables and arguments passed to [args](https://pre-commit.com/#config-args).\n\nYou can pass arguments to the hook as well as to `grype` itself. To distinguish\nparameters you need to use `--grype-args` for `grype` arguments and `--hook-args`\nfor `pre-commit-grype` arguments. The supported delimiter is `=`. So, use `--hook-args=\u003carg\u003e`\nbut not `--hook-args \u003carg\u003e`. Please see [Examples](#examples) for more details.\n\n### Parameters\n\n#### Grype\n\nYou can install `grype` locally and run `grype --help` to see all the available\narguments:\n\n\u003c!-- markdownlint-disable MD013 --\u003e\n\n```shell\n$ grype --version\ngrype 0.79.1\n\n$ grype --help\nA vulnerability scanner for container images, filesystems, and SBOMs.\n\nSupports the following image sources:\n    grype yourrepo/yourimage:tag             defaults to using images from a Docker daemon\n    grype path/to/yourproject                a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory\n\nYou can also explicitly specify the scheme to use:\n    grype podman:yourrepo/yourimage:tag          explicitly use the Podman daemon\n    grype docker:yourrepo/yourimage:tag          explicitly use the Docker daemon\n    grype docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from \"docker save\"\n    grype oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Podman or otherwise)\n    grype oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)\n    grype singularity:path/to/yourimage.sif      read directly from a Singularity Image Format (SIF) container on disk\n    grype dir:path/to/yourproject                read directly from a path on disk (any directory)\n    grype sbom:path/to/syft.json                 read Syft JSON from path on disk\n    grype registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)\n    grype purl:path/to/purl/file                 read a newline separated file of purls from a path on disk\n\nYou can also pipe in Syft JSON directly:\n syft yourimage:tag -o json | grype\n\nUsage:\n  grype [IMAGE] [flags]\n  grype [command]\n\nAvailable Commands:\n  completion  Generate a shell completion for Grype (listing local docker images)\n  config      show the grype configuration\n  db          vulnerability database operations\n  explain     Ask grype to explain a set of findings\n  help        Help about any command\n  version     show version information\n\nFlags:\n      --add-cpes-if-none       generate CPEs for packages with no CPE data\n      --by-cve                 orient results by CVE instead of the original vulnerability ID when possible\n  -c, --config string          grype configuration file\n      --distro string          distro to match against in the format: \u003cdistro\u003e:\u003cversion\u003e\n      --exclude stringArray    exclude paths from being scanned using a glob expression\n  -f, --fail-on string         set the return code to 1 if a vulnerability is found with a severity \u003e= the given severity, options=[negligible low medium high critical]\n      --file string            file to write the default report output to (default is STDOUT)\n  -h, --help                   help for grype\n      --ignore-states string   ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]\n      --name string            set the name of the target being analyzed\n      --only-fixed             ignore matches for vulnerabilities that are not fixed\n      --only-notfixed          ignore matches for vulnerabilities that are fixed\n  -o, --output stringArray     report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]\n      --platform string        an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')\n  -q, --quiet                  suppress all logging output\n  -s, --scope string           selection of layers to analyze, options=[squashed all-layers] (default \"squashed\")\n      --show-suppressed        show suppressed/ignored vulnerabilities in the output (only supported with table output format)\n  -t, --template string        specify the path to a Go template file (requires 'template' output to be selected)\n  -v, --verbose count          increase verbosity (-v = info, -vv = debug)\n      --version                version for grype\n      --vex stringArray        a list of VEX documents to consider when producing scanning results\n\nUse \"grype [command] --help\" for more information about a command.\n```\n\n\u003c!-- markdownlint-enable MD013 --\u003e\n\n#### pre-commit-grype\n\nHere is the precedence order of the `pre-commit-grype` tool's parameters:\n\n- Parameter passed to the hook as an argument via `--hook-args`.\n- Environment variable.\n- Default value.\n\nFor example, if you set `PRE_COMMIT_GRYPE_LOG_LEVEL=warning` and `--hook-args=--log-level\nerror` then the `error` value will be used.\n\n##### Log level\n\nWith this parameter you can control the log level of the `pre-commit-grype` hook output.\nIt doesn't affect the `grype` log level. To control the `grype` log level\nplease look at the [Grype parameters](#grype).\n\n- Parameter name: `--log-level`\n- Environment variable: `PRE_COMMIT_GRYPE_LOG_LEVEL`\n- Possible values: `debug`, `info`, `warning`, `error`\n- Default: `info`\n\n##### Log color\n\nWith this parameter you can enable/disable the coloring of `pre-commit-grype`\nhook logs. It doesn't affect `grype` log coloring.\n\n- Parameter name: `--log-color`\n- Environment variable: `PRE_COMMIT_GRYPE_LOG_COLOR`\n- Possible values: `true`, `false`\n- Default: `true`\n\n##### Grype version\n\nSpecifies the `grype` version to use. This works only if `grype` is not\ninstalled globally; otherwise the globally installed `grype` takes precedence.\n\n- Parameter name: `--grype-version`\n- Environment variable: `PRE_COMMIT_GRYPE_GRYPE_VERSION`\n- Possible values: [Grype version](https://github.com/anchore/grype/releases)\n- Default: `latest`\n\n##### Clean cache\n\nWith this parameter you can choose either to keep the cache directory (`.fabasoad/pre-commit-grype`)\nor to remove it. By default, the cache directory is removed. With the `false` value\nthe cache directory is kept, which means that if `grype` is not installed\nglobally, subsequent runs won't download `grype` again. Don't forget to add the\ncache directory to the `.gitignore` file.\n\n- Parameter name: `--clean-cache`\n- Environment variable: `PRE_COMMIT_GRYPE_CLEAN_CACHE`\n- Possible values: `true`, `false`\n- Default: `true`\n\n### Examples\n\nPass arguments separately from each other:\n\n```yaml\nrepos:\n  - repo: https://github.com/fabasoad/pre-commit-grype\n    rev: \u003crev\u003e\n    hooks:\n      - id: grype-dir\n        args:\n          - --hook-args=--log-level debug\n          - --grype-args=--fail-on low\n          - --grype-args=--by-cve\n```\n\nPass arguments together, grouped by category:\n\n```yaml\nrepos:\n  - repo: https://github.com/fabasoad/pre-commit-grype\n    rev: \u003crev\u003e\n    hooks:\n      - id: grype-dir\n        args:\n          - --hook-args=--log-level debug\n          - --grype-args=--fail-on low --by-cve\n```\n\nSet these parameters for the minimal possible log output:\n\n```yaml\nrepos:\n  - repo: https://github.com/fabasoad/pre-commit-grype\n    rev: \u003crev\u003e\n    hooks:\n      - id: grype-dir\n        args:\n          - --hook-args=--log-level=error\n          - --grype-args=--quiet\n```\n\n## Contributions\n\n![Alt](https://repobeats.axiom.co/api/embed/53adabff87911035debaac973b792bd1b1cb0ef0.svg \"Repobeats analytics image\")\n","funding_links":["https://www.bitcoinqrcodemaker.com/?style=bitcoin\u0026address=145HwyQAcv4vrzUumJhu7nWGAVBysX9jJH\u0026prefix=on","https://paypal.me/fabasoad","https://github.com/sponsors/fabasoad","https://ko-fi.com/fabasoad","https://liberapay.com/fabasoad"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabasoad%2Fpre-commit-grype","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffabasoad%2Fpre-commit-grype","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabasoad%2Fpre-commit-grype/lists"}