Syft And Grype Integrate With Modern DevOps Environments For Security And Speed

SANTA BARBARA, CALIF., OCTOBER 6, 2020 — Anchore, Inc., the leading experts in policy-based workflow and compliance, is launching a collection of new open source tools for automating DevSecOps pipeline security and analysis. Syft and Grype are the first in a collection of tools designed for integration and performance. The tools analyze and scan container images and filesystems, allowing developers to enhance best practices within existing workflows and systems.

As cybersecurity breaches become more numerous and costly, traditional safeguarding tactics grow less effective. Incident response teams are often overwhelmed by having to constantly investigate the cause of previous breaches while developing new preventative measures as the pace of software delivery quickens. With Anchore, developers have a unique opportunity to address problems before software is ever deployed and before an incident can occur.

“Our mission at Anchore is to give developers the tools they need to build security into their everyday tasks,” said Anchore CTO Daniel Nurmi. “That means they need to work seamlessly with a large collection of other tools and systems, providing instant results so developers can act immediately. Syft and Grype were designed for exactly that purpose, and are the first of many tools to come.”

Syft analyzes container images and filesystems to create a Software Bill of Materials (SBOM), a comprehensive record of operating system packages and language artifacts. Using Syft, developers can inspect the contents of new software components before deciding to use them and maintain a comprehensive record of the third-party software included in their projects. Syft generates SBOMs that conform to the CycloneDX specification, providing interoperability with a range of software supply chain management tools.

Grype scans container images and filesystems for known vulnerabilities, matching contents against Anchore Feed Service data compiled from multiple public data sources. Developers can use Grype to discover vulnerable components quickly inside projects as they are created and take the appropriate steps for remediation. The Visual Studio Code extension for Grype brings vulnerability scanning directly into the developer’s environment, rescanning projects regularly to watch for emerging vulnerabilities. Developers can easily trigger a Grype vulnerability scan of GitHub projects using the Anchore Container Scan GitHub Action.

“As an open source company, we do research and development in the open,” shared Anchore VP of Product Management Neil Levine. “In recent surveys, customers and community members agreed that security scanning can never be too fast and integration can never be too easy. We are looking forward to seeing how developers and DevOps teams use the tools while we focus on enhancing them with the policy features of our continuous compliance platform, Anchore Enterprise.”

Syft and Grype are available immediately at The Visual Studio Code extension can be found in the Visual Studio Marketplace, and the GitHub Action can be found in the GitHub Marketplace. Contributions, feature requests, and issue reports are welcome at the GitHub projects for each tool.