October 9, 2020

SD Times Open Source Project of the Week: Syft and Grype

This week’s highlighted open-source project is actually a collection of tools. Compliance company Anchore recently announced it would be launching a suite of open-source tools to help companies automate DevSecOps pipeline security and analysis. The first of those tools to be released are Syft and Grype.

Syft analyzes container images and filesystems, then creates a bill of materials, which is a record of all operating system packages and language artifacts. Developers can use Syft to inspect the contents of new software components before deciding to use them. It is also helpful in maintaining a record of third-party software included in a project.

Grype scans container images and filesystems for known vulnerabilities. It matches the contents against data compiled from multiple data sources. Developers can use Grype to quickly discover vulnerable components and take the appropriate remediation steps. 
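To make the SBOM-plus-matching workflow described above concrete, here is an added example written for this page (it is not Anchore's code): a toy matcher that checks SBOM entries against vulnerability records by package name, ecosystem and fixed version, then applies the kind of severity gate a pipeline would use. The SBOM layout, the vulnerability record layout and the advisory IDs are constructed placeholders, not Syft's or Grype's real formats.

```python
"""Toy SBOM-to-vulnerability matcher with a severity gate (constructed example)."""
import re

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed SBOM entries in the spirit of what Syft records (not Syft's real schema).
SBOM = [
    {"name": "openssl", "version": "1.1.1g", "type": "apk"},
    {"name": "lodash", "version": "4.17.15", "type": "npm"},
    {"name": "requests", "version": "2.24.0", "type": "python"},
]

# Constructed vulnerability records; the IDs are placeholders, not real advisories.
VULN_DB = [
    {"id": "VULN-PLACEHOLDER-1", "pkg": "lodash", "type": "npm",
     "fixed_in": "4.17.19", "severity": "High"},
    {"id": "VULN-PLACEHOLDER-2", "pkg": "openssl", "type": "apk",
     "fixed_in": "1.1.1g", "severity": "Critical"},  # already fixed in 1.1.1g
    {"id": "VULN-PLACEHOLDER-3", "pkg": "requests", "type": "python",
     "fixed_in": "2.25.0", "severity": "Low"},
]


def version_key(version):
    """Split '1.1.1g' into comparable parts: numeric runs sort before letter runs."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def match(sbom, vuln_db):
    """Return one finding per SBOM entry whose version is older than the fixed version."""
    findings = []
    for pkg in sbom:
        for vuln in vuln_db:
            if vuln["pkg"] != pkg["name"] or vuln["type"] != pkg["type"]:
                continue  # same name in another ecosystem is a different package
            if version_key(pkg["version"]) < version_key(vuln["fixed_in"]):
                findings.append({"id": vuln["id"], "package": pkg["name"],
                                 "version": pkg["version"],
                                 "fixed_in": vuln["fixed_in"],
                                 "severity": vuln["severity"]})
    return findings


def blocking(findings, fail_on="High"):
    """Findings at or above the threshold; an empty list means the pipeline may proceed."""
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]


if __name__ == "__main__":
    found = match(SBOM, VULN_DB)
    for f in found:
        print(f"{f['severity']:<8} {f['id']} {f['package']} {f['version']} (fixed in {f['fixed_in']})")
    print("pipeline", "BLOCKED" if blocking(found) else "ok")
```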

“As an open source company, we do research and development in the open,” said Neil Levine, vice president of product management at Anchore. “In recent surveys, customers and community members agreed that security scanning can never be too fast and integration can never be too easy. We are looking forward to seeing how developers and DevOps teams use the tools while we focus on enhancing them with the policy features of our continuous compliance platform, Anchore Enterprise.”

Syft and Grype can be accessed in the Anchore Toolbox.