Blog Engineering How to secure your container images with GitLab and Grype
Published on: July 28, 2021
4 min read

How to secure your container images with GitLab and Grype

Learn how to start detecting vulnerabilities in your container images in just a few steps.


Support for the Grype scanner in the GitLab Container Scanning analyzer is being deprecated in GitLab 16.9 and will be removed in GitLab 17.0. Users are advised to use the default setting for CS_ANALYZER_IMAGE, which uses the Trivy scanner. Users who desire to continue using Grype can use the Security Scanner Integration documentation to create their own integration with GitLab.

The importance of container image security

Thanks to containers, what it means to "ship software" has changed dramatically. Engineering teams have shifted to produce container images and use these container images to deploy their software. Because of this change teams are now shipping significantly more software alongside their app – whether they realize it or not.

Besides packaging an application, container images also include hundreds of binaries and libraries. These binaries and libraries are included in the container image produced by the team because the process of creating a container image requires teams to select a base image. A base image is a preexisting container image on which to "base" their own container image. In doing so, all software contained in the base image is inherited into the team's new image.

The shift to containers has a monumental impact on security. Now, anyone that deploys your team's container image could be deploying software with known vulnerabilities. Similarly, other teams that base their container images on your team's image will inherit any vulnerabilities present in your team's image. It's crucial that teams have a solution in place for detecting these vulnerabilities in the container images they're using.

Container Scanning with Grype

Fortunately, GitLab 14.0 offers a new way for teams to tackle this challenge: Grype. Anchore developed this state-of-the-art vulnerability scanner, which is now available as part of GitLab's Container Scanning feature.

Grype is an advanced vulnerability scanner because it performs deep inspection of the software installed in a container image, and it uses this detailed information to produce better matches with vulnerability data.

Grype is a particularly powerful tool for security-minded engineers to investigate and remediate findings because it gives comprehensive information in the vulnerability analysis, showing exactly how the tool determined vulnerability X matched software package Y. Grype provides the transparency and detail necessary for any reported vulnerability to investigate why the image vulnerability is being reported. Some examples of what Grype can identify include: The exact image layer and file path where a package is installed, the source of the vulnerability data, available patches, and which parameters of the vulnerability record matched attributes of the package, among other things.

"We are excited to embed these very robust container scanning features of Grype within the GitLab DevOps platform," says Sam White, senior product manager of Protect at GitLab. "Our built-in security enables DevOps velocity with confidence and these added features brings even greater security for cloud native applications."

Get started with Grype and GitLab

Follow these steps to get set up GitLab's integration with Grype.

What you'll need:

  • GitLab Ultimate
  • Access to an image in a container registry (such as the container registry in your GitLab project)
  • Ensure your CI/CD pipeline meets all of the requirements for Container Scanning.

How to start scanning with Grype

To get started, just add the following snippet to your project's .gitlab-ci.yml file:

  - template: Security/Container-Scanning.gitlab-ci.yml


By default, the Container Scanning analyzer makes some assumptions about your target container image's URL and tag. You can have the scanner analyze any container image you want — you just need to specify additional variables in the "container_scanning" section of your .gitlab-ci.yml file. This set of variables also lets you configure registry credentials, custom CA certificates, whether to validate certificates, etc.

Viewing vulnerability analysis results

Once your first Container Scanning job completes, you can see what vulnerabilities have been reported. Just go to the "Security & Compliance" left-side menu and select "Vulnerability Report".

GitLab Security and Compliance Menu Navigate to "Vulnerability report" under the "Security and Compliance" menu.

For example, here's what your vulnerability report could look like:

Sample vulnerability report See a sample Vulnerability Report

You'll notice that the Vulnerability Report page gives you an immediate sense of the severities of the vulnerabilities.Even if there is a large number of vulnerabilities, you can quickly filter the list and dive deeper into any single vulnerability.

Final thoughts

Adding Container Scanning with Grype to your GitLab pipeline is a straightforward process. With just a small snippet of YAML and some optional configuration, you can add tremendous visibility into the security of your team's container images.

Read on to learn more about the Container Scanning feature with GitLab.

Lastly, make sure to check out the Grype project. We have an active open source community and make improvements all the time. If you have any questions or feature requests, don't hesitate to open an issue or join our community Slack.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert