Grype Vulnerability Scanner Collector
Scans repository dependencies for known CVEs using Grype, Anchore's open-source vulnerability scanner. Writes normalized findings to .sca for use with the SCA policy. No secrets or vendor accounts required.
Add grype to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/grype@v1.0.5
What This Integration Collects
This integration includes 3 collectors that gather metadata from your systems.
auto
Auto-scans the repository filesystem for dependency vulnerabilities using Grype. Writes normalized findings to .sca with severity counts, CVE IDs, affected packages, and fix versions.
rescan
Re-runs the dependency (SCA) scan on a schedule and overwrites .sca so the SCA policy re-evaluates against CVEs published since the commit was first scanned, closing the gap where a branch passes at scan time but a dependency picks up a new CVE later. Runs the same scan as the auto collector (the sibling auto.sh) in the Grype collector image, and stamps .sca.source.integration="cron" (vs "code" for the on-push scan) so it's clear the data came from a scheduled re-scan.
cicd
Detects Grype executions in CI pipelines. Captures the command, version, and input arguments for audit and compliance tracking.
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
{
  "sca": {
    "source": {
      "tool": "grype",
      "version": "0.74.0",
      "integration": "code"
    },
    "vulnerabilities": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 3,
      "total": 10
    },
    "findings": [
      {
        "severity": "high",
        "package": "golang.org/x/net",
        "version": "0.7.0",
        "ecosystem": "go-module",
        "cve": "CVE-2023-44487",
        "title": "HTTP/2 Rapid Reset Attack",
        "fix_version": "0.17.0",
        "fixable": true
      }
    ],
    "summary": {
      "has_critical": false,
      "has_high": true,
      "all_fixable": true
    },
    "native": {
      "grype": {
        "cicd": {
          "cmds": [
            {"cmd": "grype dir:. -o json", "version": "0.74.0"}
          ]
        },
        "matches": [
          {
            "vulnerability": {
              "id": "CVE-2023-44487",
              "severity": "High",
              "fix": {"versions": ["0.17.0"], "state": "fixed"},
              "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
              "cvss": [{"metrics": {"baseScore": 7.5}}]
            },
            "artifact": {
              "name": "golang.org/x/net",
              "version": "0.7.0",
              "type": "go-module",
              "language": "go",
              "purl": "pkg:golang/golang.org/x/net@0.7.0"
            }
          }
        ]
      }
    }
  }
}
Configuration
Configure this collector in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| db_auto_update | Optional | false | EXPERIMENTAL. Download the latest Grype vulnerability database at scan time instead of using the one baked into the image. May cause OOM issues on some deployments if memory limits per collector container are not configured. |
Documentation
Grype Vulnerability Scanner Collector
Scans source code dependencies for known vulnerabilities using Grype.
Overview
This collector runs Grype — Anchore's open-source vulnerability scanner — against the repository to detect known CVEs in dependencies. It supports the ecosystems Grype covers (Go, Node.js, Python, Java, Rust, Ruby, PHP, .NET, and more) and writes normalized vulnerability data to .sca in the Component JSON, making results immediately consumable by the existing SCA policy. No secrets or vendor accounts are required. By default, Grype's vulnerability database is pre-baked into the collector image at build time, so CVE data is as current as the most recent image build; an experimental db_auto_update input can instead fetch the latest database at scan time.
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| .sca.source | object | Source metadata (tool name, version, integration method) |
| .sca.vulnerabilities | object | Severity counts (critical, high, medium, low, total) |
| .sca.findings[] | array | Individual vulnerability findings with CVE, package, fix info |
| .sca.summary | object | Summary booleans (has_critical, has_high, all_fixable) |
| .sca.native.grype | object | Raw Grype match output and CI command detection data |
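To make the shape of the example Component JSON above and the path table concrete, here is an added example (not the lunar-lib collector's own code, which is a shell script in the collector image) that turns raw `grype -o json` output into the .sca document: severity buckets, one finding per match, the summary booleans, and the "code" vs "cron" source tag. The Grype-side field names (descriptor.version, matches[].vulnerability.*, matches[].artifact.*) are standard Grype JSON; the sample report is constructed for illustration and its EXAMPLE-* ids are placeholders, not real advisories. Three decisions the page leaves open are marked as assumptions in the code: "title" is taken from Grype's description, "fix_version" is the first version Grype lists, and a match is only "fixable" when its fix state is "fixed" and at least one version is given.

```python
"""Normalize `grype -o json` output into the .sca shape this collector writes.

Added example, not the lunar-lib collector's own code. Grype-side field names
are standard Grype JSON; SAMPLE_REPORT is constructed and contains no real
scanner output (EXAMPLE-* ids are placeholders).
"""
import json
import sys
from collections import Counter

SEVERITY_BUCKETS = ("critical", "high", "medium", "low")
# Grype also emits Negligible and Unknown; those count toward total only.
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITY_BUCKETS + ("negligible", "unknown"))}

SAMPLE_REPORT = {  # constructed sample, not real Grype output
    "descriptor": {"name": "grype", "version": "0.74.0"},
    "matches": [
        {"vulnerability": {"id": "CVE-2023-44487", "severity": "High",
                           "description": "HTTP/2 Rapid Reset Attack",
                           "fix": {"versions": ["0.17.0"], "state": "fixed"}},
         "artifact": {"name": "golang.org/x/net", "version": "0.7.0", "type": "go-module",
                      "purl": "pkg:golang/golang.org/x/net@0.7.0"}},
        # Same CVE and purl reported twice (two lockfile locations): deduplicated below.
        {"vulnerability": {"id": "CVE-2023-44487", "severity": "High",
                           "fix": {"versions": ["0.17.0"], "state": "fixed"}},
         "artifact": {"name": "golang.org/x/net", "version": "0.7.0", "type": "go-module",
                      "purl": "pkg:golang/golang.org/x/net@0.7.0"}},
        # Placeholder advisory with no upstream fix: makes summary.all_fixable false.
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "example-lib", "version": "1.2.3", "type": "npm",
                      "purl": "pkg:npm/example-lib@1.2.3"}},
        # Negligible severity: counted in total, not in the four buckets.
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Negligible",
                           "fix": {"versions": ["2.0.0"], "state": "fixed"}},
         "artifact": {"name": "example-tool", "version": "1.9.0", "type": "python",
                      "purl": "pkg:pypi/example-tool@1.9.0"}},
    ],
}


def normalize_match(match):
    """Map one Grype match to one .sca.findings[] entry."""
    vuln, art = match["vulnerability"], match["artifact"]
    fix = vuln.get("fix") or {}
    versions = fix.get("versions") or []
    return {
        "severity": (vuln.get("severity") or "Unknown").lower(),
        "package": art.get("name"),
        "version": art.get("version"),
        "ecosystem": art.get("type"),
        "cve": vuln.get("id"),
        # Assumption: "title" is Grype's description, falling back to the id.
        "title": vuln.get("description") or vuln.get("id"),
        # Assumption: first listed fix version; Grype may list several.
        "fix_version": versions[0] if versions else None,
        # Assumption: only state "fixed" with at least one version is fixable.
        "fixable": fix.get("state") == "fixed" and bool(versions),
    }


def normalize_report(report, integration="code"):
    """Build the .sca document; integration is "code" (on-push) or "cron" (rescan)."""
    findings, seen = [], set()
    for match in report.get("matches", []):
        finding = normalize_match(match)
        key = (finding["cve"], match["artifact"].get("purl"),
               finding["package"], finding["version"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(finding)
    # Worst severity first, then id, so an on-push scan and a later re-scan diff cleanly.
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["cve"] or ""))

    counts = Counter(f["severity"] for f in findings)
    vulnerabilities = {b: counts.get(b, 0) for b in SEVERITY_BUCKETS}
    vulnerabilities["total"] = len(findings)
    return {"sca": {
        "source": {"tool": "grype",
                   "version": (report.get("descriptor") or {}).get("version", "unknown"),
                   "integration": integration},
        "vulnerabilities": vulnerabilities,
        "findings": findings,
        "summary": {
            "has_critical": vulnerabilities["critical"] > 0,
            "has_high": vulnerabilities["high"] > 0,
            # Vacuously true with zero findings, so a clean scan passes an all_fixable gate.
            "all_fixable": all(f["fixable"] for f in findings),
        },
        "native": {"grype": {"matches": report.get("matches", [])}},
    }}


if __name__ == "__main__":
    # Usage: grype dir:. -o json | python normalize_grype.py [code|cron]
    # With nothing piped in, the constructed SAMPLE_REPORT is used.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(normalize_report(report, sys.argv[1] if len(sys.argv) > 1 else "code"), indent=2))
```

Note that total counts every finding, so it can exceed the sum of the four buckets when Grype reports Negligible or Unknown severities; a policy that gates on .sca.vulnerabilities should read the buckets it cares about rather than assume the buckets add up to total.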
Collectors
This integration provides the following collectors (use include to select a subset):
| Collector | Hook Type | Description |
|---|---|---|
| auto | code | Auto-scans the repository filesystem for dependency vulnerabilities |
| cicd | ci-after-command | Detects Grype executions in CI and captures command metadata |
| rescan | cron | Re-runs the auto scan on a schedule (daily by default) and overwrites .sca so the SCA policy re-evaluates against newly-published CVEs |
Installation
Add to your lunar-config.yml:
collectors:
  - uses: github://earthly/lunar-lib/collectors/grype@main
    on: ["domain:your-domain"]
Zero configuration required. Works with any language Grype supports.
By default this also enables the rescan cron sub-collector, which re-runs the scan daily on each component's default branch and overwrites .sca. To keep the on-push (auto) and CI-detection (cicd) scans but turn the scheduled re-scan off, exclude it:
collectors:
  - uses: github://earthly/lunar-lib/collectors/grype@main
    on: ["domain:your-domain"]
    exclude: [rescan]
Note: The grype collector writes to the same .sca paths as the snyk and trivy collectors. Use one SCA scanner per component, not several, or they will overwrite each other's .sca data.
Re-scan freshness: With the default db_auto_update: false, a re-scan uses the vulnerability DB baked into the collector image, so it can only surface CVEs that were already in that DB when the image was built; CVEs published after that point are not found until you bump the pinned grype collector version (a newer image ships a newer DB), after which the next cron tick picks up the new CVE data. The experimental db_auto_update input fetches the current DB at scan time instead, at the memory cost noted in Inputs.
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.