Grype + Rummage = Grummage.
Grummage is an interactive terminal frontend to Grype.
Grype is an awesome vulnerability scanner. It produces minimal textual output, or verbose JSON files. I wanted something to rummage around in the json, without having to learn arcane jq syntax ;).
So Grummage was born.
Grummage is written in Python, and uses the Textual library for the UI.
Grummage requires the Grype binary in your path to function.
You may want to confirm the Grype command line works, and has updated the vulnerability database first.
grype --versiongrype 0.84.0
grype db update β Vulnerability DB [no update available]
No vulnerability database update available
I use uv to manage Python virtual environments. It's good. You might like it too.
git clone https://github.com/popey/grummage
cd grummage
uv venv
source ./venv/bin/activate
uv pip install textualPoint grummage at an SBOM (Software Bill of Materials).
./grummage ./example_sboms/nextcloud-latest-syft-sbom.jsonGrummage will load the SBOM and pass it through Grype to build the vulnerability list. Use the cursor keys or mouse to navigate the tree on the left pane. Press Enter or mouse click on a vulnerability to obtain limited details.
e- Request further details viagrype explainq- Quit
Sort by:
n- Name of packagev- Vulnerability IDt- Type of packages- Severity of issue
I use Syft to generate SBOMs, but other tools are available. For example:
syft nextcloud:latest -o syft-json=nextcloud-latest-syft-sbom.json β Loaded image nextcloud:latest
β Parsed image sha256:44c884988b43e01e1434a66f58943dc809a193abf1a6df0f2cebad450e587ad7
β Cataloged contents bdca3ed5b303726bba5579564ab8fe5df700d637ae04f00689443260b26cc832
βββ β Packages [418 packages]
βββ β File digests [10,605 files]
βββ β File metadata [10,605 locations]
βββ β Executables [1,317 executables]
I am an open-source enthusiast and self-taught coder creating projects driven by curiosity and a love for problem-solving. The code may have bugs or sharp edges. Kindly let me know if you find one, via an issue. Thanks.
