Grummage

Grype + Rummage = Grummage.

Grummage is an interactive terminal frontend to Grype.

Introduction

Grype is an awesome vulnerability scanner. It produces minimal textual output, or verbose JSON files. I wanted something to rummage around in the json, without having to learn arcane jq syntax ;).

So Grummage was born.

Installation

Grummage is written in Python and requires Python 3.8 or later.

Pre-requisites

Grummage requires the Grype binary in your path to function.

You may want to confirm the Grype command line works, and has updated the vulnerability database first.

grype --version

grype 0.84.0

grype db update

  ✔ Vulnerability DB                [no update available]
 No vulnerability database update available

From PyPI (Recommended)

The easiest way to install grummage is from PyPI:

pip install grummage

From GitHub Releases

Download the latest release from the GitHub releases page.

Using Homebrew (macOS/Linux)

brew tap popey/grummage
brew install grummage

Using Docker

Note: -it is required for interaction with the application. Setting the TERM variable allows for better colour support.

docker run --rm -it -e TERM=xterm-256color -v $(pwd):/data ghcr.io/popey/grummage:latest /data/your-sbom.json

Using Snap

sudo snap install grummage

From Source

For development or if you prefer to install from source:

git clone https://github.com/popey/grummage
cd grummage
pip install -e .

Using uv (Alternative)

If you use uv for Python environment management:

git clone https://github.com/popey/grummage
cd grummage
uv venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
uv pip install -e .

Usage

Point grummage at an SBOM (Software Bill of Materials):

grummage ./example_sboms/nextcloud-latest-syft-sbom.json

Grummage will load the SBOM and pass it through Grype to build the vulnerability list. Use the cursor keys or mouse to navigate the tree on the left pane. Press Enter or mouse click on a vulnerability to obtain limited details.

Keys:

• e - Request further details via grype explain
• q - Quit

Sort by:

• n - Name of package
• v - Vulnerability ID
• t - Type of package
• s - Severity of issue

Making SBOMs

I use Syft to generate SBOMs, but other tools are available. For example:

syft nextcloud:latest -o syft-json=nextcloud-latest-syft-sbom.json

 ✔ Loaded image       nextcloud:latest
 ✔ Parsed image       sha256:44c884988b43e01e1434a66f58943dc809a193abf1a6df0f2cebad450e587ad7
 ✔ Cataloged contents bdca3ed5b303726bba5579564ab8fe5df700d637ae04f00689443260b26cc832
   ├── ✔ Packages                        [418 packages]
   ├── ✔ File digests                    [10,605 files]
   ├── ✔ File metadata                   [10,605 locations]
   └── ✔ Executables                     [1,317 executables]

Distribution

Grummage is available through multiple distribution channels:

• PyPI: pip install grummage
• Homebrew: brew tap popey/grummage && brew install grummage
• Docker: ghcr.io/popey/grummage:latest
• Snap: sudo snap install grummage
• GitHub Releases: Pre-built packages available

Caveats

I am an open-source enthusiast and self-taught coder creating projects driven by curiosity and a love for problem-solving. The code may have bugs or sharp edges. Kindly let me know if you find one, via an issue. Thanks.