Normalize vulnerability data from multiple container image scanners into a unified format for cross-scanner comparison and trend analysis.
Different vulnerability scanners often report different findings for the same container image. vimp helps you:
- Compare results across scanners to identify gaps in coverage
- Track trends over time with persistent storage
- Integrate with CI/CD using SARIF output for GitHub Code Scanning
- Reduce noise by correlating findings across sources

```shell
# Install vimp
brew tap mchmarny/vimp && brew install vimp
# Scan an image (requires grype, trivy, or snyk installed)
vimp scan --image alpine:latest --yes
# Query results
vimp query --image docker.io/library/alpine
# Run server (view reports, CVEs over time)
vimp server --open
```

- User Guide - Step-by-step workflow tutorial with runnable examples
- CLI Reference - Complete command documentation

| Scanner | Format Detection | CVSS Support |
|---|---|---|
| Grype | `descriptor.name == "grype"` | Full |
| Trivy | `SchemaVersion` + `Results` | Full |
| Snyk | `vulnerabilities` + `applications` | Full |
| Clair | `manifest_hash` + `vulnerabilities` | None |
| OSV-Scanner | `results[*].packages[*].ecosystem` | Partial |
| Anchore Engine | `imageDigest` + `vulnerabilities` | Full |

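The detection markers in the table above, worked through as an added Go example (not vimp's own code): a classifier that applies those keys to a raw JSON report. The function name `DetectScanner`, the returned labels and the sample JSON are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scanner name, then its top-level marker keys from the table (case-sensitive).
var markers = [][]string{
	{"trivy", "SchemaVersion", "Results"},
	{"snyk", "vulnerabilities", "applications"},
	{"clair", "manifest_hash", "vulnerabilities"},
	{"anchore", "imageDigest", "vulnerabilities"},
}

// DetectScanner names the scanner that produced raw, or returns "unknown"; OSV-Scanner's nested path is checked last.
func DetectScanner(raw []byte) string {
	var doc map[string]json.RawMessage
	if json.Unmarshal(raw, &doc) != nil {
		return "unknown" // not a JSON object
	}
	var d struct{ Name string }
	if json.Unmarshal(doc["descriptor"], &d) == nil && d.Name == "grype" {
		return "grype"
	}
next:
	for _, m := range markers {
		for _, k := range m[1:] {
			if _, ok := doc[k]; !ok {
				continue next
			}
		}
		return m[0]
	}
	var res []struct{ Packages []map[string]json.RawMessage }
	if json.Unmarshal(doc["results"], &res) == nil {
		for _, r := range res {
			for _, p := range r.Packages {
				if _, ok := p["ecosystem"]; ok {
					return "osv-scanner"
				}
			}
		}
	}
	return "unknown"
}

func main() {
	fmt.Println(DetectScanner([]byte(`{"descriptor":{"name":"grype"}}`))) // constructed sample
}
```

Because three formats share the `vulnerabilities` key, the second key in each pair is what separates them, and looking keys up in a decoded map keeps Trivy's `Results` distinct from OSV-Scanner's lowercase `results`.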

| Backend | URI Format | Query Support |
|---|---|---|
| SQLite | `sqlite://path/to/db.db` | Yes |
| PostgreSQL | `postgres://host:port/db` | Yes |
| BigQuery | `bq://project.dataset.table` | Import only |
| File | `file://path/to/output.json` | No |
| Console | `console://` | No |

Default: `sqlite://~/.vimp.db`

```shell
brew tap mchmarny/vimp
brew install vimp
```

```shell
go install github.com/mchmarny/vimp@latest
```

Download from releases. All releases include:
- SHA256 checksums
- SPDX SBOMs
- Build provenance attestations

Debian/Ubuntu:

```shell
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
wget https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.deb
sudo dpkg -i vimp-${VERSION#v}_linux-amd64.deb
```

RHEL/CentOS:

```shell
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
sudo rpm -ivh https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.rpm
```

Contributions are welcome! See the Development Guide for setup instructions, architecture overview, and coding guidelines.

This is a personal project and does not represent my employer. While I do my best to ensure everything works, I take no responsibility for issues caused by this code.

