README
¶
vimp
Normalize vulnerability data from multiple container image scanners into a unified format for cross-scanner comparison and trend analysis.
Why vimp?
Different vulnerability scanners often report different findings for the same container image. vimp helps you:
- Compare results across scanners to identify gaps in coverage
- Track trends over time with persistent storage
- Integrate with CI/CD using
SARIFoutput for GitHub Code Scanning - Reduce noise by correlating findings across sources
Quick Start
# Install vimp
brew tap mchmarny/vimp && brew install vimp
# Scan an image (requires grype, trivy, or snyk installed)
vimp scan --image alpine:latest --yes
# Query results
vimp query --image docker.io/library/alpine
# Run server (view reports, CVEs over time)
vimp server --open
Documentation
- User Guide - Step-by-step workflow tutorial with runnable examples
- CLI Reference - Complete command documentation
Supported Scanners
| Scanner | Format Detection | CVSS Support |
|---|---|---|
| Grype | descriptor.name == "grype" |
Full |
| Trivy | SchemaVersion + Results |
Full |
| Snyk | vulnerabilities + applications |
Full |
| Clair | manifest_hash + vulnerabilities |
None |
| OSV-Scanner | results[*].packages[*].ecosystem |
Partial |
| Anchore Engine | imageDigest + vulnerabilities |
Full |
Storage Backends
| Backend | URI Format | Query Support |
|---|---|---|
| SQLite | sqlite://path/to/db.db |
Yes |
| PostgreSQL | postgres://host:port/db |
Yes |
| BigQuery | bq://project.dataset.table |
Import only |
| File | file://path/to/output.json |
No |
| Console | console:// |
No |
Default: sqlite://~/.vimp.db
Installation
Homebrew (macOS/Linux)
brew tap mchmarny/vimp
brew install vimp
Go
go install github.com/mchmarny/vimp@latest
Binary
Download from releases. All releases include:
- SHA256 checksums
- SPDX SBOMs
- Build provenance attestations
Linux Packages
Debian/Ubuntu:
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
wget https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.deb
sudo dpkg -i vimp-${VERSION#v}_linux-amd64.deb
RHEL/CentOS:
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
sudo rpm -ivh https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.rpm
Contributing
Contributions are welcome! See the Development Guide for setup instructions, architecture overview, and coding guidelines.
License
Disclaimer
This is a personal project and does not represent my employer. While I do my best to ensure everything works, I take no responsibility for issues caused by this code.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
cmd
Package cmd provides CLI commands for vimp.
|
Package cmd provides CLI commands for vimp. |
|
config
Package config provides configuration utilities for vimp.
|
Package config provides configuration utilities for vimp. |
|
converter
Package converter provides pluggable parsers for vulnerability scanner output.
|
Package converter provides pluggable parsers for vulnerability scanner output. |
|
parser
Package parser provides JSON parsing utilities for scanner output.
|
Package parser provides JSON parsing utilities for scanner output. |
|
processor
Package processor orchestrates the import and query workflows.
|
Package processor orchestrates the import and query workflows. |
|
scanner
Package scanner provides pluggable vulnerability scanner execution.
|
Package scanner provides pluggable vulnerability scanner execution. |
|
server
Package server provides an HTTP server for the vulnerability dashboard.
|
Package server provides an HTTP server for the vulnerability dashboard. |
|
target
Package target provides storage backends for vulnerability data.
|
Package target provides storage backends for vulnerability data. |
|
pkg
|
|
|
data
Package data provides core data structures for vulnerability representation.
|
Package data provides core data structures for vulnerability representation. |
|
query
Package query provides types and utilities for querying vulnerability data.
|
Package query provides types and utilities for querying vulnerability data. |
|
sarif
Package sarif provides SARIF 2.1.0 output format for vulnerability reports.
|
Package sarif provides SARIF 2.1.0 output format for vulnerability reports. |
Click to show internal directories.
Click to hide internal directories.