Vimp
Aggregate vulnerability scans from multiple container image scanners to identify discrepancies and get comprehensive exposure analysis.
vimp
Normalize vulnerability data from multiple container image scanners into a unified format for cross-scanner comparison and trend analysis.
Why vimp?
Different vulnerability scanners often report different findings for the same container image. vimp helps you:
- Compare results across scanners to identify gaps in coverage
- Track trends over time with persistent storage
- Integrate with CI/CD using SARIF output for GitHub Code Scanning
- Reduce noise by correlating findings across sources

Quick Start
```bash
# Install vimp
brew tap mchmarny/vimp && brew install vimp

# Scan an image (requires grype, trivy, or snyk installed)
vimp scan --image alpine:latest --yes

# Query results
vimp query --image docker.io/library/alpine

# Run server (view reports, CVEs over time)
vimp server --open
```

Documentation
- User Guide - Step-by-step workflow tutorial with runnable examples
- CLI Reference - Complete command documentation
Supported Scanners
| Scanner | Format Detection | CVSS Support |
|---------|------------------|--------------|
| Grype | descriptor.name == "grype" | Full |
| Trivy | SchemaVersion + Results | Full |
| Snyk | vulnerabilities + applications | Full |
| Clair | manifest_hash + vulnerabilities | None |
| OSV-Scanner | results[*].packages[*].ecosystem | Partial |
| Anchore Engine | imageDigest + vulnerabilities | Full |
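
The Format Detection column above can be read as a set of JSON key signatures. The following is an added example, not vimp's own code: `DetectScanner` and the returned name strings are hypothetical, and it assumes that `a + b` in the table means both keys are present at the top level of the report and that the rows are checked in table order.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// DetectScanner is a hypothetical helper (not vimp's code): it names the scanner
// that produced a JSON report using the key signatures from the table above.
func DetectScanner(report []byte) (string, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(report, &top); err != nil {
		return "", fmt.Errorf("report is not a JSON object: %w", err)
	}
	has := func(a, b string) bool { _, x := top[a]; _, y := top[b]; return x && y }
	var desc struct{ Name string } // Grype: descriptor.name == "grype"
	if json.Unmarshal(top["descriptor"], &desc) == nil && desc.Name == "grype" {
		return "grype", nil
	}
	switch { // "vulnerabilities" is shared by three formats; the second key decides
	case has("SchemaVersion", "Results"):
		return "trivy", nil
	case has("vulnerabilities", "applications"):
		return "snyk", nil
	case has("manifest_hash", "vulnerabilities"):
		return "clair", nil
	case has("imageDigest", "vulnerabilities"):
		return "anchore-engine", nil
	}
	var osv struct { // OSV-Scanner: results[*].packages[*].ecosystem
		Results []struct{ Packages []map[string]json.RawMessage }
	}
	if json.Unmarshal(report, &osv) == nil {
		for _, r := range osv.Results {
			for _, p := range r.Packages {
				if _, ok := p["ecosystem"]; ok {
					return "osv-scanner", nil
				}
			}
		}
	}
	return "", errors.New("unknown report format") // fail closed, never guess
}

func main() {
	sample := []byte(`{"manifest_hash":"sha256:constructed","vulnerabilities":{}}`) // constructed input
	fmt.Println(DetectScanner(sample))
}
```

A report that carries only `vulnerabilities` matches no row and is rejected, which keeps an unrecognized file from being attributed to the wrong scanner in a cross-scanner comparison.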
Storage Backends
| Backend | URI Format | Query Support |
|------------|--------------------------------|---------------|
| SQLite | sqlite://path/to/db.db | Yes |
| PostgreSQL | postgres://host:port/db | Yes |
| BigQuery | bq://project.dataset.table | Import only |
| File | file://path/to/output.json | No |
| Console | console:// | No |
Default: sqlite://~/.vimp.db
Installation
Homebrew (macOS/Linux)
```bash
brew tap mchmarny/vimp
brew install vimp
```
Go
```bash
go install github.com/mchmarny/vimp@latest
```
Binary
Download from releases. All releases include:
- SHA256 checksums
- SPDX SBOMs
- Build provenance attestations
Linux Packages
Debian/Ubuntu:
```bash
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
wget https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.deb
sudo dpkg -i vimp-${VERSION#v}_linux-amd64.deb
```
RHEL/CentOS:
```bash
VERSION=$(curl -s https://api.github.com/repos/mchmarny/vimp/releases/latest | jq -r .tag_name)
sudo rpm -ivh https://github.com/mchmarny/vimp/releases/download/${VERSION}/vimp-${VERSION#v}_linux-amd64.rpm
```
Contributing
Contributions are welcome! See the Development Guide for setup instructions, architecture overview, and coding guidelines.
License
Disclaimer
This is a personal project and does not represent my employer. While I do my best to ensure everything works, I take no responsibility for issues caused by this code.
