Getting Started
License Scanning Getting Started
Introduction
Grant searches SBOMs for licenses and the packages they belong to.
Install the latest Grant release
Grant is provided as a single compiled executable. Issue the command for your platform to download the latest release of Grant. The full list of official and community-maintained packages can be found on the installation page.
Note
Grant is not currently available for Windows.
curl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b /usr/local/bin
brew install grant
- Scan a container for all the licenses used
grant alpine:latest
Grant will produce a list of licenses.
* alpine:latest
* license matches for rule: default-deny-all; matched with pattern *
* Apache-2.0
* BSD-2-Clause
* GPL-2.0-only
* GPL-2.0-or-later
* MIT
* MPL-2.0
* Zlib
- Scan a container for OSI compliant licenses
Now we scan a different container, one that contains some software distributed under non-OSI-compliant licenses.
Note
The image used here is quite large (over 3GB), so it may take a while to download and analyze.
grant check pytorch/pytorch:latest --osi-approved
Read more in our License Auditing User Guide.
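The alpine:latest license list shown earlier can be checked against a team allowlist before a build proceeds. The script below is an added example, not part of Grant or the original page; the function names and the `ALLOWED` list are hypothetical, and it assumes the bulleted text format shown on this page with source lines written as image:tag.

```shell
#!/bin/sh
# Added example: check a Grant-style license list against a team allowlist.
# Assumption: input is the bulleted text shown on this page, one "* item" per line.

# Hypothetical allowlist of SPDX IDs (constructed for this example).
ALLOWED="Apache-2.0 BSD-2-Clause MIT Zlib"

# Constructed sample: the alpine:latest list from this page.
sample_report() {
  cat <<'EOF'
* alpine:latest
* license matches for rule: default-deny-all; matched with pattern *
* Apache-2.0
* BSD-2-Clause
* GPL-2.0-only
* GPL-2.0-or-later
* MIT
* MPL-2.0
* Zlib
EOF
}

# Print the license IDs found on stdin, one per line, deduplicated.
# The source line (image:tag) and the rule line are dropped because they
# contain characters (":" or spaces) that SPDX identifiers never use.
extract_licenses() {
  sed -n 's/^[[:space:]]*\* //p' |
    grep -E '^[A-Za-z0-9.+-]+$' |
    LC_ALL=C sort -u
}

# Print every license in the report on stdin that is not in $ALLOWED.
unapproved_licenses() {
  extract_licenses | while IFS= read -r lic; do
    case " $ALLOWED " in
      *" $lic "*) ;;                    # on the allowlist
      *) printf '%s\n' "$lic" ;;        # needs review
    esac
  done
}

# Return non-zero (for use as a CI step) when anything needs review.
license_gate() {
  bad=$(unapproved_licenses)
  [ -z "$bad" ] && return 0
  printf 'licenses not on allowlist:\n%s\n' "$bad" >&2
  return 1
}

sample_report | unapproved_licenses   # demo run on the constructed sample
```

With the sample allowlist, the copyleft entries (GPL-2.0-only, GPL-2.0-or-later, MPL-2.0) are the ones reported for review.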
Next steps
- Try running Syft against other containers, or an application directory on your workstation.
- Find out more about Supported Sources and Output Formats.
- Learn about Vulnerability Scanning and License Scanning your SBOMs.