diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix
new file mode 100644
index 000000000000..9786fd416630
--- /dev/null
+++ b/pkgs/tools/security/grype/default.nix
@@ -0,0 +1,35 @@
+{ buildGoModule
+, docker
+, fetchFromGitHub
+, stdenv
+}:
+
+buildGoModule rec {
+  pname = "grype";
+  version = "0.6.1";
+
+  src = fetchFromGitHub {
+    owner = "anchore";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0schq11vckvdj538mnkdzhxl452nrssqrfapab9qc44yxdi1wf8k";
+  };
+
+  vendorSha256 = "0lna7zhsj3wnw83nv0dp93aj869pplb51gqzrkka7vnqp0rjcw50";
+
+  propagatedBuildInputs = [ docker ];
+
+  # tests require a running Docker instance
+  doCheck = false;
+
+  meta = with stdenv.lib; {
+    description = "Vulnerability scanner for container images and filesystems";
+    longDescription = ''
+      As a vulnerability scanner is grype abale to scan the contents of a container
+      image or filesystem to find known vulnerabilities.
+    '';
+    homepage = "https://github.com/anchore/grype";
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 1796f04f308d..0652196bd3df 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -4570,6 +4570,8 @@ in
 
   gssdp = callPackage ../development/libraries/gssdp { };
 
+  grype = callPackage ../tools/security/grype { };
+
   gt5 = callPackage ../tools/system/gt5 { };
 
   gtest = callPackage ../development/libraries/gtest { };