End-of-Life distro detection
TL;DR
- Grype warns when packages come from end-of-life (EOL) distributions
- EOL distros no longer receive security updates from the distribution maintainer, so vulnerability data may be incomplete
- Warnings appear in console output and structured JSON alerts
- Disable with alerts.enable-eol-distro-warnings: false in configuration
Linux distributions have defined support lifecycles. When a distribution reaches its end-of-life (EOL) date, the distribution maintainer stops publishing security updates, and the security feeds that Grype consumes no longer receive new vulnerability data for that version. Grype detects when packages come from EOL distributions and warns you that scan results may be incomplete.
Why EOL detection matters
When you scan an image running an EOL distribution:
- No new vulnerability data - The distribution maintainer has stopped publishing security advisories for that version, so the security feeds Grype relies on no longer receive updates
- Incomplete results - Grype can only report vulnerabilities that the distribution maintainer tracked before the EOL date
- Hidden risks - New vulnerabilities affecting EOL packages won’t appear in scan results, because the upstream data source no longer covers them
For example, scanning Ubuntu 18.04 (standard support ended May 2023) won't show vulnerabilities that the Ubuntu security team published after that date, even if those vulnerabilities affect packages in your image. The gap is in the upstream data, not in Grype: the Ubuntu security team no longer publishes advisories for 18.04, so there is nothing new for Grype to match against.
Console warnings
When Grype detects packages from an EOL distribution, it prints a warning to stderr after the scan completes.
Example output
$ grype ubuntu:18.04
NAME       INSTALLED          FIXED IN     TYPE  VULNERABILITY   SEVERITY  EPSS          RISK
libc-bin   2.27-3ubuntu1.6    (won't fix)  deb   CVE-2023-4911   High      73.0% (98th)  78.8 (kev)
libc6      2.27-3ubuntu1.6    (won't fix)  deb   CVE-2023-4911   High      73.0% (98th)  78.8 (kev)
libc-bin   2.27-3ubuntu1.6    (won't fix)  deb   CVE-2023-6246   Medium    24.3% (95th)  12.2
libc6      2.27-3ubuntu1.6    (won't fix)  deb   CVE-2023-6246   Medium    24.3% (95th)  12.2
perl-base  5.26.1-6ubuntu0.7  (won't fix)  deb   CVE-2022-48522  Low       17.3% (94th)  5.2
...
89 packages from EOL distro "ubuntu 18.04" - vulnerability data may be incomplete or outdated; consider upgrading to a supported version
Warning components
The warning includes:
- Package count - Number of packages from the EOL distribution
- Distribution name and version - The EOL distribution detected
- Recommendation - Suggests upgrading to a supported version
JSON output
In JSON output (-o json), EOL alerts appear in the alertsByPackage array. Each entry identifies a package from an EOL distribution.
Alert format
{
  "alertsByPackage": [
    {
      "package": {
        "name": "tar",
        "version": "1.29b-2ubuntu0.4",
        "type": "deb",
        "purl": "pkg:deb/ubuntu/tar@1.29b-2ubuntu0.4?arch=arm64&distro=ubuntu-18.04"
      },
      "alerts": [
        {
          "type": "distro-eol",
          "message": "Package is from end-of-life distro: ubuntu 18.04",
          "metadata": {
            "name": "ubuntu",
            "version": "18.04"
          }
        }
      ]
    }
  ]
}
Querying EOL packages
Use jq to count packages that carry at least one distro-eol alert (any() counts each package once, even if it has several alerts):
grype ubuntu:18.04 -o json | jq '[.alertsByPackage[] | select(any(.alerts[]; .type == "distro-eol"))] | length'
This returns:
89
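Counting is rarely the end of the story in a pipeline: you usually want the EOL findings grouped by distribution, and a way to fail the build unless the EOL distro is a documented, time-boxed risk acceptance. The script below is an added example for this page, not Grype's own code. It reads the alertsByPackage structure shown above from stdin (or a constructed sample when run interactively); the exception-list format and the sample report are assumptions made for the example.

```python
"""CI gate over Grype's EOL-distro alerts (added example, not part of Grype).

Reads `grype <image> -o json` output, groups "distro-eol" alerts by
distribution, and fails unless the EOL distro has a documented, unexpired
exception. The exception-list shape is an assumption made for this example.
"""
import json
import sys
from collections import Counter
from datetime import date

# Constructed sample of `grype ubuntu:18.04 -o json`, trimmed to the fields used here.
SAMPLE_REPORT = json.dumps({
    "alertsByPackage": [
        {
            "package": {"name": "tar", "version": "1.29b-2ubuntu0.4", "type": "deb"},
            "alerts": [
                {"type": "distro-eol",
                 "message": "Package is from end-of-life distro: ubuntu 18.04",
                 "metadata": {"name": "ubuntu", "version": "18.04"}},
            ],
        },
        {
            "package": {"name": "libc6", "version": "2.27-3ubuntu1.6", "type": "deb"},
            "alerts": [
                {"type": "distro-eol",
                 "message": "Package is from end-of-life distro: ubuntu 18.04",
                 "metadata": {"name": "ubuntu", "version": "18.04"}},
            ],
        },
    ]
})


def eol_packages_by_distro(report_json):
    """Return {"<name> <version>": package_count} for distro-eol alerts.

    A package is counted once even if it carries several alerts, which is the
    same fix as using jq's any() rather than select(.alerts[].type == ...).
    """
    report = json.loads(report_json)
    counts = Counter()
    for entry in report.get("alertsByPackage", []):
        eol_alerts = [a for a in entry.get("alerts", []) if a.get("type") == "distro-eol"]
        if not eol_alerts:
            continue
        meta = eol_alerts[0].get("metadata", {})
        counts[f"{meta.get('name')} {meta.get('version')}"] += 1
    return dict(counts)


def evaluate(report_json, exceptions, today_iso):
    """Return a list of failure messages; empty means the gate passes.

    exceptions maps "<name> <version>" to an ISO date until which staying on
    that EOL distro is an accepted, documented risk. Once the date has passed
    the exception expires and the scan fails again.
    """
    today = date.fromisoformat(today_iso)
    failures = []
    for distro, n in sorted(eol_packages_by_distro(report_json).items()):
        until = exceptions.get(distro)
        if until and date.fromisoformat(until) >= today:
            continue  # risk acceptance still in force
        failures.append(f"{n} packages from EOL distro {distro!r}")
    return failures


def main():
    # Hypothetical exception list; in practice load it from a reviewed file.
    exceptions = {}
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    failures = evaluate(data, exceptions, date.today().isoformat())
    for line in failures:
        print(line, file=sys.stderr)
    sys.exit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

Typical use is `grype my-image:tag -o json | python3 eol_gate.py`. Keeping the exception list as data with an expiry date, rather than disabling the warnings in .grype.yaml, means the risk acceptance described later on this page is both recorded and automatically revisited.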
EOL tracking coverage
Grype tracks EOL dates for the following distributions: Alpine Linux, Amazon Linux, AlmaLinux, Debian, Oracle Linux, Red Hat Enterprise Linux, SUSE Linux Enterprise Server (SLES), and Ubuntu. EOL dates come from the endoflife.date project and are updated with each Grype database release.
Coverage limitations
Not all distributions that Grype supports for vulnerability matching have EOL tracking. Some distributions (like Wolfi and Chainguard) use a rolling release model without fixed EOL dates, so they don’t trigger EOL warnings.
Inspecting local database
You can inspect the EOL data in your local Grype database directly. Run grype db status to find the database path, then open the SQLite file with any SQLite client and query the operating_systems table for its eol_date values.
Configuration
EOL warnings are enabled by default. To disable them, add to your .grype.yaml:
alerts:
enable-eol-distro-warnings: false
Or set the environment variable:
export GRYPE_ALERTS_ENABLE_EOL_DISTRO_WARNINGS=false
Note
Disabling EOL warnings hides information about incomplete scan coverage. Only disable this if you have a specific reason to ignore EOL status.
Best practices
When you see EOL warnings
When you see EOL warnings:
- Prioritize upgrades - Plan migration to a supported distribution version
- Understand limitations - Recognize that vulnerability counts may be artificially low
- Check EOL dates - Use endoflife.date to verify support status
- Monitor advisories - Subscribe to security advisories for your specific distribution
Temporary EOL distributions
For images that must remain on EOL distributions temporarily:
- Apply available patches even without new vulnerability tracking
- Implement additional security controls (network isolation, runtime protection)
- Document the risk acceptance in your security processes
Next steps
Continue the guide
Next: Learn how to filter scan results to focus on actionable vulnerabilities.
Additional resources:
- Interpret results: Learn how to understand scan output and assess match reliability
- Package ecosystems: Understand data source selection for different package types
- Configuration: See Grype configuration reference for all configuration options