© 2025 Yandex.Cloud LLC
Scanning Docker images for vulnerabilities

Written by
Yandex Cloud
Updated at May 5, 2025

You can scan Docker images pushed to a registry for vulnerabilities. You can do this:

  • Manually.
  • On push.
  • On schedule.

Warning

  • The vulnerability database is continuously updated from sources that publish vulnerability information.
  • For some vulnerabilities, there is no information on the package versions that fix them, because the current sources do not provide it.
  • The number of Docker image scans you can run per cloud is limited.
  • Scanning Docker images for vulnerabilities is charged.

Manually

Management console
  1. In the management console, select the parent folder for the registry containing the Docker image.
  2. Select Container Registry.
  3. Select the registry containing the Docker image or create a new one and push an image to it.
  4. Open the repository with the Docker image.
  5. Click next to the Docker image and select Scan.
  6. Wait for the scan to complete. During the scan, the Docker image scan status will be Scanning and, once completed, it will change to Ready.
  7. Review the scan results. To do this, in the row of the relevant Docker image, click the value in the Date of last scan column.

To view Docker image scans, select the relevant image and go to the Scan history tab.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Get a list of the Docker images in a registry:

    yc container image list --repository-name=<registry_ID>/<Docker_image_name>
    

    Result:

    +----------------------+---------------------+-----------------------------+---------+-----------------+
    |          ID          |       CREATED       |            NAME             |  TAGS   | COMPRESSED SIZE |
    +----------------------+---------------------+-----------------------------+---------+-----------------+
    | crpqmsqp5mtb******** | 2021-02-09 08:57:14 | crpp7p7dovf4********/ubuntu | example | 27.2 MB         |
    +----------------------+---------------------+-----------------------------+---------+-----------------+
    
  2. Start a Docker image scan:

    yc container image scan <Docker_image_ID>
    

    Result:

    done (24s)
    id: che1el9t4t95********
    image_id: crpqmsqp5mtb********
    ...
      medium: "6"
      low: "13"
      negligible: "3"
    
  3. Get detailed information on the scan results:

    yc container image list-vulnerabilities --scan-result-id=<scan_result_ID>
    

    Result:

    +------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
    |  SEVERITY  |      NAME      | PACKAGE |     VERSION     | FIXED BY |                             LINK                              |
    +------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
    ...
    | NEGLIGIBLE | CVE-2016-10228 | glibc   | 2.31-0ubuntu9.1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228 |
    | NEGLIGIBLE | CVE-2017-11164 | pcre3   | 2:8.39-12build1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164 |
    | NEGLIGIBLE | CVE-2020-14155 | pcre3   | 2:8.39-12build1 |          | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155 |
    +------------+----------------+---------+-----------------+----------+---------------------------------------------------------------+
    

    To view scans by Docker image, run the command:

    yc container image list-scan-results --repository-name=<registry_ID>/<Docker_image_name>
    

    Result:

    +----------------------+----------------------+---------------------+--------+--------------------------------+
    |          ID          |        IMAGE         |     SCANNED AT      | STATUS |        VULNERABILITIES         |
    +----------------------+----------------------+---------------------+--------+--------------------------------+
    | che1el9t4t95******** | crpqmsqp5mtb******** | 2021-03-16 14:34:02 | READY  | medium:6, low:13, negligible:3 |
    +----------------------+----------------------+---------------------+--------+--------------------------------+
    
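A severity gate for a CI job, as an added example that is not part of the Yandex Cloud documentation: it parses the table printed by the yc container image list-vulnerabilities command from the step above and fails when findings at or above a chosen severity are present. The SCAN_RESULT_ID and MIN_SEVERITY variables, the function names and the HIGH and MEDIUM sample rows with placeholder CVE names are assumptions; the three NEGLIGIBLE rows are taken from the output shown above.

```shell
#!/bin/sh
# Added example (not Yandex Cloud code): severity gate for a CI job. It reads the table
# printed by "yc container image list-vulnerabilities --scan-result-id=<scan_result_ID>"
# on stdin and fails when any finding is at or above a chosen severity.

# count_at_or_above <min_severity>: number of rows whose SEVERITY is at least <min_severity>.
count_at_or_above() {
  awk -F'|' -v min="$1" '
    BEGIN { rank["CRITICAL"]=5; rank["HIGH"]=4; rank["MEDIUM"]=3; rank["LOW"]=2; rank["NEGLIGIBLE"]=1 }
    # data rows start with "|"; the SEVERITY header row and "+---" separators are skipped
    /^[ \t]*[|]/ && $2 !~ /SEVERITY/ {
      sev = $2; gsub(/ /, "", sev)
      if (rank[sev] >= rank[min]) n++
    }
    END { print n + 0 }'
}

# unfixed_count: rows whose FIXED BY column is empty, i.e. no fixed package version is known yet.
unfixed_count() {
  awk -F'|' '/^[ \t]*[|]/ && $2 !~ /SEVERITY/ { f = $6; gsub(/ /, "", f); if (f == "") n++ } END { print n + 0 }'
}

# gate <min_severity>: return 1 (fail the job) when findings at or above <min_severity> exist.
gate() {
  n=$(count_at_or_above "$1")
  if [ "$n" -gt 0 ]; then
    echo "blocked: $n finding(s) at or above $1" >&2
    return 1
  fi
  echo "ok: no findings at or above $1"
}

# Constructed sample in the CLI's table layout: NEGLIGIBLE rows from the documented output, placeholder CVE names otherwise.
SAMPLE_TABLE='+------------+-------------------+---------+-----------------+----------+------+
|  SEVERITY  |       NAME        | PACKAGE |     VERSION     | FIXED BY | LINK |
+------------+-------------------+---------+-----------------+----------+------+
| HIGH       | CVE-PLACEHOLDER-1 | libfoo  | 1.0-1           | 1.0-2    |      |
| MEDIUM     | CVE-PLACEHOLDER-2 | libbar  | 2.3-0           |          |      |
| NEGLIGIBLE | CVE-2016-10228    | glibc   | 2.31-0ubuntu9.1 |          |      |
| NEGLIGIBLE | CVE-2017-11164    | pcre3   | 2:8.39-12build1 |          |      |
| NEGLIGIBLE | CVE-2020-14155    | pcre3   | 2:8.39-12build1 |          |      |
+------------+-------------------+---------+-----------------+----------+------+'

# With SCAN_RESULT_ID set, gate a real scan result; otherwise demonstrate on the sample.
if [ -n "${SCAN_RESULT_ID:-}" ]; then
  yc container image list-vulnerabilities --scan-result-id="$SCAN_RESULT_ID" | gate "${MIN_SEVERITY:-HIGH}"
else
  printf '%s\n' "$SAMPLE_TABLE" | gate "${MIN_SEVERITY:-HIGH}" || echo "a CI job would stop here" >&2
fi
```

Findings with an empty FIXED BY column still count toward the gate; unfixed_count lets a job report them separately, since the warning above notes that a fix version is sometimes unknown.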

API

To scan a Docker image, use the scan REST API method for the Scanner resource or the ScannerService/Scan gRPC API call.

To get the scanResultId scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.

To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.

On push

Management console
  1. In the management console, select the folder the registry with Docker images belongs to.
  2. Select Container Registry.
  3. Choose a registry or create a new one.
  4. Go to the Vulnerability scanner tab.
  5. Click Edit settings.
  6. Under Scan Docker images when uploading, select Scan and one of the scanning options:
    • All repositories to scan all registry repositories.
    • Selected to scan only selected repositories:
      1. Click Select repositories.
      2. Select the appropriate repositories from the list.
      3. Click Save.
  7. Click Save.

API

To automatically scan Docker images on push to a registry, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.

To get the scanResultId scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.

To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.

On schedule

Management console
  1. In the management console, select the folder the registry with Docker images belongs to.
  2. Select Container Registry.
  3. Choose a registry or create a new one.
  4. Go to the Vulnerability scanner tab.
  5. Click Edit settings.
  6. Under Scheduled Docker image scans, click Add scan rule.
  7. Select Scan and one of the scanning options:
    • All repositories to scan all registry repositories.
    • Selected to scan only selected repositories:
      1. Click Select repositories.
      2. Select the appropriate repositories from the list.
      3. Click Save.
  8. Specify the frequency of Docker image scans.
  9. Click Save.

API

To run scheduled Docker image scans, use the create REST API method for the ScanPolicy resource or the ScanPolicyService/Create gRPC API call.

To get the scanResultId scan result ID, use the getLast REST API method for the Scanner resource or the ScannerService/GetLast gRPC API call.

To get detailed information about the scan results, use the listVulnerabilities REST API method for the Scanner resource or the ScannerService/ListVulnerabilities gRPC API call.
