Vulnerability scanner
Vulnerability scanner is a service that enables you to:
- Statically analyze a Docker image for vulnerabilities in components, libraries, and dependencies used in the Docker image.
- Compare Docker image contents with the CVE vulnerability databases.
Vulnerability scanner only works with Docker images from Container Registry. Users can only scan Docker images they have permissions for.
For scanning, a Docker image is unpacked and searched for installed package versions (deb packages). The identified package versions are then checked against a database of known vulnerabilities.
Scanning is currently supported for Docker images built on the following operating systems:
| Operating system | Supported versions |
|---|---|
| AlmaLinux | 8, 9, 10 |
| Alpine Linux | 2.2–2.7, 3.0–3.22, edge |
| Amazon Linux | 1, 2, 2023 |
| Azure Linux (CBL-Mariner) | 1.0, 2.0, 3.0 |
| Bottlerocket | 1.7.0 and higher |
| CentOS | 6, 7, 8 |
| Chainguard | - |
| CoreOS | All versions (SBOM only) |
| Debian GNU/Linux | 7, 8, 9, 10, 11, 12 |
| Echo | - |
| MinimOS | - |
| openSUSE Leap | 15, 42 |
| openSUSE Tumbleweed | - |
| Oracle Linux | 5, 6, 7, 8 |
| Photon OS | 1.0, 2.0, 3.0, 4.0, 5.0 |
| Red Hat Enterprise Linux | 6, 7, 8, 9, 10 (10 is for SBOM only) |
| Rocky Linux | 8, 9 |
| SUSE Linux Enterprise | 11, 12, 15 |
| SUSE Linux Enterprise Micro | 5, 6 |
| Ubuntu | All versions supported by Canonical |
| Wolfi Linux | - |
| OS with Conda installed | - |
Note
Scanning Docker images for vulnerabilities is charged.
Language package scanning
Note
Language package scanning is available upon request. Contact support.
The vulnerability scanner automatically detects the following language package files and analyzes the Docker image dependencies:
| Supported programming language | Detected files |
|---|---|
| Ruby | gemspec |
| Python | egg package, wheel package |
| PHP | composer.lock |
| Node.js | package.json |
| .NET | packages.lock.json, packages.config, .deps.json |
| Java | JAR/WAR/PAR/EAR [1] |
| Go | Binary files [2] |
| Rust | Cargo.lock, binary files created using cargo-auditable |
| Dart | pubspec.lock |
[1] .jar, .war, .par, .ear.
[2] Binary files compressed using UPX.
Types of scanning
You can scan Docker images pushed to a registry for vulnerabilities:
- Manually: A scan is run by the user.
- On push: Docker images are scanned automatically on push.
- On schedule: Docker images are scanned automatically according to a user-defined schedule.
Storing scan results
For each Docker image, the system stores the three most recent successful scans completed within the last 30 days. If a Docker image goes unscanned for 30 days, only the last scan is kept.