Vulnerability scanner
Updated at August 22, 2024
Vulnerability scanner is a service that enables you to:
- Statically analyze a Docker image for vulnerabilities in components, libraries, and dependencies used in the Docker image.
- Compare Docker image contents with the CVE vulnerability databases.
Vulnerability scanner only works with Docker images stored in Container Registry. Users can only scan Docker images they have permissions for.
For scanning, a Docker image is unpacked and its installed package versions (deb packages) are identified. The identified versions are then checked against a database of known vulnerabilities.
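To make the matching step concrete, here is an added example (not the service's own code) that reads a constructed excerpt of a dpkg status file, as found in an unpacked Debian-based image, and checks each installed version against a constructed vulnerability database using dpkg's version-ordering rules. The advisory ids, the "first fixed version" layout of the database, and the `/var/lib/dpkg/status` parsing are assumptions for the example.

```python
import re
# Constructed excerpt of /var/lib/dpkg/status, the deb package database read from an unpacked image.
DPKG_STATUS = """Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u3

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1.3+deb11u7
"""
# Constructed vulnerability database: package -> [(placeholder advisory id, first fixed version)].
VULN_DB = {"openssl": [("ADVISORY-PLACEHOLDER-1", "1.1.1n-0+deb11u4")],
           "curl": [("ADVISORY-PLACEHOLDER-2", "7.74.0-1.3+deb11u8")]}
def parse_dpkg_status(text):
    """Map package -> version for stanzas whose Status field says the package is installed."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        f = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if f.get("Status", "").endswith(" installed"):
            installed[f["Package"]] = f["Version"]
    return installed
def _order(c):  # dpkg character weight: '~' < end-of-string/digit < letters < other symbols
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's comparison of one version component: alternating non-digit runs and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = _order(a[:1]), _order(b[:1])
            if oa != ob:
                return oa - ob
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if na != nb:  # longer digit run is larger; equal length compares lexically
            return len(na) - len(nb) or (1 if na > nb else -1)
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_version_cmp(v1, v2):
    """Compare [epoch:]upstream[-revision] like dpkg --compare-versions; returns <0, 0 or >0."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
def scan(status_text, vuln_db):  # (package, installed version, advisory) for versions below the fix
    return [(pkg, ver, adv) for pkg, ver in parse_dpkg_status(status_text).items()
            for adv, fixed in vuln_db.get(pkg, []) if deb_version_cmp(ver, fixed) < 0]
```

Note that curl is skipped even though its version is below the fix: its stanza says the package was removed with only config files left, so it is not actually installed in the image.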
Scanning is currently supported for Docker images built on the following operating systems:
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.19, 3.20
- Amazon 2 (Karoo)
- CentOS 5, 6, 7, 8
- Debian 7, 8, 9, 10, 11
- Redhat 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.8, 9.0, 9.1
- Ubuntu 14.04, 16.04, 18.04, 20.04, 20.10, 21.04, 21.10, 22.04, 24.06
Note: Scanning Docker images for vulnerabilities is charged.
Types of scanning
You can scan Docker images pushed to a registry for vulnerabilities:
- Manually: A scan is run by the user.
- On push: Docker images are scanned automatically on push.
- On schedule: Docker images are scanned automatically according to a user-defined schedule.
Vulnerability scanner use cases
- Scanning vulnerabilities during continuous deployment of Managed Service for Kubernetes applications using GitLab
- Storing Docker images created in Yandex Managed Service for GitLab projects
See also
How to find vulnerabilities without breaking the CI/CD pipeline.