Introducing Container Image Scanning, a new feature in vet to identify vulnerabilities and malicious packages in container images.

Introducing Container Image Scanning


Kunal Singh · 2 min read

Container images are a popular way to package and deploy applications; they are the deployable artifacts of the modern cloud-native world. However, they often contain vulnerable or malicious packages. Conventional container image scanners focus on identifying known vulnerabilities (CVEs) in an image, but malicious or compromised packages typically have no CVE at all. To protect against both risks, a deployable container image must be evaluated for vulnerabilities and for malicious packages before it ships. vet now supports scanning container images using the --image flag.

Scanning Local Images

Container images already present in the local Docker daemon's image store can be scanned with the following command:

vet scan --image redis:latest

Scanning Remote Images

If the image is not present in the local Docker daemon's image store, vet pulls the image data from the registry first. The command is the same:

vet scan --image redis:latest

Scanning Local Tarballs

Exported container images can be scanned by passing the tarball path to --image. The tarball is created with the docker save command, which is useful when the image you want to scan is not available in the local Docker daemon's image store, for example a build artifact that has not been pushed to a registry yet:

docker save redis:latest -o image.tar

vet scan --image /path/to/image.tar

Malicious Package Scanning

Container scanning can be combined with malicious package detection using the --malware flag. vet also supports standard report formats, including --report-cdx (CycloneDX) and --report-json, for generating machine-readable output that downstream tooling can consume:

vet scan --image redis:latest --malware
vet scan --image redis:latest --report-cdx=report.cdx.json

Policy Driven Container Scanning

vet is designed to be policy first. It uses a Common Expression Language (CEL) based policy engine that allows flexible policies. For example, to prevent images with malware or critical vulnerabilities from being deployed, run vet with the following filter; --filter-fail makes the scan fail (non-zero exit) when any package matches the filter expression:

vet scan --image redis:latest --malware --filter 'vulns.critical.exists(p, true)' --filter-fail

Note: vet always fails the scan when a malicious package is detected, regardless of the filter you pass.
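Teams often want the deploy decision to live in a separate CI step that reads the standardized report rather than in the scan invocation itself, for example to carry an allow-list of accepted findings. The following is an added example for this post, not vet's own code, covering both the --report-cdx output above and the policy gating just described. It assumes the report follows the CycloneDX 1.5 JSON layout (top-level "components" with a "bom-ref", and "vulnerabilities" with "id", "ratings" and "affects"); the sample report embedded in it is constructed for the example and its CVE identifiers are placeholders, not real advisories. The script's name, its exit-code convention and the accepted-ID list are this example's own choices.

```python
"""Gate a container image in CI on the CycloneDX report vet writes with
--report-cdx. Added example for this post, not part of vet.

Assumptions (not confirmed by the post): the report follows the CycloneDX
1.5 JSON layout, i.e. a top-level "components" array whose entries carry a
"bom-ref", and a top-level "vulnerabilities" array whose entries carry an
"id", "ratings" (each with a "severity") and "affects" (each with a "ref"
pointing at a component's bom-ref). The sample report below is constructed
for this example; its CVE identifiers are placeholders, not real advisories.
"""
import json
import sys

# Ordering used to compare severities; anything unrecognised ranks lowest.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                 "info": 0, "none": 0, "unknown": 0}

# Constructed sample standing in for report.cdx.json (package names and
# versions are illustrative only).
SAMPLE_REPORT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11-1", "type": "library",
         "name": "openssl", "version": "3.0.11-1"},
        {"bom-ref": "pkg:deb/debian/zlib1g@1.2.13", "type": "library",
         "name": "zlib1g", "version": "1.2.13"},
    ],
    "vulnerabilities": [
        # Two rating sources disagree; the gate must take the worse one.
        {"id": "CVE-0000-0001",
         "ratings": [{"severity": "high"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
        {"id": "CVE-0000-0002",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:deb/debian/zlib1g@1.2.13"}]},
    ],
})


def severity_of(vuln):
    """Highest severity across a vulnerability's ratings, lowercased."""
    worst = "unknown"
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(worst, 0):
            worst = sev
    return worst


def evaluate(report, fail_at="critical", accepted=frozenset()):
    """Return (ok, blocking) where blocking lists (vuln id, severity,
    name@version) for every finding at or above fail_at whose id is not
    in the accepted set. Same idea as --filter-fail: one match fails."""
    components = {c.get("bom-ref"): c for c in report.get("components", [])}
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        vid = vuln.get("id", "?")
        sev = severity_of(vuln)
        if SEVERITY_RANK.get(sev, 0) < threshold or vid in accepted:
            continue
        for affected in vuln.get("affects", []):
            comp = components.get(affected.get("ref"), {})
            blocking.append((vid, sev,
                             f"{comp.get('name', '?')}@{comp.get('version', '?')}"))
    return (not blocking, blocking)


def main(argv):
    # Usage: python gate.py [report.cdx.json] [accepted-vuln-id ...]
    # With no arguments the constructed sample is evaluated.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    accepted = frozenset(argv[2:])
    ok, blocking = evaluate(json.loads(text), accepted=accepted)
    for vid, sev, pkg in blocking:
        print(f"BLOCK {vid} ({sev}) in {pkg}")
    print("ok" if ok else "failed")
    return 0 if ok else 1  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `vet scan --image redis:latest --report-cdx=report.cdx.json` as `python gate.py report.cdx.json CVE-0000-0001` to accept a specific finding and fail on any other critical one. Two points matter for a gate like this: take the worst rating when several rating sources disagree, and keep the accepted list explicit and reviewable in the repository. The malware verdict is not part of this script; as the note above says, vet itself fails the scan when a malicious package is found.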

Other scanning options

For more details on using vet for container scanning, refer to the documentation.

Bugs and Feedback

Found a bug or have suggestions? We’d love to hear from you! Please open an issue in our vet GitHub repository. For discussions about vet and other SafeDep tools, join our friendly developer community on Discord. We’re always excited to connect with fellow developers and hear your thoughts!
