
Introducing Container Image Scanning
Introducing Container Image Scanning, a new feature in vet to identify vulnerabilities and malicious packages in container images.
Container images are a popular way to package and deploy applications. These are the deployable artifacts in modern cloud native world. However, they often contain vulnerabilities and malicious packages. Conventional container image scanning tools focus on vulnerability (CVE) identification for container images. However, malicious or compromised packages do not have CVEs. To protect against the risk of vulnerabilities and malicious packages, deployable container images must be evaluated for security risks. vet now supports scanning container images using --image
flag.
Scanning Local Images
Container images available in local docker server catalog can be scanned using the following command:
vet scan --image redis:latest
Scanning Remote Images
vet
will pull the image data if the container image is not available in local docker server catalog.
vet scan --image redis:latest
Scanning Local Tarballs
Exported container images can be scanned using the following command:
vet scan --image /path/to/image.tar
This tarball
can be created using docker save
command. This is useful when you want to scan a container image that is not available in local docker server catalog.
docker save redis:latest -o image.tar
Malicious Package Scanning
Container scanning can be combined with malware detection using the --malware
flag. It also supports various reporting formats including --report-cdx
and --report-json
for generating standardized output.
vet scan --image redis:latest --malware
vet scan --image redis:latest --report-cdx=report.cdx.json
Policy Driven Container Scanning
vet
is designed as policy first. It uses a Common Expression Language based policy engine to allow flexible policies. For example, to prevent containers with malware or critical vulnerabilities from getting deployed, you can run vet
with the following policy:
vet scan --image redis:latest --malware --filter 'vulns.critical.exists(p, true)' --filter-fail
Note: vet
will always fail when a malicious package is detected.
Other scanning options
For more details on how to use vet
with container scanning, please refer to the documentation.
Demo
Bugs and Feedback
Found a bug or have suggestions? We’d love to hear from you! Please open an issue in our vet
GitHub repository. For discussions about vet
and other SafeDep tools, join our friendly developer community on Discord. We’re always excited to connect with fellow developers and hear your thoughts!