**Important:** Container scanning now has its own dedicated command: `endorctl container scan`. The `endorctl scan --container` commands are deprecated and will be removed after a three-month deprecation period. Migrate to the `endorctl container scan` command to ensure continued compatibility. For more details, see the Container scan commands migration guide.

- Operating system packages: Packages installed through the container’s base OS package manager.
- Programming language packages: Packages installed through language-specific package managers.
- Libraries and dependencies: Static and dynamic libraries and runtime dependencies required by the application.
How Endor Labs derives container findings
Endor Labs’ container scanning results rely on OVAL feeds from distributions. OVAL feeds provide accurate and vetted vulnerability data, while excluding disputed or irrelevant entries. OS dependency results are based on data from distribution developers. For language package dependencies, we complement published data with our proprietary research.

To scan a container, Endor Labs fetches the container image from a container registry or loads it from a local file. It then extracts the layers of the container image and traverses the filesystem of each layer to identify files and directories. It looks for known package manager and metadata files to gather information about installed packages and their versions. It identifies the components and dependencies within the image and presents the findings in the CLI and the Endor Labs user interface.

Endor Labs categorizes the severity of vulnerabilities detected in container scans as follows:
- Use the severity assigned by the distribution, if it exists.
- Use the NVD severity if the distribution does not provide the severity.
- Report the vulnerability as Medium if there is no severity assigned by the distribution, or the NVD severity is not known or can’t be matched.
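The three precedence rules above, written out as a small Python routine. This is an added example, not Endor Labs code: the `Finding` record layout, the alias table that maps distribution and NVD vocabularies onto one scale, and the decision to let an unrecognizable distribution value fall through to NVD are all assumptions made for the illustration. The CVE identifiers used are placeholders.

```python
"""Apply the documented severity precedence to container-scan findings.

Rules (from the documentation):
  1. use the distribution's severity when it exists,
  2. otherwise use the NVD severity,
  3. otherwise report Medium (also when the NVD value is unknown or cannot be matched).

Assumptions for this example: the Finding layout, the alias table, and treating a
distribution value that cannot be matched the same as "no distribution severity".
"""
from dataclasses import dataclass
from typing import Dict, Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed alias table: distributions and NVD spell severities differently.
# Anything not listed here is treated as "cannot be matched".
_ALIASES = {
    "critical": "Critical",
    "high": "High", "important": "High",
    "medium": "Medium", "moderate": "Medium",
    "low": "Low", "negligible": "Low",
}


@dataclass
class Finding:
    cve: str                              # placeholder identifier, e.g. "CVE-EXAMPLE-1"
    distro_severity: Optional[str] = None  # as published by the distribution, if any
    nvd_severity: Optional[str] = None     # as published by NVD, if any


def normalize(value: Optional[str]) -> Optional[str]:
    """Map a raw severity string onto SEVERITIES, or None if it cannot be matched."""
    if value is None:
        return None
    return _ALIASES.get(value.strip().lower())


def effective_severity(f: Finding) -> str:
    """Severity to report for one finding, following the three rules above."""
    distro = normalize(f.distro_severity)
    if distro is not None:
        return distro          # rule 1: distribution severity wins
    nvd = normalize(f.nvd_severity)
    if nvd is not None:
        return nvd             # rule 2: fall back to NVD
    return "Medium"            # rule 3: nothing usable, default to Medium


def summarize(findings) -> Dict[str, int]:
    """Count findings per effective severity, e.g. for a scan summary line."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[effective_severity(f)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample findings exercising each rule.
    sample = [
        Finding("CVE-EXAMPLE-1", "moderate", "HIGH"),   # distro wins over NVD
        Finding("CVE-EXAMPLE-2", None, "High"),         # NVD fallback
        Finding("CVE-EXAMPLE-3", None, "n/a"),          # NVD unknown -> Medium
        Finding("CVE-EXAMPLE-4"),                       # nothing at all -> Medium
    ]
    for f in sample:
        print(f.cve, "->", effective_severity(f))
    print(summarize(sample))
```

Note that the distribution-assigned value for CVE-EXAMPLE-1 ("moderate") outranks the higher NVD score, which is exactly the behaviour the first rule calls for; if you want NVD to win in such cases you are no longer following the documented precedence.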
Discover base images of containers
A container image is often built upon a base image that is a foundational layer including an operating system and other essential components. It’s crucial to understand what’s in the base image for a thorough security assessment. You can distinguish the base image related vulnerabilities from the application layer using any of the following methods:

- Scan sequence: First, scan the base image. Then, scan any subsequent images built on that base image to distinguish vulnerabilities specific to the base image from those introduced by the other layers.
- Dockerfile label: Set the label directly in your Dockerfile with a command, for example, `LABEL org.opencontainers.image.base.name="openjdk:17-slim"`.
- Build time label: Include the base image label during the build process with the `--label` flag, specifying both the base image and, optionally, its exact version via SHA256 hash. For example:

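Because the base-image label is self-declared, it is worth checking in CI that it still agrees with the Dockerfile’s `FROM` line before relying on it to attribute vulnerabilities to the base layer. The following Python script is an added example, not part of the Endor Labs documentation or tooling: it parses a constructed Dockerfile, compares the `org.opencontainers.image.base.name` label against `FROM`, and builds the `--label` arguments for the build-time method, including the OCI `org.opencontainers.image.base.digest` annotation. The Dockerfile content and the all-zero digest are constructed placeholders.

```python
"""Validate a Dockerfile's base-image label and build --label arguments.

Added example. SAMPLE_DOCKERFILE is constructed input; the digest used when
running stand-alone is a placeholder, not a real image digest.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BASE_NAME_LABEL = "org.opencontainers.image.base.name"
BASE_DIGEST_LABEL = "org.opencontainers.image.base.digest"

# Constructed Dockerfile used as sample input.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM openjdk:17-slim
LABEL org.opencontainers.image.base.name="openjdk:17-slim"
LABEL maintainer="platform-team"
COPY app.jar /app/app.jar
CMD ["java", "-jar", "/app/app.jar"]
"""


@dataclass
class DockerfileInfo:
    base: Optional[str]                       # image reference from the last FROM
    labels: Dict[str, str] = field(default_factory=dict)


def parse_dockerfile(text: str) -> DockerfileInfo:
    """Extract the last FROM image reference and all LABEL key=value pairs."""
    info = DockerfileInfo(base=None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # unquotes LABEL key="value" forms
        if not parts:
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            # Skip flags such as --platform; in a multi-stage build the last
            # FROM is the one whose base the final image actually carries.
            refs = [p for p in parts[1:] if not p.startswith("--")]
            if refs:
                info.base = refs[0]
        elif instr == "LABEL":
            for kv in parts[1:]:
                if "=" in kv:
                    key, value = kv.split("=", 1)
                    info.labels[key] = value
    return info


def check_base_label(text: str) -> Optional[str]:
    """Return None when the declared base-image label matches FROM, else a message."""
    info = parse_dockerfile(text)
    declared = info.labels.get(BASE_NAME_LABEL)
    if declared is None:
        return f"missing {BASE_NAME_LABEL} label (FROM is {info.base!r})"
    if declared != info.base:
        return f"{BASE_NAME_LABEL}={declared!r} does not match FROM {info.base!r}"
    return None


def build_label_args(base_name: str, base_digest: Optional[str] = None) -> List[str]:
    """--label arguments for the build-time method; digest is optional but pins the exact base."""
    args = ["--label", f"{BASE_NAME_LABEL}={base_name}"]
    if base_digest:
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", base_digest):
            raise ValueError("digest must look like sha256:<64 hex chars>")
        args += ["--label", f"{BASE_DIGEST_LABEL}={base_digest}"]
    return args


if __name__ == "__main__":
    problem = check_base_label(SAMPLE_DOCKERFILE)
    print("label check:", "ok" if problem is None else problem)
    placeholder_digest = "sha256:" + "0" * 64  # placeholder, not a real digest
    print("docker build", " ".join(build_label_args("openjdk:17-slim", placeholder_digest)), ".")
```

Run the check against the Dockerfile in a pre-build step; a mismatch means the base-image attribution the scanner would show is stale, so findings from the base layer would be misreported as application-layer findings (or vice versa).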
Verify access to container registries
If the container image is in a private Docker registry, you must authenticate the container client before the scan. Here are a few commands to authenticate the container client.

Authenticate to a Docker registry

Authenticate to a Podman registry

Authenticate with containerd
You must configure the containerd config file to authenticate with the container registry. Learn more about containerd authentication.
Supported languages and package managers
The dependencies associated with the following list of components are identified in the endorctl scan. Endor Labs recognizes only the installed dependencies. Declared but uninstalled dependencies in the container image are not recognized.

Limitations of container findings
- Scanning Windows containers is not supported.
- Dockerfile scans are not currently supported.
- Container registry direct integrations are not currently supported.
- Support for scanning binary files inside a container is limited.
- Endor scores are not calculated for findings reported in the container scan.