This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Scan containers (Beta)

Learn how to scan your containers with Endor Labs.

Containers help developers create, test, and deploy applications in a consistent environment. Container images include standalone or executable files encompassing files, libraries, and dependencies needed to run a container. They include many open-source software, making them vulnerable to open-source risks.

Gaining visibility into container images is essential to identify and prioritize risks or maintain compliance obligations.

Endor Labs container scan detects and reports known vulnerabilities and other risks in:

  • Operating system packages: Identifies packages installed through the container’s base operating system package manager.
  • Programming language packages: Identifies packages installed through language-specific package managers.
  • Libraries and dependencies: Identifies static and dynamic libraries, and runtime dependencies required by the application.

Additionally, it generates an SBOM (Software Bill of Materials) that details all components, their versions, and associated metadata, providing a complete inventory of the container’s contents.

To successfully scan containers:

Verify access to container registries

If the container image is in a private Docker registry, you must authenticate the container client before the scan.

Here are a few commands to authenticate the container client.

docker login <host> -u <user_name> -p <password>

For more information, see [Docker documentation](https://docs.docker.com/reference/cli/docker/login/).

podman login -u myusername -p mypassword myregistry.example.com

For more information, see [Scanning podman built container images](../../troubleshooting/podman/) and [Podman documentation](https://docs.podman.io/en/v4.4/markdown/podman-login.1.html).

You must configure the containerd config file to authenticate with the container registry. For more information, see the [containerd documentation](https://github.com/containerd/containerd/blob/main/docs/cri/registry.md).

Perform the endorctl scan

Use the following options to scan containers using endorctl CLI.

  1. To scan a container image from the registry, run the following command specifying the project’s name in the –project-name argument, and the container image name and tag in the –container argument.
endorctl scan  --project-name=<endor_project_name>  --container=<image_name:tag>
  1. To scan a container image in a particular path, run the following command specifying the project’s path in the –path argument and the container image name in the –container argument. This will associate the container with the Git repository and branch of the project.
endorctl scan  --path=users/janedoe/endorlabs/npm/exampleproject --container=<image_name:tag>
  1. To keep multiple versions of a container image in a project, use –container-as-ref
endorctl scan  --path=users/janedoe/enodorlabs/npm/exampleproject --container=<image_name:tag>  --container-as-ref

Perform container scan in CI pipelines

You can integrate container scanning into CI pipelines to automatically detect vulnerabilities and ensure the security of container images during the build and deployment process.

To perform container scanning in CI pipelines using GitHub Actions include the following command in the GitHub Actions script. You must also set the scan_container parameter to true.

endorctl scan  --project-name=<endor_project_name>  --container=<image_name:tag>

or

endorctl scan  --path=users/janedoe/endorlabs/npm/exampleproject --container=<image_name:tag>

See Performing scans in CI/CD pipelines for more information.

Understand container scan

Endor Labs fetches the container image from a container registry or loads it from a local file to scan containers. It then proceeds to extract the layers of the container image. It traverses the filesystem of each layer to identify files and directories. It looks for known package manager and metadata files to gather information about installed packages and their versions. It identifies various components and dependencies within the image and presents the findings in CLI and the Endor Labs user interface.

Discover base images of containers

A container image is often built upon a base image that is a foundational layer including an operating system and other essential components. It’s crucial to understand what’s in the base image for a thorough security assessment.

You can distinguish the base image related vulnerabilities from the application layer using any of the following methods:

  • Scan Sequence - First, scan the base image. Then, scan any subsequent images built on that base image to distinguish vulnerabilities specific to the base image from those introduced by the other layers.
  • Docker file label - Set the label directly in your Dockerfile with a command such as LABEL org.opencontainers.image.base.name="openjdk:17-slim".
  • Build time label - Include the base image label during the build process with the --label flag, specifying both the base image and, optionally, its exact version via SHA256 hash. For example:
   docker build -t tictactoe:latest --label "org.opencontainers.image.base.name=openjdk@sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78" .

base image

Create finding policies for containers

Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can configure a finding policy to detect unauthorised base images and raise a critical finding.

For example, to allow only base images that start with gcp or ghcr, use the Container policy template and Specify Base Image Name Regex as ^gcp, ^ghcr.

See also Create a finding policy from template.

finding policy template

Supported languages and package managers

The dependencies associated with the following list of components are identified in the endorctl scan:

OS/Language Package Manager/Packaging
Alpine apk
Debian dpkg
Ubuntu dpkg
RedHat RPM
Fedora RPM
Amazon Linux RPM
Oracle Linux RPM
.NET deps.json
Objective-C CocoaPods
Go go.mod, Go binaries
Java jar, ear, war, native-image, pom.xml
JavaScript npm, Yarn
PHP Composer
Python wheel, egg, Poetry, requirements.txt
Ruby gem
Rust Cargo
Swift CocoaPods

View findings

To view findings from the scan,

  1. Sign into the Endor Labs user interface.
  2. Navigate to Projects from the left sidebar.
  3. Locate your project to view its findings.

container overview 4. To view and filter dependencies based on the container images, click Container Layers and select to view All Layers, Base Image Layers, or Application Layers only.

Filter container findings

Limitations

  • Scanning Windows containers is not supported.
  • Docker file scans are not currently supported.
  • Container registry direct integrations are not currently supported.
  • Scanning binary files inside a container is not currently supported.
  • Scanning container images packaged in the tarball format is not currently supported.
  • Endor scores are not calculated for findings reported in the container scan.