Container images contain multiple layers of software dependencies that introduce security risks across the entire software supply chain. The endorctl container scan command analyzes container images to identify vulnerabilities in base OS packages, runtime dependencies, and application libraries, providing comprehensive security visibility across all containerized workloads.
Create finding policies for containers
Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can configure a finding policy to detect unauthorised base images and raise a critical finding. For example, to allow only base images that start with gcp or ghcr, use the Container policy template and specify Base Image Name Regex as ^gcp, ^ghcr.
See Create a finding policy from template for detailed instructions on creating finding policies.
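The allow-list check that such a policy performs can be reproduced locally, for instance as a pre-commit gate on Dockerfiles. The following Python script is an added example, not Endor Labs code, and it assumes the regexes are matched against the full image reference as written on each FROM line (the sample Dockerfile is constructed for the demonstration):

```python
import re
from typing import Dict, List

# Constructed sample Dockerfile (not from the page): a multi-stage build with
# one compliant base image, one non-compliant one, and a FROM that only
# refers back to an earlier stage.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM --platform=linux/amd64 ghcr.io/example/builder:1.2 AS build
RUN make
FROM docker.io/library/alpine:3.19
COPY --from=build /out/app /usr/local/bin/app
FROM build AS test
"""

# The regexes from the Container policy template example: anchored with ^ so
# that a name such as "evil-ghcr.example/app" is not accepted by accident.
ALLOWED_BASE_IMAGE_REGEXES = [r"^gcp", r"^ghcr"]

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def base_images(dockerfile: str) -> List[str]:
    """Return the external base images referenced by FROM lines, skipping
    references to earlier build stages (FROM <alias>) and 'scratch'."""
    aliases = set()
    images = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        if image.lower() not in aliases and image.lower() != "scratch":
            images.append(image)
        if alias:
            aliases.add(alias.lower())  # stage names are case-insensitive
    return images


def evaluate_policy(dockerfile: str, allowed: List[str]) -> List[Dict[str, str]]:
    """Raise a critical finding for every base image that matches none of the
    allowed regexes (the same decision the finding policy makes)."""
    patterns = [re.compile(p) for p in allowed]
    findings = []
    for image in base_images(dockerfile):
        if not any(p.search(image) for p in patterns):
            findings.append({
                "severity": "critical",
                "base_image": image,
                "message": f"base image {image!r} does not match any allowed pattern",
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate_policy(SAMPLE_DOCKERFILE, ALLOWED_BASE_IMAGE_REGEXES):
        print(finding["severity"].upper(), finding["message"])
```

Running the script reports one critical finding, for docker.io/library/alpine:3.19; the ghcr.io builder stage passes, and the final FROM build line is recognised as a stage reference rather than a base image.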

Perform the endorctl scan
Endor Labs supports the following methods of scanning container images:
- Scan container images in a Git repository: Scan images built within your repository using a Dockerfile.
- Scan container images as a standalone project: Scan base or golden images that are shared across multiple repositories or applications.
- Scan container image tarball: Scan images saved as tar files, such as base images exported from Docker, to generate dependency, SBOM, and vulnerability reports.
- Scan images from a container registry: List and scan images directly from a registry such as AWS ECR, Azure ACR, Docker Hub, GHCR, or JFrog Artifactory.
Scan container images in a Git repository
Run endorctl to scan a container image built in a specific repository. Specify the project path using the --path argument and the container image name using the --image argument. This associates the container with the Git repository and branch of the project.
Scan container images as a standalone project
Run endorctl to scan a container image from a registry. Specify the project name using the --project-name argument, and the container image name and tag using the --image argument.
--as-ref flag.
Important: To associate a container scan with an existing SCA scan for a project, you must use the --path argument specifying the same project path used for the SCA scan. You cannot associate a container scan with an SCA scan for a project using the --project-name parameter.
Scan container image tarball
You can save a container image as a tarball and scan it with endorctl to generate a report containing dependencies, SBOM details, and security findings.
- Ensure that you have the container image available locally.
- Export the image to a tarball file.
- Perform the endorctl scan.
--image-tar must point to the absolute path of the tarball file. --image=<name:tag> is optional but recommended. It explicitly identifies the container image inside the tarball.
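Why --image=<name:tag> is recommended becomes clear when you look inside a tarball written by docker save: its top-level manifest.json carries a RepoTags list per image, and that list is null when the image was saved by ID only, so the scanner cannot always recover a name and tag on its own. The following Python helper is an added example, not part of endorctl or the page; it reads the manifest, resolves the absolute path that --image-tar requires, and refuses to guess when the tarball records zero or several references. The tarballs it builds are constructed stand-ins containing only manifest.json, and the scan_arguments function and the values it returns are this example's own convention.

```python
import io
import json
import os
import tarfile
import tempfile
from typing import List, Optional


def image_refs_from_tarball(tar_path: str) -> List[str]:
    """Return the name:tag references recorded in a `docker save` tarball.

    docker save writes a top-level manifest.json: a JSON list with one entry
    per image, each carrying a RepoTags list (null when the image was saved
    by ID rather than by name:tag).
    """
    refs: List[str] = []
    with tarfile.open(tar_path, "r:*") as tar:
        try:
            member = tar.getmember("manifest.json")
        except KeyError:
            raise ValueError(f"{tar_path}: no manifest.json, not a docker save tarball")
        manifest = json.load(tar.extractfile(member))
    for entry in manifest:
        refs.extend(entry.get("RepoTags") or [])
    return refs


def scan_arguments(tar_path: str, image: Optional[str] = None) -> dict:
    """Assemble the two values a tarball scan needs: an absolute --image-tar
    path and a --image reference, taken from the caller or, when the tarball
    records exactly one reference, from manifest.json."""
    abs_path = os.path.abspath(tar_path)
    if image is None:
        refs = image_refs_from_tarball(abs_path)
        if len(refs) != 1:
            raise ValueError(
                f"tarball records {len(refs)} image references {refs}; "
                "pass --image=<name:tag> explicitly"
            )
        image = refs[0]
    return {"--image-tar": abs_path, "--image": image}


def _write_sample_tarball(path: str, repo_tags: Optional[List[str]]) -> None:
    """Constructed stand-in for docker save output: manifest.json only, no layers."""
    manifest = json.dumps(
        [{"Config": "config.json", "RepoTags": repo_tags, "Layers": []}]
    ).encode()
    with tarfile.open(path, "w") as tar:
        info = tarfile.TarInfo("manifest.json")
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))


def demo() -> dict:
    """Build one tarball saved by name:tag and one saved by ID, and show
    which of them can be scanned without an explicit --image."""
    with tempfile.TemporaryDirectory() as workdir:
        single = os.path.join(workdir, "single.tar")
        _write_sample_tarball(single, ["example.test/app:1.0"])  # constructed reference
        by_id = os.path.join(workdir, "by-id.tar")
        _write_sample_tarball(by_id, None)  # RepoTags: null, as docker save writes for an ID

        result = {"single": scan_arguments(single)["--image"]}
        try:
            scan_arguments(by_id)
            result["by_id"] = "accepted"
        except ValueError:
            result["by_id"] = "needs --image"
    return result


if __name__ == "__main__":
    print(demo())
```

The helper understands the docker save layout only; an OCI image layout archive uses index.json instead of manifest.json and is rejected with a clear error rather than misread.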
Perform container scan in CI pipelines
You can integrate container scanning into CI pipelines to automatically detect vulnerabilities and ensure the security of container images during the build and deployment process. To scan containers in CI pipelines using GitHub Actions, set the scan_container parameter to true in the GitHub Actions script. Additionally, you must provide the image parameter with the container image you want to scan.
See Performing scans in CI/CD pipelines for more information.