
# Scan containers using endorctl

> Learn how to scan container images using the endorctl container scan command for security vulnerabilities, dependencies, and compliance.

Container images contain multiple layers of software dependencies that introduce security risks across the entire software supply chain. The `endorctl container scan` command analyzes container images to identify vulnerabilities in base OS packages, runtime dependencies, and application libraries, providing comprehensive security visibility across all containerized workloads.

## Create finding policies for containers

Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can configure a finding policy that detects unauthorized base images and raises a critical finding.

For example, to allow only base images that start with `gcp` or `ghcr`, use the [Container policy template](/managing-policies/finding-policies/container-policies) and specify **Base Image Name Regex** as `^gcp`, `^ghcr`.

See [Create a finding policy from template](/managing-policies/finding-policies#create-a-finding-policy-from-template) for detailed instructions on creating finding policies.

<img src="https://mintcdn.com/endorlabs-b4795f4f/rtiT4oc3TglKX_HY/images/scan/containers/container-scan-policy.webp?fit=max&auto=format&n=rtiT4oc3TglKX_HY&q=85&s=6fc80bc63ae9b2d15e6b1fc82899d4fa" alt="Finding policy template for container base images" style={{ width: '70%' }} width="1832" height="1408" data-path="images/scan/containers/container-scan-policy.webp" />
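The policy above is evaluated by Endor Labs when the image is scanned. As an added example (not Endor Labs code), the script below mirrors the same allow-list locally so that a disallowed base image is caught before a scan raises a critical finding: it lists every image a Dockerfile actually pulls (skipping `--platform` flags and `FROM` lines that name an earlier build stage) and checks each against the page's `^gcp` and `^ghcr` regexes. The two Dockerfiles it checks are constructed samples written by the script itself; the function names and the `ALLOWED_BASE_REGEXES` variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Endor Labs code): a local pre-flight check that mirrors the
# base-image finding policy. It lists every base image a Dockerfile pulls and
# flags any that does not match the allowed regexes (^gcp, ^ghcr), so a
# disallowed base image is caught before the CI scan raises a critical finding.
set -eu

# Allowed base-image regexes; same values as the policy's Base Image Name Regex.
ALLOWED_BASE_REGEXES='^gcp ^ghcr'

# Print the image reference of each FROM line in a Dockerfile. Options such as
# --platform are skipped, and FROM lines that name an earlier build stage
# (multi-stage builds) are ignored because they pull no new image.
list_base_images() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++          # skip FROM flags
      ref = $i
      if (tolower(ref) in stages) next           # reference to a build stage
      if (i + 2 <= NF && toupper($(i + 1)) == "AS") stages[tolower($(i + 2))] = 1
      print ref
    }' "$1"
}

# Report each base image as allowed or DISALLOWED; return 1 if any is disallowed.
check_base_images() {
  rc=0
  for ref in $(list_base_images "$1"); do
    ok=0
    for re in $ALLOWED_BASE_REGEXES; do
      if printf '%s\n' "$ref" | grep -Eq -- "$re"; then ok=1; break; fi
    done
    if [ "$ok" -eq 1 ]; then
      echo "allowed:    $ref"
    else
      echo "DISALLOWED: $ref"
      rc=1
    fi
  done
  return "$rc"
}

# Write two constructed sample Dockerfiles (not from any real project) into $1.
write_sample_dockerfiles() {
  cat > "$1/Dockerfile.good" <<'EOF'
FROM --platform=linux/amd64 ghcr.io/example/builder:1.2 AS build
RUN echo "build step"
FROM gcp/example-runtime:stable
COPY --from=build /app /app
EOF
  cat > "$1/Dockerfile.bad" <<'EOF'
FROM docker.io/library/alpine:3.19 AS base
FROM base
RUN echo "uses a base image outside the allow-list"
EOF
}

# Demo on the constructed samples: one compliant Dockerfile, one that is not.
demo_dir=$(mktemp -d)
write_sample_dockerfiles "$demo_dir"
for f in "$demo_dir/Dockerfile.good" "$demo_dir/Dockerfile.bad"; do
  if check_base_images "$f"; then
    echo "$f: all base images allowed"
  else
    echo "$f: disallowed base image, fix before scanning"
  fi
done
```

Run it against a real Dockerfile with `check_base_images path/to/Dockerfile`; a non-zero exit means at least one base image would trip the policy. The stage-alias handling matters: a multi-stage `FROM base` line is not a new image, so only the first `FROM` in the sample `Dockerfile.bad` is reported.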

## Perform the endorctl scan

Endor Labs supports the following methods of scanning container images:

* **[Scan container images in a Git repository](#scan-container-images-in-a-git-repository)**: Scan images built within your repository using a Dockerfile.

* **[Scan container images as a standalone project](#scan-container-images-as-a-standalone-project)**: Scan base or golden images that are shared across multiple repositories or applications.

* **[Scan container image tarball](#scan-container-image-tarball)**: Scan images saved as tar files, such as base images exported from Docker, to generate dependency, SBOM, and vulnerability reports.

* **[Scan images from a container registry](/scan/containers/container-registry-scan)**: List and scan images directly from a registry such as AWS ECR, Azure ACR, Docker Hub, GHCR, or JFrog Artifactory.

### Scan container images in a Git repository

Run the following command to scan a container image built in a specific repository. Specify the project path using the `--path` argument and the container image name using the `--image` argument. This associates the container with the Git repository and branch of the project.

```bash theme={null}
endorctl container scan --image=<image_name:tag> --path=users/janedoe/endorlabs/npm/exampleproject
```

You can also scan multiple container images as part of a single repository.

```bash theme={null}
endorctl container scan --image=<image_name1:tag> --path=users/janedoe/endorlabs/npm/exampleproject
endorctl container scan --image=<image_name2:tag> --path=users/janedoe/endorlabs/npm/exampleproject
endorctl container scan --image=<image_name3:tag> --path=users/janedoe/endorlabs/npm/exampleproject
```

You can tag findings with the corresponding container image name and tag. This lets you filter container-related findings in the user interface or through the API.

```bash theme={null}
endorctl container scan --image=<image_name:tag> --path=users/janedoe/endorlabs/npm/exampleproject --finding-tags=<image_name:tag>
```

### Scan container images as a standalone project

Run the following command to scan a container image from a registry. Specify the project name using the `--project-name` argument, and the container image name and tag using the `--image` argument.

```bash theme={null}
endorctl container scan --image=<image_name:tag> --project-name=<endor_project_name>
```

To keep multiple versions of a container image in a container-only project, include the `--as-ref` flag.

```bash theme={null}
endorctl container scan --image=<image_name:tag> --project-name=<endor_project_name> --as-ref
```

You can tag findings with the corresponding container image name and tag. This lets you filter container-related findings in the user interface or through the API.

```bash theme={null}
endorctl container scan --project-name=<endor_project_name> --image=<image_name:tag> --as-ref --finding-tags=<image_name:tag>
```

<Note>
  **Important**

  To associate a container scan with an existing SCA scan for a project, you must use the `--path` argument specifying the same project path used for the SCA scan. You cannot associate a container scan with an SCA scan for a project using the `--project-name` parameter.
</Note>

### Scan container image tarball

You can save a container image as a tarball and scan it with endorctl to generate a report containing dependencies, SBOM details, and security findings.

1. Ensure that you have the container image available locally.

   ```bash theme={null}
   docker pull alpine:latest
   ```

2. Export the image to a tarball file.

   ```bash theme={null}
   docker save alpine:latest -o alpine-latest.tar
   ```

3. Perform the endorctl scan.

   ```bash theme={null}
   endorctl container scan --image=alpine:latest --project-name=<endor_project_name> --image-tar=/absolute/path/to/alpine-latest.tar
   ```

   <Note>
     * `--image-tar` must point to the absolute path of the tarball file.
     * `--image=<name:tag>` is optional but recommended. It explicitly identifies the container image inside the tarball.
   </Note>
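The three steps above as one script, added here as an example and not part of Endor Labs' tooling. It uses only the flags shown on this page (`--image`, `--project-name`, `--image-tar`) and resolves the tarball location to an absolute path before the scan, since `--image-tar` must be absolute. It assumes `docker` and `endorctl` are on `PATH`; the image, output directory and project name are command-line placeholders, and `DRY_RUN`, `abs_path`, `tar_name_for`, `run` and `scan_image_tarball` are this example's own names.

```shell
#!/usr/bin/env bash
# Added example (not Endor Labs code): pull an image, export it to a tarball and
# scan the tarball with endorctl. The tarball path is made absolute because
# --image-tar requires an absolute path. Set DRY_RUN=1 to print the commands
# instead of executing them.
set -eu

# Resolve a (possibly relative) path to an absolute one without relying on
# `realpath`, which is not available on every platform.
abs_path() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
  esac
}

# Derive a filesystem-safe tarball name from an image reference,
# e.g. ghcr.io/example/app:1.2 -> ghcr.io_example_app_1.2.tar
tar_name_for() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'dry-run: %s\n' "$*"
  else
    "$@"
  fi
}

# Pull $1, save it as a tarball under directory $2, and scan it into project $3.
scan_image_tarball() {
  image="$1"; out_dir="$2"; project="$3"
  mkdir -p "$out_dir"
  tarball=$(abs_path "$out_dir/$(tar_name_for "$image")")
  run docker pull "$image"
  run docker save "$image" -o "$tarball"
  # --image is optional but recommended: it names the image inside the tarball.
  run endorctl container scan --image="$image" --project-name="$project" --image-tar="$tarball"
}

# Usage: DRY_RUN=1 ./scan-tarball.sh alpine:latest ./images <endor_project_name>
if [ "$#" -eq 3 ]; then
  scan_image_tarball "$1" "$2" "$3"
else
  echo "usage: $0 <image:tag> <output-dir> <endor-project-name>" >&2
fi
```

Running with `DRY_RUN=1` first is a cheap way to confirm the resolved `--image-tar` path before spending time on the pull and export.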

## Perform container scan in CI pipelines

You can integrate container scanning into CI pipelines to automatically detect vulnerabilities and ensure the security of container images during the build and deployment process.

To scan containers in CI pipelines using GitHub Actions, set the `scan_container` parameter to `true` in the GitHub Actions script. Additionally, you must provide the `image` parameter with the container image you want to scan.

See [Performing scans in CI/CD pipelines](/deployment/ci-scans) for more information.
