Review Container and IaC Scan findings
After you complete a Veracode Container Security scan, your results appear in your command window. If you include the -o flag, the results appear in a new file. Scan results include the following categories of findings:
- Known vulnerabilities: vulnerabilities known in the Grype database.
- Configuration issues in infrastructure as code (IaC) files: misconfigurations in IaC files, such as Dockerfiles, Kubernetes manifests, and Terraform files.
- Exposed secrets: insecurely storing, using, and managing secrets, including credentials and cryptographic keys.
- Docker CIS Benchmark violations: violations of the guidelines defined in the CIS Docker Benchmarks.
- Insecure file permissions: insecure permissions set using setuid and setgid.
To specify the output format of the scan results, such as JSON, CycloneDX, or a table, include the --format flag.
Policy evaluations
Veracode Container Security performs a basic policy evaluation against the findings. If the scan identifies any of the following findings, it returns "policy-passed": false.
- Known vulnerabilities, configuration issues in infrastructure as code (IaC) files, or exposed secrets with a very high or high severity.
- Any Docker CIS Benchmark violation.
- Any insecure file permissions.
If none of those findings are present, the scan returns "policy-passed": true.
If the scan was run without a policy, the scan returns "policy-passed": "not evaluated".
Container and IaC Security findings on Veracode Platform
You can access the results of container and IaC scans, performed from the CLI, on the Veracode Platform. The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low.
Additional features include:
- Search and filter
- Scan history for each asset to help you track changes in findings reported
- Mitigation guidance for each finding
The Container and IaC Analysis documentation page provides detailed information on using the Veracode Platform to analyse container and IaC scan results.
Users with Container and IaC analysis permissions can perform scan and review actions.
Vulnerability data sources
Veracode Container Security uses several data sources when reporting vulnerability findings, including:
- Alpine Linux SecDB
- Amazon Linux ALAS
- Debian Linux Bug Tracker
- GitHub GHSAs
- National Vulnerability Database (NVD)
- Oracle Linux OVAL
- Red Hat Linux Security Data
- Red Hat RHSAs: Security Data
- SUSE Linux OVAL
- Ubuntu Linux Security
In some cases, the severity Veracode reports for a CVE differs from the severity reported by the NVD. When a more specific source, such as a base image vulnerability database, provides a severity for a CVE, that more specific source takes precedence over the NVD severity.
The vulnerability and policy databases are updated every 24 hours.
Example JSON findings
This sample output is the result of a scan request in readable JSON format:
./veracode scan --type image --source alpine:latest --policy container-policy-v1.rego --format json --output alpine.json
{
"vulnerabilities": {
"descriptor": {
"db": {
"built": "2025-12-11T08:19:01Z",
"from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-10T15:02:03Z_1765441141.tar.zst?checksum=sha256%3A95bd5b5950ac069e4a0033a803c2682762650f73dbcb4a70c275edea9ba6b982",
"path": "/var/folders/y4/rvg41kfn5t5d7swxjmdvmj8r0000gn/T/veracode_cli_cache/6/vulnerability.db",
"schemaVersion": "v6.1.3",
"valid": true
},
"name": "",
"timestamp": "2025-12-12T14:37:46.565139+05:30",
"version": ""
},
"matches": [
{
"artifact": {
"cpes": [
"cpe:2.3:a:busybox:busybox:1.37.0-r18:*:*:*:*:*:*:*"
],
"id": "cfbeef858806724b",
"language": "",
"licenses": [
"GPL-2.0-only"
],
"locations": [
{
"accessPath": "/lib/apk/db/installed",
"annotations": {
"evidence": "primary"
},
"layerID": "sha256:1231a673589ac9e2f8a98ed916d1fa8301b36a44dd14fc40eba5a05905da69f1",
"path": "/lib/apk/db/installed"
}
],
"metadata": {
"files": [
{
"path": "/bin"
},
{
"path": "/bin/busybox"
},
{
"path": "/etc"
},
{
"path": "/etc/securetty"
},
{
"path": "/etc/busybox-paths.d"
},
{
"path": "/etc/busybox-paths.d/busybox"
},
{
"path": "/etc/logrotate.d"
},
{
"path": "/etc/logrotate.d/acpid"
},
{
"path": "/etc/network"
},
{
"path": "/etc/network/if-down.d"
},
{
"path": "/etc/network/if-post-down.d"
},
{
"path": "/etc/network/if-post-up.d"
},
{
"path": "/etc/network/if-pre-down.d"
},
{
"path": "/etc/network/if-pre-up.d"
},
{
"path": "/etc/network/if-up.d"
},
{
"path": "/etc/network/if-up.d/dad"
},
{
"path": "/etc/udhcpc"
},
{
"path": "/etc/udhcpc/udhcpc.conf"
},
{
"path": "/sbin"
},
{
"path": "/usr"
},
{
"path": "/usr/sbin"
},
{
"path": "/usr/share"
},
{
"path": "/usr/share/udhcpc"
},
{
"path": "/usr/share/udhcpc/default.script"
}
]
},
"metadataType": "ApkMetadata",
"name": "busybox",
"purl": "pkg:apk/alpine/busybox@1.37.0-r18?arch=aarch64\u0026distro=alpine-3.22.0",
"type": "apk",
"upstreams": [
{
"name": "busybox"
}
],
"version": "1.37.0-r18"
},
"customerPolicyResult": {
"DataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251",
"ID": "CVE-2024-58251",
"Msg": "Found Low software vulnerability: CVE-2024-58251, baseScore: 2.5",
"Severity": "Low",
"Status": "failed"
},
"matchDetails": [
{
"fix": {
"suggestedVersion": "1.37.0-r20"
},
"found": {
"versionConstraint": "\u003c 1.37.0-r20 (apk)",
"vulnerabilityID": "CVE-2024-58251"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.22.0"
},
"namespace": "alpine:distro:alpine:3.22",
"package": {
"name": "busybox",
"version": "1.37.0-r18"
}
},
"type": "exact-direct-match"
},
{
"fix": {
"suggestedVersion": "1.37.0-r20"
},
"found": {
"versionConstraint": "\u003c 1.37.0-r20 (apk)",
"vulnerabilityID": "CVE-2024-58251"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.22.0"
},
"namespace": "alpine:distro:alpine:3.22",
"package": {
"name": "busybox",
"version": "1.37.0-r18"
}
},
"type": "exact-indirect-match"
}
],
"relatedVulnerabilities": [
{
"cvss": [
{
"metrics": {
"baseScore": 2.5,
"exploitabilityScore": 1.1,
"impactScore": 1.5
},
"source": "[email protected]",
"type": "Secondary",
"vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"vendorMetadata": {},
"version": "3.1"
}
],
"cwes": [
{
"cve": "CVE-2024-58251",
"cwe": "CWE-150",
"source": "[email protected]",
"type": "Secondary"
}
],
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251",
"description": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
"epss": [
{
"cve": "CVE-2024-58251",
"date": "2025-12-10",
"epss": 0.0002,
"percentile": 0.04396
}
],
"id": "CVE-2024-58251",
"namespace": "nvd:cpe",
"severity": "Low",
"urls": [
"https://bugs.busybox.net/show_bug.cgi?id=15922",
"https://www.busybox.net",
"https://www.busybox.net/downloads/",
"http://www.openwall.com/lists/oss-security/2025/04/23/6"
]
}
],
"vulnerability": {
"advisories": [],
"cvss": [
{
"metrics": {
"baseScore": 2.5,
"exploitabilityScore": 1.1,
"impactScore": 1.5
},
"source": "[email protected]",
"type": "Secondary",
"vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"vendorMetadata": {},
"version": "3.1"
}
],
"cwes": [
{
"cve": "CVE-2024-58251",
"cwe": "CWE-150",
"source": "[email protected]",
"type": "Secondary"
}
],
"dataSource": "https://security.alpinelinux.org/vuln/CVE-2024-58251",
"epss": [
{
"cve": "CVE-2024-58251",
"date": "2025-12-10",
"epss": 0.0002,
"percentile": 0.04396
}
],
"fix": {
"available": [
{
"date": "2025-11-22",
"kind": "first-observed",
"version": "1.37.0-r20"
}
],
"state": "fixed",
"versions": [
"1.37.0-r20"
]
},
"id": "CVE-2024-58251",
"namespace": "alpine:distro:alpine:3.22",
"risk": 0.0055000000000000005,
"severity": "Low",
"urls": []
}
}
]
},
"secrets": [],
"configs": [
{
"AVDID": "AVD-DS-0002",
"CauseMetadata": {
"Code": {
"Lines": []
},
"Provider": "Dockerfile",
"Service": "general"
},
"Description": "Running containers with 'root' user can lead to a container escape situation. It is best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"ID": "DS002",
"Message": "Specify at least one USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"Query": "data.builtin.dockerfile.DS002.deny",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"Status": "FAIL",
"Target": "alpine:latest",
"Title": "Image user should not be 'root'",
"Type": "Dockerfile Security Check",
"customerPolicyResult": {
"Status": "passed"
}
},
{
"AVDID": "AVD-DS-0026",
"CauseMetadata": {
"Code": {
"Lines": []
},
"Provider": "Dockerfile",
"Service": "general"
},
"Description": "You should add a HEALTHCHECK instruction in your Docker container images to perform the health check on running containers.",
"ID": "DS026",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"Query": "data.builtin.dockerfile.DS026.deny",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"Status": "FAIL",
"Target": "alpine:latest",
"Title": "No HEALTHCHECK defined",
"Type": "Dockerfile Security Check",
"customerPolicyResult": {
"Status": "passed"
}
}
],
"policy-results": null,
"policy-passed": "failed"
}
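The following script is an added example, not part of the Veracode CLI or its documentation. It reads JSON output with the structure shown above, normalizes the mixed-case severity strings (vulnerabilities use "Low", configs use "HIGH"), counts findings by severity, lists vulnerabilities that have a fixed version, and applies the basic policy rule described under "Policy evaluations". The sample input is constructed and abbreviated to the fields the script reads; the key names used for entries in the "secrets" array are assumed, since the sample output above has none.

```python
import json
import sys
from collections import Counter

# Constructed sample modelled on the JSON structure above; not real scanner output.
SAMPLE_OUTPUT = json.dumps({
    "vulnerabilities": {"matches": [
        {"artifact": {"name": "busybox", "version": "1.37.0-r18", "type": "apk"},
         "vulnerability": {"id": "CVE-2024-58251", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["1.37.0-r20"]}}},
        {"artifact": {"name": "libssl3", "version": "3.3.2-r4", "type": "apk"},
         "vulnerability": {"id": "CVE-2025-9230", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["3.3.5-r0"]}}},
    ]},
    "secrets": [],
    "configs": [
        {"ID": "DS002", "Severity": "HIGH", "Status": "FAIL", "Title": "Image user should not be 'root'"},
        {"ID": "DS026", "Severity": "LOW", "Status": "FAIL", "Title": "No HEALTHCHECK defined"},
    ],
})

# Severities that fail the basic policy ("very high or high"); CRITICAL covers the platform label.
BLOCKING = {"CRITICAL", "VERY HIGH", "HIGH"}


def load_findings(raw):
    """Flatten all categories into (category, id, SEVERITY, fixed_in) tuples."""
    doc = json.loads(raw)
    rows = []
    for m in doc.get("vulnerabilities", {}).get("matches", []):
        v = m["vulnerability"]
        fix = v.get("fix", {})
        fixed_in = fix["versions"][0] if fix.get("state") == "fixed" and fix.get("versions") else None
        rows.append(("vulnerability", v["id"], v["severity"].upper(), fixed_in))
    for c in doc.get("configs", []):
        if c.get("Status") == "FAIL":  # only failed checks are findings
            rows.append(("config", c["ID"], c["Severity"].upper(), None))
    for s in doc.get("secrets", []):  # assumed keys; the sample above has no secrets
        rows.append(("secret", s.get("Type", "secret"), s.get("Severity", "").upper(), None))
    return rows


def severity_counts(rows):
    return dict(Counter(sev for _, _, sev, _ in rows))


def basic_policy_passes(rows):
    """Any high or very high finding fails the basic policy, as documented above."""
    return not any(sev in BLOCKING for _, _, sev, _ in rows)


def fixable(rows):
    return [(fid, fixed_in) for cat, fid, _, fixed_in in rows if cat == "vulnerability" and fixed_in]


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    rows = load_findings(raw)
    print(severity_counts(rows), "policy-passed:", basic_policy_passes(rows))
    for fid, ver in fixable(rows):
        print(f"{fid}: upgrade to {ver}")
```

Pass the path of a file written with --output (for example alpine.json) as the first argument to run it against real scan output.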
Example table findings
Scans with the table format flag display results in four sections: Vulnerabilities, Misconfigurations, Secrets, and Policy Results. Each section provides details, such as the type and severity, of each finding.
veracode scan --type image --source alpine --format table --policy container-policy-v1.rego
Vulnerabilities example
| Policy Status | Name | Installed | Fixed-in | Type | Vulnerability | Severity | Message |
|---|---|---|---|---|---|---|---|
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9230 | HIGH | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9230 | HIGH | |
| Failed | musl | 1.2.5-r8 | 1.2.5-r9 | apk | CVE-2025-26519 | HIGH | |
| Failed | musl-utils | 1.2.5-r8 | 1.2.5-r9 | apk | CVE-2025-26519 | HIGH | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.3-r0 | apk | CVE-2024-12797 | MEDIUM | |
| Passed | libcrypto3 | 3.3.2-r4 | 3.3.2-r5 | apk | CVE-2024-13176 | MEDIUM | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9231 | MEDIUM | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9232 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.3-r0 | apk | CVE-2024-12797 | MEDIUM | |
| Passed | libssl3 | 3.3.2-r4 | 3.3.2-r5 | apk | CVE-2024-13176 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9231 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9232 | LOW | |
| Passed | busybox | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | busybox | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
| Passed | busybox-binsh | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | busybox-binsh | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
| Passed | ssl_client | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | ssl_client | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
Misconfigurations example
| Policy Status | Title | Provider | ID | Severity | Message |
|---|---|---|---|---|---|
| Failed | COPY '--from' referring to the current image | Dockerfile | DS006 | CRITICAL | |
| Failed | Multiple ENTRYPOINT instructions listed | Dockerfile | DS007 | CRITICAL | |
| Failed | Exposed port out of range | Dockerfile | DS008 | CRITICAL | |
| Failed | RUN using 'sudo' | Dockerfile | DS010 | CRITICAL | |
| Failed | COPY with more than two arguments not ending with slash | Dockerfile | DS011 | CRITICAL | |
| Failed | Duplicate aliases defined in different FROMs | Dockerfile | DS012 | CRITICAL | |
| Failed | Secrets passed via build-args or envs or copied secret files | Dockerfile | DS031 | CRITICAL | |
| Failed | Image user should not be 'root' | Dockerfile | DS002 | HIGH | |
| Failed | WORKDIR path not absolute | Dockerfile | DS009 | HIGH | |
| Failed | 'yum clean all' missing | Dockerfile | DS015 | HIGH | |
| Failed | Multiple CMD instructions listed | Dockerfile | DS016 | HIGH | |
| Failed | 'RUN update' instruction alone | Dockerfile | DS017 | HIGH | |
| Failed | 'dnf clean all' missing | Dockerfile | DS019 | HIGH | |
| Failed | 'zypper clean' missing | Dockerfile | DS020 | HIGH | |
| Failed | 'apt-get' missing '-y' to avoid manual input | Dockerfile | DS021 | HIGH | |
| Failed | Deprecated MAINTAINER used | Dockerfile | DS022 | HIGH | |
| Failed | 'apk add' is missing '--no-cache' | Dockerfile | DS025 | HIGH | |
| Failed | 'microdnf clean all' missing | Dockerfile | DS027 | HIGH | |
| Failed | 'apt-get' missing '--no-install-recommends' | Dockerfile | DS029 | HIGH | |
| Failed | WORKDIR should not be mounted on system dirs | Dockerfile | DS030 | HIGH | |
| Passed | ':latest' tag used | Dockerfile | DS001 | MEDIUM | |
| Passed | Port 22 exposed | Dockerfile | DS004 | MEDIUM | |
| Passed | 'RUN cd ...' to change directory | Dockerfile | DS013 | MEDIUM | |
| Passed | Multiple HEALTHCHECK defined | Dockerfile | DS023 | MEDIUM | |
| Passed | No HEALTHCHECK defined | Dockerfile | DS026 | LOW | Add HEALTHCHECK instruction in your Dockerfile |
| Passed | ADD instead of COPY | Dockerfile | DS005 | LOW | |
| Passed | RUN using 'wget' and 'curl' | Dockerfile | DS014 | LOW | |
Secrets example
| Policy Status | File | Secret Type | Severity | Message |
|---|---|---|---|---|
| Passed | aws-credentials.txt | AWS Access Key ID | CRITICAL | aws_access_key_id=******************** |
| Passed | aws-credentials.txt | AWS Secret Access Key | CRITICAL | aws_secret_access_key=**************************************** |
| Passed | id_rsa | Asymmetric Private Key | HIGH | **************************************************************** |