Review Container Security results
After running a scan, you can review the results in the Veracode CLI or in the Veracode Platform. The Veracode Platform provides a visual representation of the severity count of security findings, categorized as critical, high, medium, and low.
To access scan results in the Veracode Platform, before scanning, you must set analysis_on_platform to true in your veracode.yml file.
If you scanned in a repo using Veracode Repository Scanning, you can access the results in the following tools:
Review results in the CLI
After you complete a scan using the CLI, your results appear in your command window. If you include the -o (--output) flag, the results are written to the file you specify.
To specify the output format of the scan results, such as JSON, CycloneDX, or a table, include the --format flag. See the output examples.
Scan results include the following categories of findings:
- Known vulnerabilities: vulnerabilities known in the Grype database.
- Configuration issues in Infrastructure as Code (IaC) files: misconfigurations in IaC files, such as Dockerfiles, Kubernetes manifests, and Terraform files.
- Exposed secrets: insecurely storing, using, and managing secrets, including credentials and cryptographic keys.
- Docker CIS Benchmark violations: violations of the guidelines defined in the CIS Docker Benchmarks.
- Insecure file permissions: insecure permissions, such as files with the setuid or setgid bit set.
Review policy evaluations
Veracode Container Security performs a basic policy evaluation against the findings. If the scan identifies any of the following findings, it returns "policy-passed": false.
- Known vulnerabilities, configuration issues in Infrastructure as Code (IaC) files, or exposed secrets with a very high or high severity.
- Any Docker CIS Benchmark violation.
- Any insecure file permissions.
If none of those findings are present, the scan returns "policy-passed": true.
If the scan was run without a policy, the scan returns "policy-passed": "not evaluated".
Example findings in JSON format
The following example scan results, from a scan run with a custom policy file (container-policy-v1.rego), show detected vulnerabilities and misconfigurations in readable JSON format. Each finding carries a customerPolicyResult object that records how the supplied policy evaluated it; note that the Low-severity busybox CVE is marked "failed" by that custom policy even though the basic policy would not block it.
./veracode scan --type image --source alpine:latest --policy container-policy-v1.rego --format json --output alpine.json
{
"vulnerabilities": {
"descriptor": {
"db": {
"built": "2025-12-11T08:19:01Z",
"from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-10T15:02:03Z_1765441141.tar.zst?checksum=sha256%3A95bd5b5950ac069e4a0033a803c2682762650f73dbcb4a70c275edea9ba6b982",
"path": "/var/folders/y4/rvg41kfn5t5d7swxjmdvmj8r0000gn/T/veracode_cli_cache/6/vulnerability.db",
"schemaVersion": "v6.1.3",
"valid": true
},
"name": "",
"timestamp": "2025-12-12T14:37:46.565139+05:30",
"version": ""
},
"matches": [
{
"artifact": {
"cpes": [
"cpe:2.3:a:busybox:busybox:1.37.0-r18:*:*:*:*:*:*:*"
],
"id": "cfbeef858806724b",
"language": "",
"licenses": [
"GPL-2.0-only"
],
"locations": [
{
"accessPath": "/lib/apk/db/installed",
"annotations": {
"evidence": "primary"
},
"layerID": "sha256:1231a673589ac9e2f8a98ed916d1fa8301b36a44dd14fc40eba5a05905da69f1",
"path": "/lib/apk/db/installed"
}
],
"metadata": {
"files": [
{
"path": "/bin"
},
{
"path": "/bin/busybox"
},
{
"path": "/etc"
},
{
"path": "/etc/securetty"
},
{
"path": "/etc/busybox-paths.d"
},
{
"path": "/etc/busybox-paths.d/busybox"
},
{
"path": "/etc/logrotate.d"
},
{
"path": "/etc/logrotate.d/acpid"
},
{
"path": "/etc/network"
},
{
"path": "/etc/network/if-down.d"
},
{
"path": "/etc/network/if-post-down.d"
},
{
"path": "/etc/network/if-post-up.d"
},
{
"path": "/etc/network/if-pre-down.d"
},
{
"path": "/etc/network/if-pre-up.d"
},
{
"path": "/etc/network/if-up.d"
},
{
"path": "/etc/network/if-up.d/dad"
},
{
"path": "/etc/udhcpc"
},
{
"path": "/etc/udhcpc/udhcpc.conf"
},
{
"path": "/sbin"
},
{
"path": "/usr"
},
{
"path": "/usr/sbin"
},
{
"path": "/usr/share"
},
{
"path": "/usr/share/udhcpc"
},
{
"path": "/usr/share/udhcpc/default.script"
}
]
},
"metadataType": "ApkMetadata",
"name": "busybox",
"purl": "pkg:apk/alpine/[email protected]?arch=aarch64\u0026distro=alpine-3.22.0",
"type": "apk",
"upstreams": [
{
"name": "busybox"
}
],
"version": "1.37.0-r18"
},
"customerPolicyResult": {
"DataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251",
"ID": "CVE-2024-58251",
"Msg": "Found Low software vulnerability: CVE-2024-58251, baseScore: 2.5",
"Severity": "Low",
"Status": "failed"
},
"matchDetails": [
{
"fix": {
"suggestedVersion": "1.37.0-r20"
},
"found": {
"versionConstraint": "\u003c 1.37.0-r20 (apk)",
"vulnerabilityID": "CVE-2024-58251"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.22.0"
},
"namespace": "alpine:distro:alpine:3.22",
"package": {
"name": "busybox",
"version": "1.37.0-r18"
}
},
"type": "exact-direct-match"
},
{
"fix": {
"suggestedVersion": "1.37.0-r20"
},
"found": {
"versionConstraint": "\u003c 1.37.0-r20 (apk)",
"vulnerabilityID": "CVE-2024-58251"
},
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.22.0"
},
"namespace": "alpine:distro:alpine:3.22",
"package": {
"name": "busybox",
"version": "1.37.0-r18"
}
},
"type": "exact-indirect-match"
}
],
"relatedVulnerabilities": [
{
"cvss": [
{
"metrics": {
"baseScore": 2.5,
"exploitabilityScore": 1.1,
"impactScore": 1.5
},
"source": "[email protected]",
"type": "Secondary",
"vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"vendorMetadata": {},
"version": "3.1"
}
],
"cwes": [
{
"cve": "CVE-2024-58251",
"cwe": "CWE-150",
"source": "[email protected]",
"type": "Secondary"
}
],
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251",
"description": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
"epss": [
{
"cve": "CVE-2024-58251",
"date": "2025-12-10",
"epss": 0.0002,
"percentile": 0.04396
}
],
"id": "CVE-2024-58251",
"namespace": "nvd:cpe",
"severity": "Low",
"urls": [
"https://bugs.busybox.net/show_bug.cgi?id=15922",
"https://www.busybox.net",
"https://www.busybox.net/downloads/",
"http://www.openwall.com/lists/oss-security/2025/04/23/6"
]
}
],
"vulnerability": {
"advisories": [],
"cvss": [
{
"metrics": {
"baseScore": 2.5,
"exploitabilityScore": 1.1,
"impactScore": 1.5
},
"source": "[email protected]",
"type": "Secondary",
"vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"vendorMetadata": {},
"version": "3.1"
}
],
"cwes": [
{
"cve": "CVE-2024-58251",
"cwe": "CWE-150",
"source": "[email protected]",
"type": "Secondary"
}
],
"dataSource": "https://security.alpinelinux.org/vuln/CVE-2024-58251",
"epss": [
{
"cve": "CVE-2024-58251",
"date": "2025-12-10",
"epss": 0.0002,
"percentile": 0.04396
}
],
"fix": {
"available": [
{
"date": "2025-11-22",
"kind": "first-observed",
"version": "1.37.0-r20"
}
],
"state": "fixed",
"versions": [
"1.37.0-r20"
]
},
"id": "CVE-2024-58251",
"namespace": "alpine:distro:alpine:3.22",
"risk": 0.0055000000000000005,
"severity": "Low",
"urls": []
}
}
]
},
"secrets": [],
"configs": [
{
"AVDID": "AVD-DS-0002",
"CauseMetadata": {
"Code": {
"Lines": []
},
"Provider": "Dockerfile",
"Service": "general"
},
"Description": "Running containers with 'root' user can lead to a container escape situation. It is best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"ID": "DS002",
"Message": "Specify at least one USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"Query": "data.builtin.dockerfile.DS002.deny",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"Status": "FAIL",
"Target": "alpine:latest",
"Title": "Image user should not be 'root'",
"Type": "Dockerfile Security Check",
"customerPolicyResult": {
"Status": "passed"
}
},
{
"AVDID": "AVD-DS-0026",
"CauseMetadata": {
"Code": {
"Lines": []
},
"Provider": "Dockerfile",
"Service": "general"
},
"Description": "You should add a HEALTHCHECK instruction in your Docker container images to perform the health check on running containers.",
"ID": "DS026",
"Message": "Add HEALTHCHECK instruction in your Dockerfile",
"Namespace": "builtin.dockerfile.DS026",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
"Query": "data.builtin.dockerfile.DS026.deny",
"References": [
"https://blog.aquasec.com/docker-security-best-practices",
"https://avd.aquasec.com/misconfig/ds026"
],
"Resolution": "Add HEALTHCHECK instruction in Dockerfile",
"Severity": "LOW",
"Status": "FAIL",
"Target": "alpine:latest",
"Title": "No HEALTHCHECK defined",
"Type": "Dockerfile Security Check",
"customerPolicyResult": {
"Status": "passed"
}
}
],
"policy-results": null,
"policy-passed": "failed"
}
Example detected secrets in a YAML file
In the following example results, the scan detects secrets titled App ID and App Secret Key in a scanned YAML file (values-prd.yml). Both secrets have a severity of HIGH and are in the Passwords category. The matched values are masked with asterisks in the output, so the report itself does not expose the secret; the StartLine and EndLine fields point to the lines to remediate.
{
"Class": "secret",
"Secrets": [
{
"Category": "Passwords",
"Code": {
"Lines": [
{
"Annotation": "",
"Content": "enabled: true",
"FirstCause": false,
"Highlighted": "enabled: true",
"IsCause": false,
"LastCause": false,
"Number": 2,
"Truncated": false
},
{
"Annotation": "",
"Content": "values:",
"FirstCause": false,
"Highlighted": "values:",
"IsCause": false,
"LastCause": false,
"Number": 3,
"Truncated": false
},
{
"Annotation": "",
"Content": "***********************",
"FirstCause": true,
"Highlighted": "***********************",
"IsCause": true,
"LastCause": true,
"Number": 4,
"Truncated": false
},
{
"Annotation": "",
"Content": "************************",
"FirstCause": false,
"Highlighted": "************************",
"IsCause": false,
"LastCause": false,
"Number": 5,
"Truncated": false
}
]
},
"EndLine": 4,
"Layer": {},
"Match": "***********************",
"RuleID": "Test for app id",
"Severity": "HIGH",
"StartLine": 4,
"Title": "App ID"
},
{
"Category": "Passwords",
"Code": {
"Lines": [
{
"Annotation": "",
"Content": "values:",
"FirstCause": false,
"Highlighted": "values:",
"IsCause": false,
"LastCause": false,
"Number": 3,
"Truncated": false
},
{
"Annotation": "",
"Content": "***********************",
"FirstCause": false,
"Highlighted": "***********************",
"IsCause": false,
"LastCause": false,
"Number": 4,
"Truncated": false
},
{
"Annotation": "",
"Content": "************************",
"FirstCause": true,
"Highlighted": "************************",
"IsCause": true,
"LastCause": true,
"Number": 5,
"Truncated": false
},
{
"Annotation": "",
"Content": "LOG_LEVEL: info",
"FirstCause": false,
"Highlighted": "LOG_LEVEL: info",
"IsCause": false,
"LastCause": false,
"Number": 6,
"Truncated": false
}
]
},
"EndLine": 5,
"Layer": {},
"Match": "************************",
"RuleID": "test for secrets",
"Severity": "HIGH",
"StartLine": 5,
"Title": "App Secret key"
}
],
"Target": "values-prd.yml"
}
Example findings in table format
Scans run with --format table display results in four tables: Vulnerabilities, Misconfigurations, Secrets, and Policy Results. Each table provides details, such as the type and severity, of each finding, and the Policy Status column shows whether the supplied policy passed or failed that finding.
veracode scan --type image --source alpine --format table --policy container-policy-v1.rego
Vulnerabilities
| Policy Status | Name | Installed | Fixed-in | Type | Vulnerability | Severity | Message |
|---|---|---|---|---|---|---|---|
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9230 | HIGH | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9230 | HIGH | |
| Failed | musl | 1.2.5-r8 | 1.2.5-r9 | apk | CVE-2025-26519 | HIGH | |
| Failed | musl-utils | 1.2.5-r8 | 1.2.5-r9 | apk | CVE-2025-26519 | HIGH | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.3-r0 | apk | CVE-2024-12797 | MEDIUM | |
| Passed | libcrypto3 | 3.3.2-r4 | 3.3.2-r5 | apk | CVE-2024-13176 | MEDIUM | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9231 | MEDIUM | |
| Failed | libcrypto3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9232 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.3-r0 | apk | CVE-2024-12797 | MEDIUM | |
| Passed | libssl3 | 3.3.2-r4 | 3.3.2-r5 | apk | CVE-2024-13176 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9231 | MEDIUM | |
| Failed | libssl3 | 3.3.2-r4 | 3.3.5-r0 | apk | CVE-2025-9232 | LOW | |
| Passed | busybox | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | busybox | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
| Passed | busybox-binsh | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | busybox-binsh | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
| Passed | ssl_client | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2024-58251 | LOW | |
| Passed | ssl_client | 1.37.0-r9 | 1.37.0-r14 | apk | CVE-2025-46394 | LOW | |
Misconfigurations
| Policy Status | Title | Provider | ID | Severity | Message |
|---|---|---|---|---|---|
| Failed | COPY '--from' referring to the current image | Dockerfile | DS006 | CRITICAL | |
| Failed | Multiple ENTRYPOINT instructions listed | Dockerfile | DS007 | CRITICAL | |
| Failed | Exposed port out of range | Dockerfile | DS008 | CRITICAL | |
| Failed | RUN using 'sudo' | Dockerfile | DS010 | CRITICAL | |
| Failed | COPY with more than two arguments not ending with slash | Dockerfile | DS011 | CRITICAL | |
| Failed | Duplicate aliases defined in different FROMs | Dockerfile | DS012 | CRITICAL | |
| Failed | Secrets passed via build-args or envs or copied secret files | Dockerfile | DS031 | CRITICAL | |
| Failed | Image user should not be 'root' | Dockerfile | DS002 | HIGH | |
| Failed | WORKDIR path not absolute | Dockerfile | DS009 | HIGH | |
| Failed | 'yum clean all' missing | Dockerfile | DS015 | HIGH | |
| Failed | Multiple CMD instructions listed | Dockerfile | DS016 | HIGH | |
| Failed | 'RUN update' instruction alone | Dockerfile | DS017 | HIGH | |
| Failed | 'dnf clean all' missing | Dockerfile | DS019 | HIGH | |
| Failed | 'zypper clean' missing | Dockerfile | DS020 | HIGH | |
| Failed | 'apt-get' missing '-y' to avoid manual input | Dockerfile | DS021 | HIGH | |
| Failed | Deprecated MAINTAINER used | Dockerfile | DS022 | HIGH | |
| Failed | 'apk add' is missing '--no-cache' | Dockerfile | DS025 | HIGH | |
| Failed | 'microdnf clean all' missing | Dockerfile | DS027 | HIGH | |
| Failed | 'apt-get' missing '--no-install-recommends' | Dockerfile | DS029 | HIGH | |
| Failed | WORKDIR should not be mounted on system dirs | Dockerfile | DS030 | HIGH | |
| Passed | ':latest' tag used | Dockerfile | DS001 | MEDIUM | |
| Passed | Port 22 exposed | Dockerfile | DS004 | MEDIUM | |
| Passed | 'RUN cd ...' to change directory | Dockerfile | DS013 | MEDIUM | |
| Passed | Multiple HEALTHCHECK defined | Dockerfile | DS023 | MEDIUM | |
| Passed | No HEALTHCHECK defined | Dockerfile | DS026 | LOW | Add HEALTHCHECK instruction in your Dockerfile |
| Passed | ADD instead of COPY | Dockerfile | DS005 | LOW | |
| Passed | RUN using 'wget' and 'curl' | Dockerfile | DS014 | LOW | |
Secrets
| Policy Status | File | Secret Type | Severity | Message |
|---|---|---|---|---|
| Passed | aws-credentials.txt | AWS Access Key ID | CRITICAL | aws_access_key_id=******************** |
| Passed | aws-credentials.txt | AWS Secret Access Key | CRITICAL | aws_secret_access_key=**************************************** |
| Passed | id_rsa | Asymmetric Private Key | HIGH | **************************************************************** |