Scanning containers with agent-based scanning
Container scanning extends the Veracode vulnerability database and SCA technology to system libraries in Docker containers.
For the latest Veracode container scanning functionality, see Veracode Container Security.
Veracode Software Composition Analysis agent-based scanning supports container scanning for these Linux distributions:
- RHEL 7
- CentOS 6 and 7
- Alpine 3
- Debian 8, 9, and 10
- Ubuntu 16.04, 18.04, 20.04, 20.10, and 21.04
You must have one of these package managers installed on your machine:
- yum
- pip
- NPM
- gem
- apk
- apt
When using yum, Veracode recommends you have the permissions to run yum updates in the container without root privileges.
For RHEL Linux containers, agent-based scanning only supports official RHEL Docker images, which require a RHEL subscription.
CLI container scanning
Images
To scan a Docker image, use --image:
$ docker images --format '{{.Repository}}:{{.Tag}}'
centos:7
$ srcclr scan --image centos:7
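The supported-distribution list above can be enforced before a scan starts, so that an unsupported base image is reported as skipped rather than treated as scanned. The following is an added example, not Veracode code: the function names are hypothetical, "Alpine 3" and "RHEL 7" are assumed to cover all 3.x and 7.x releases, and CentOS 6 is assumed to be identified by /etc/redhat-release because those images ship no /etc/os-release.

```shell
#!/bin/sh
# Added example: pre-flight check against the distribution list on this page.
# Function names are hypothetical; they are not part of the srcclr CLI.

# Print the value of key $1 from os-release text $2, with quotes stripped.
os_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1 | tr -d "\"'"
}

# Return 0 if the release text in $1 names a distribution listed as supported.
sca_supported() {
    id=$(os_field ID "$1")
    ver=$(os_field VERSION_ID "$1")
    major=${ver%%.*}
    if [ -z "$id" ]; then
        # Assumption: CentOS 6 has no os-release; match its redhat-release line.
        case "$1" in "CentOS release 6."*) return 0 ;; esac
        return 1
    fi
    case "$id:$major" in
        rhel:7|centos:6|centos:7|alpine:3|debian:8|debian:9|debian:10) return 0 ;;
    esac
    case "$id:$ver" in
        ubuntu:16.04|ubuntu:18.04|ubuntu:20.04|ubuntu:20.10|ubuntu:21.04) return 0 ;;
    esac
    return 1
}

# Read the release file from the image and scan only if it is supported.
scan_if_supported() {
    image=$1
    text=$(docker run --rm --entrypoint sh "$image" -c \
        'cat /etc/os-release 2>/dev/null || cat /etc/redhat-release' 2>/dev/null) || text=""
    if sca_supported "$text"; then
        srcclr scan --image "$image"
    else
        echo "skipping $image: distribution not in the supported list" >&2
        return 2
    fi
}
```

In a pipeline, treat the non-zero return from scan_if_supported as a coverage gap to record, not as a clean result.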
Containers
The following repository-specific features are not available for container scanning: vulnerable methods, lines of code, and SCM-specific concepts, such as branches.
To scan a container running locally, pass the container ID or name to --container:
$ docker ps --format '{{.ID}}'
2ca861ab7e85
$ srcclr scan --container 2ca861ab7e85
$ docker ps --format '{{.Names}}'
compassionate_shirley
$ srcclr scan --container compassionate_shirley
Continuous integration container scanning
The Travis CI addon, which does not use this cURL script, does not support scanning Docker images.
To scan a Docker image using the continuous integration (CI) agent, modify the existing cURL script for the Veracode SCA agent to:
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s scan --image <image name>
Viewing container scanning results
After your agent-based scan is complete, you can view the vulnerabilities in your container from the project page in the Veracode Platform.