Scanning containers with agent-based scanning

Container scanning extends the Veracode vulnerability database and SCA technology to system libraries in Docker containers.

For the latest Veracode container scanning functionality, see Veracode Container Security.

Veracode Software Composition Analysis agent-based scanning supports container scanning for these Linux distributions:

  • RHEL 7
  • CentOS 6 and 7
  • Alpine 3
  • Debian 8, 9, and 10
  • Ubuntu 16.04, 18.04, 20.04, 20.10, and 21.04

You must have one of these package managers installed on your machine:

  • yum
  • pip
  • NPM
  • gem
  • apk
  • apt

When using yum, Veracode recommends that you have permission to run yum updates in the container without root privileges.

For RHEL Linux containers, agent-based scanning only supports official RHEL Docker images, which require a RHEL subscription.

CLI container scanning

Images

To scan a Docker image, use --image:

$ docker images --format '{{.Repository}}:{{.Tag}}'
centos:7

$ srcclr scan --image centos:7

Containers

The following repository-specific features are not available for container scanning: vulnerable methods, lines of code, and SCM-specific concepts, such as branches.

To scan a container running locally, pass the container ID or name to --container:

$ docker ps --format '{{.ID}}'
2ca861ab7e85

$ srcclr scan --container 2ca861ab7e85

$ docker ps --format '{{.Names}}'
compassionate_shirley

$ srcclr scan --container compassionate_shirley

Continuous integration container scanning

The Travis CI addon does not use the cURL script shown below and does not support scanning Docker images.

To scan a Docker image using the continuous integration (CI) agent, modify the existing cURL script for the Veracode SCA agent to:

curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s scan --image <image name>
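A small CI wrapper around the two scan forms documented above (`--image` and `--container`), as an added example that is not Veracode's own script; the `SCAN_RUNNER` override and the image-reference check are this example's own assumptions, while the default runner is the cURL invocation shown above.

```shell
#!/bin/sh
# Added example, not a Veracode script. Wraps the agent-based scan so a CI job
# can hand it either an image reference or a running container ID/name.
# Assumption: SCAN_RUNNER is this example's own override; it defaults to the
# documented "curl ... | sh -s" pipeline and can point at a local srcclr binary.

# Accept only a plain repo[:tag] reference so a stray or mangled CI variable is
# not passed to the agent unchecked. Registry ports and @digest forms are out of
# scope for this check and are rejected.
valid_image_ref() {
  case "$1" in
    ""|*" "*) return 1 ;;
    *) printf '%s' "$1" |
         grep -Eq '^[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_][A-Za-z0-9_.-]*)?$' ;;
  esac
}

# Map the target kind to the CLI flag: "image" -> --image, "container" -> --container.
scan_args() {
  case "$1" in
    image)     printf 'scan --image %s' "$2" ;;
    container) printf 'scan --container %s' "$2" ;;
    *)         return 1 ;;
  esac
}

# Run the scan through the CI agent. Returns the agent's exit status, or 2 when
# the arguments are rejected before anything is downloaded or executed.
run_scan() {
  args=$(scan_args "$1" "$2") || { echo "unknown target kind: $1" >&2; return 2; }
  if [ "$1" = image ] && ! valid_image_ref "$2"; then
    echo "refusing to scan malformed image reference: $2" >&2
    return 2
  fi
  runner="${SCAN_RUNNER:-curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s}"
  eval "$runner $args"
}

# Stand-alone usage: ./scan.sh image centos:7   or   ./scan.sh container <id>
if [ "$#" -ge 2 ]; then
  run_scan "$1" "$2"
fi
```

In a pipeline, a non-zero return from `run_scan` fails the job, so an image that cannot be scanned does not get promoted silently.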

Viewing container scanning results

After your agent-based scan is complete, you can view the vulnerabilities in your container from the project page in the Veracode Platform.