Scan containers

Use SCA Agent-based Scan to test Docker containers and images for vulnerabilities in open-source libraries and licenses.

For information on using the Veracode CLI to scan containers, see Veracode Container Security.

Supported Linux distributions

  • RHEL 7
  • CentOS 6 and 7
  • Alpine 3
  • Debian 8, 9, and 10
  • Ubuntu 16.04, 18.04, 20.04, 20.10, and 21.04

Supported package managers

Your system must have one of the following package managers installed.

  • yum
  • pip
  • NPM
  • gem
  • apk
  • apt

When using yum, we recommend that you have permission to run yum updates in the container without root privileges.

To scan applications that use Docker, we recommend scanning the code during builds, before adding it to a Docker container, or by running the following command at the root of the project within Docker.

  curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

See customization options for using the cURL script.

For RHEL Linux containers, only official RHEL Docker images are supported, which require a RHEL subscription.

SCA CLI

Scan images

To scan a Docker image, use --image:

$ docker images --format '{{.Repository}}:{{.Tag}}'
centos:7

$ srcclr scan --image centos:7

Scan containers

The following repository-specific features are not available for container scanning: vulnerable methods, lines of code, and SCM-specific concepts, such as branches.

To scan a container running locally, pass the container ID or name to --container:

$ docker ps --format '{{.ID}}'
2ca861ab7e85

$ srcclr scan --container 2ca861ab7e85

$ docker ps --format '{{.Names}}'
compassionate_shirley

$ srcclr scan --container compassionate_shirley

Continuous integration container scanning

To scan a Docker image using the continuous integration (CI) agent, modify the existing cURL script for the Veracode SCA agent to:

curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s scan --image <image name>

The Travis CI addon, which does not use this cURL script, does not support scanning Docker images.
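The following script ties the supported-distribution list and the --image scan above into one CI step: it reads /etc/os-release from each image, skips images whose base distribution is not on the supported list, and runs srcclr scan --image on the rest. This is an added example, not Veracode's own script; it assumes docker and srcclr are on the PATH and that the image contains cat and /etc/os-release (CentOS 6 images, which predate os-release, are assumed to be handled separately).

```sh
#!/bin/sh
# Added example (not part of the Veracode documentation): gate srcclr image
# scans on the supported-distribution list from this page.

# Return 0 when the os-release ID/VERSION_ID pair is a supported distribution.
supported_distro() {
    case "$1:$2" in
        rhel:7|rhel:7.*) return 0 ;;
        centos:6|centos:6.*|centos:7|centos:7.*) return 0 ;;
        alpine:3|alpine:3.*) return 0 ;;
        debian:8|debian:9|debian:10) return 0 ;;
        ubuntu:16.04|ubuntu:18.04|ubuntu:20.04|ubuntu:20.10|ubuntu:21.04) return 0 ;;
    esac
    return 1
}

# Read an /etc/os-release body from stdin and print "ID VERSION_ID"
# with surrounding quotes stripped.
os_release_fields() {
    id=""; ver=""
    while IFS= read -r line; do
        case "$line" in
            ID=*) id=${line#ID=} ;;
            VERSION_ID=*) ver=${line#VERSION_ID=} ;;
        esac
    done
    printf '%s %s\n' "$(printf '%s' "$id" | tr -d '"')" "$(printf '%s' "$ver" | tr -d '"')"
}

# Inspect one image and scan it only if its base distribution is supported.
# Assumes docker and srcclr are installed; returns 2 for an unsupported base.
scan_image() {
    image=$1
    fields=$(docker run --rm --entrypoint cat "$image" /etc/os-release | os_release_fields)
    set -- $fields
    if supported_distro "$1" "$2"; then
        srcclr scan --image "$image"
    else
        echo "skipping $image: $1 $2 is not a supported distribution" >&2
        return 2
    fi
}

# Example CI loop (assumes images are already built locally):
# for img in $(docker images --format '{{.Repository}}:{{.Tag}}'); do scan_image "$img"; done
```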

View scan results

After your agent-based scan is complete, you can view the vulnerabilities in your container from the project page in the Veracode Platform.