Container scanning extends the Veracode vulnerability database and SCA technology to system libraries in Docker containers.
Veracode Software Composition Analysis agent-based scanning supports container scanning for these Linux distributions:
- RHEL 7
- CentOS 6 and 7
- Alpine 3
- Debian 8, 9, and 10
- Ubuntu 16.04, 18.04, 20.04, 20.10, and 21.04

and these package managers:
- yum
- pip
- NPM
- gem
- apk
- apt
When using yum, Veracode recommends you have the permissions to run yum updates in the container without root privileges.
Agent-based scanning only supports official RHEL Docker images, which require a RHEL subscription.
Command-Line Interface Scanning
Images
To scan a Docker image, pass the image name and tag to --image:
$ docker images --format '{{.Repository}}:{{.Tag}}'
centos:7
$ srcclr scan --image centos:7
Containers
To scan a container running locally, pass the container ID or name to --container:
$ docker ps --format '{{.ID}}'
2ca861ab7e85
$ srcclr scan --container 2ca861ab7e85
$ docker ps --format '{{.Names}}'
compassionate_shirley
$ srcclr scan --container compassionate_shirley
Note: The following repository-specific features are not available for container scanning: vulnerable methods, lines of code, and SCM-specific concepts such as branches.
Continuous Integration Scanning
To scan a Docker image using the continuous integration (CI) agent, modify the existing cURL script for the Veracode SCA agent to:
curl -sSL https://download.sourceclear.com/ci.sh | sh -s scan --image <image name>
Note: The Travis CI addon, which does not use this cURL script, does not currently support scanning Docker images.
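The CLI and CI commands above take whatever image reference they are given, so an untagged name silently scans the implicit "latest" tag and the CI step executes a freshly downloaded script directly from the pipe. The following wrapper is an added example, not Veracode's own code: it refuses image references that carry no tag or digest, composes the srcclr command from the page, and runs the documented ci.sh step from a downloaded file instead of `curl | sh`. The function names and the download-to-file approach are this example's assumptions; the URL and the `scan --image` arguments are the ones the page shows.

```shell
#!/bin/sh
# Added example (not Veracode's own code): a wrapper around the documented
# `srcclr scan --image` and `ci.sh scan --image <image name>` steps.
set -eu

CI_SCRIPT_URL="https://download.sourceclear.com/ci.sh"   # URL from the page

# Returns 0 when the reference pins a tag or digest, 1 when it would fall
# back to the implicit "latest" tag. Only the last path component is
# inspected, so a registry port (host:5000/repo) is not mistaken for a tag.
image_ref_is_pinned() {
    ref=$1
    case "$ref" in
        *@sha256:*) return 0 ;;   # content-addressed digest
    esac
    last=${ref##*/}
    case "$last" in
        *:*) return 0 ;;          # explicit tag present
        *)   return 1 ;;
    esac
}

# Prints the CLI invocation from the page for a pinned image reference;
# fails without printing anything for an unpinned one.
image_scan_cmd() {
    image_ref_is_pinned "$1" || return 1
    printf 'srcclr scan --image %s\n' "$1"
}

# Runs the documented CI scan, but saves ci.sh to a temporary file first so
# the fetched script can be inspected or kept as a pipeline artifact.
run_ci_scan() {
    image=$1
    if ! image_ref_is_pinned "$image"; then
        echo "refusing to scan unpinned image reference: $image" >&2
        return 1
    fi
    tmp=$(mktemp)
    rc=0
    curl -sSL "$CI_SCRIPT_URL" -o "$tmp"
    sh "$tmp" scan --image "$image" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage in a pipeline step (constructed example): run_ci_scan centos:7
```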
Viewing Container Scanning Results
After your agent-based scan is complete, you can view the vulnerabilities in your container from the project page in the Veracode Platform.