Assess Docker Image Security with cnspec
Scan Docker images, containers, and Dockerfiles for security misconfigurations and CVEs using cnspec.
Use cnspec to scan Docker images, containers, and Dockerfiles for security misconfigurations, CVEs, and end-of-life operating systems using the built-in Mondoo security policies or your own custom policies.

Dockerfiles
Scan Dockerfiles to reveal security issues before they reach production.
Scan a single Dockerfile, substituting the path and name of the file for FILEPATH:
cnspec scan docker file FILEPATH
Find nested Dockerfiles within a directory, substituting the directory path for PATH:
cnspec scan docker file PATH

Docker images
Use cnspec to scan Docker images in public or private container registries using their registry name:
cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubi
If the Docker agent is installed, you can scan images by their ID:
cnspec scan docker docker-image-id

Docker containers
Scan a running or stopped Docker container by the container ID:
cnspec scan docker docker-container-id

Manage cnspec providers for containers
Providers are the components of cnspec that allow it to evaluate specific platforms. To learn how to manage cnspec providers most efficiently for containers, read Manage cnspec Providers.

Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- Explore Mondoo's Docker resources.