
Assess Docker Image Security with cnspec

This page provides an overview of how to use Mondoo to scan Docker images for security vulnerabilities.

Use cnspec to scan Docker images, containers, and Dockerfiles for security misconfigurations, CVEs, and end-of-life operating systems using the built-in Mondoo security policies or your own custom policies.

Dockerfiles

Scan Dockerfiles to reveal security issues before they reach production.

Scan a single Dockerfile, substituting the path and name of the file for FILEPATH:

cnquery scan docker file FILEPATH

Find nested Dockerfiles within a directory, substituting the directory path for PATH:

cnquery scan docker file PATH

Docker images

Use cnspec to scan Docker images in public or private container registries using their registry name:

cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubi

If the Docker agent is installed, you can scan images by their ID:

cnspec scan docker docker-image-id

Docker containers

Scan a running or stopped Docker container by the container ID:

cnspec scan docker docker-container-id

Providers are the components of cnspec that allow it to evaluate specific platforms. To learn how to manage cnspec providers most efficiently for containers, read Manage cnspec Providers.
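
The scan commands above can be combined into one batch run for a CI job. The following is an added example, not part of the Mondoo documentation. The list-file format, the `scan_targets` function, and the `SCANNER`, `FILE_SCANNER`, and `FAILED` variables are assumptions of this example, as is the scanner exiting non-zero when a scan fails.

```shell
#!/bin/sh
# Added example: run the scan commands from this page over a list of targets.
# Assumption: the scanner exits non-zero when a scan fails or errors.

SCANNER="${SCANNER:-cnspec}"             # used for images and containers
FILE_SCANNER="${FILE_SCANNER:-cnquery}"  # this page uses cnquery for Dockerfiles

# scan_targets LISTFILE
# LISTFILE holds one "<kind> <target>" pair per line, where kind is
# image, container, or file. Blank lines and lines starting with # are skipped.
# Returns 0 if every scan passed, 1 if any scan failed, 2 on a malformed list.
# FAILED is set to a comma-separated list of the targets that failed.
scan_targets() {
  _list="$1"
  _rc=0
  FAILED=""
  # Read the list on fd 3 so the scanner cannot consume it through stdin.
  while read -r _kind _target <&3 || [ -n "$_kind" ]; do
    case "$_kind" in ''|'#'*) continue ;; esac
    # Refuse empty targets, targets containing spaces, and targets that start
    # with '-', so a list entry is never parsed as a scanner option.
    case "$_target" in
      ''|-*|*' '*) echo "bad target: $_kind $_target" >&2; return 2 ;;
    esac
    case "$_kind" in
      image|container) "$SCANNER" scan docker "$_target" ;;
      file)            "$FILE_SCANNER" scan docker file "$_target" ;;
      *) echo "unknown kind: $_kind" >&2; return 2 ;;
    esac || {
      # Keep scanning the remaining targets, but remember the failure.
      FAILED="${FAILED:+$FAILED, }$_kind $_target"
      _rc=1
    }
  done 3< "$_list"
  return "$_rc"
}

# Usage in a pipeline step (targets.txt is a constructed file name):
#   scan_targets targets.txt || { echo "failed: $FAILED" >&2; exit 1; }
```

Because every target is scanned before the function returns, a single CI run reports all failing images and Dockerfiles rather than stopping at the first one.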
