Assess Docker Container Security with cnspec

Scan running and stopped Docker containers for security misconfigurations using cnspec.

Use cnspec to scan running or stopped Docker containers for security misconfigurations, CVEs, and policy violations.

Scan a Docker container

First, find the container ID of the container you want to scan:

docker ps

CONTAINER ID   IMAGE          COMMAND       CREATED          STATUS          NAMES
3b8f29c5e0a2   nginx:latest   "/docker…"   10 minutes ago   Up 10 minutes   web-server

Then scan the container using its ID:

cnspec scan docker 3b8f29c5e0a2

You can only scan Docker containers if the Docker engine is installed.

Scan options

Option	Description
`--asset-name`	Override the asset name
`--annotation`	Add an annotation to the asset (`key=value`)
`--incognito`	Run in incognito mode (do not report results to Mondoo Platform)
`-o`, `--output`	Set the output format (`compact`, `full`, `json`, `junit`, `summary`, `yaml`)
`-f`, `--policy-bundle`	Path to a policy file (local path, `s3://` URI, or `http(s)://` URL)
`--policy`	Specify policies to execute (requires `--policy-bundle`)
`--risk-threshold`	Exit with status 1 if any risk meets or exceeds this value (0-100)
`--sudo`	Elevate privileges with sudo
`-j`, `--json`	Return the results as JSON

Learn more

To scan Docker images instead of containers, read Assess Docker Image Security.
To learn more about how the MQL query language works, read Write Effective MQL.

Assess Docker Container Security with cnspec

Scan a Docker container

Scan options

Learn more

On this page