Secure Docker Containers with cnspec

Scan running and stopped Docker containers for CVEs and security misconfigurations with cnspec.

Scan running or stopped Docker containers to find CVEs and security misconfigurations before they cause incidents. cnspec connects to containers directly and applies the OS security policies that match the container's platform (typically Linux), so you can verify that what is actually running matches your security baseline.

Scan a Docker container

First, find the container ID of the container you want to scan:

docker ps

CONTAINER ID   IMAGE          COMMAND       CREATED          STATUS          NAMES
3b8f29c5e0a2   nginx:latest   "/docker…"   10 minutes ago   Up 10 minutes   web-server

Then scan the container using its ID:

cnspec scan docker 3b8f29c5e0a2

You can only scan Docker containers if the Docker engine is installed.

Scan options

Option	Description
`--asset-name`	Override the asset name
`--annotation`	Add an annotation to the asset (`key=value`)
`--incognito`	Run in incognito mode (do not report results to Mondoo Platform)
`-o`, `--output`	Set the output format (`compact`, `full`, `json`, `junit`, `summary`, `yaml`)
`-f`, `--policy-bundle`	Path to a policy file (local path, `s3://` URI, or `http(s)://` URL)
`--policy`	Specify policies to execute (requires `--policy-bundle`)
`--risk-threshold`	Exit with status 1 if any risk meets or exceeds this value (0-100)

The Docker scan also accepts --sudo to elevate privileges when reading host-level state.

Learn more

To scan Docker images instead of containers, read Secure Docker Images with cnspec.
To learn more about how the MQL query language works, read Write Effective MQL.

Secure Docker Containers with cnspec

Scan a Docker container

Scan options

Learn more

On this page