Secure Docker Images with cnspec
Scan Docker images for security misconfigurations and CVEs with cnspec.
Scan Docker images to find CVEs, end-of-life operating systems, and security misconfigurations before pushing them to a registry. cnspec applies the built-in Mondoo OS security policies (or your own custom policies) to give you a CI/CD gate that prevents vulnerable images from reaching production.
This page is part of scanning your supply chain with cnspec. If you're new to cnspec, start with the Quickstart to install cnspec and run your first scan.
Prerequisites
To scan Docker images with cnspec, you must have:
- cnspec installed on your workstation
- Docker installed (for scanning local images)
Scan Docker images
Scan Docker images in public or private container registries using their registry name:
```shell
cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubi
```

Scan options
| Option | Description |
|---|---|
| --asset-name | Override the asset name |
| --annotation | Add an annotation to the asset (key=value) |
| --incognito | Run in incognito mode (do not report results to Mondoo Platform) |
| -o, --output | Set the output format (compact, full, json, junit, summary, yaml) |
| -f, --policy-bundle | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
| --policy | Specify policies to execute (requires --policy-bundle) |
| --risk-threshold | Exit with status 1 if any risk meets or exceeds this value (0-100) |
Docker image scans also accept these extra options:
| Option | Description |
|---|---|
| --container-proxy | HTTP proxy to use for container pulls |
| --disable-cache | Disable the in-memory cache for images (significantly slows scans) |
| --discover | Enable discovery of nested assets (all, auto, container, container-images) |
| --sudo | Elevate privileges with sudo |
cnspec prints the results to your terminal. To control the output format or send results to a file or CI system, read Report Results.
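The following CI gate script is an added example, not code from the cnspec project or this page. It combines the options from the tables above the way a pipeline step would: `--incognito` so a build agent needs no Mondoo Platform credentials, `--asset-name` and `--annotation` so the result can be traced back to the build, `-o junit` so the CI system can ingest the report, and `--risk-threshold` as the pass/fail decision. Assumptions beyond the page: `CNSPEC_BIN` is a variable this script introduces so a pipeline (or a test) can substitute the scanner binary, `ci-pipeline` is a constructed annotation key populated from the common `CI_PIPELINE_ID` variable, and only exit status 1 has a documented meaning (threshold reached); the script treats every other non-zero status as a scanner error and maps it to its own status 2.

```shell
#!/bin/sh
# Added example (not part of the cnspec project): a CI gate around
# `cnspec scan docker` that uses only flags from the option tables above.
# Assumptions: CNSPEC_BIN names the scanner binary (defaults to cnspec on
# PATH); `ci-pipeline` is a constructed annotation key; exit status 1 means
# the risk threshold was reached (documented); any other non-zero status is
# treated as a scanner error (this script's convention, not cnspec's).
CNSPEC_BIN="${CNSPEC_BIN:-cnspec}"

# gate_image IMAGE THRESHOLD ASSET_NAME REPORT_FILE
# Scans IMAGE without reporting to Mondoo Platform (--incognito), writes a
# JUnit report for the CI system to REPORT_FILE, and returns:
#   0  scan finished and no finding reached THRESHOLD (0-100)
#   1  at least one finding met or exceeded THRESHOLD
#   2  the scanner itself failed (image pull, bad arguments, ...)
gate_image() {
  image="$1"
  threshold="$2"
  asset="$3"
  report="$4"

  # `if` keeps the call safe under `set -e`; $? in the else branch is the
  # scanner's exit status.
  if "$CNSPEC_BIN" scan docker "$image" \
      --incognito \
      --asset-name "$asset" \
      --annotation "ci-pipeline=${CI_PIPELINE_ID:-local}" \
      --risk-threshold "$threshold" \
      -o junit > "$report"; then
    status=0
  else
    status=$?
  fi

  case "$status" in
    0) echo "PASS: $image stays below risk threshold $threshold" ;;
    1) echo "FAIL: $image has findings at or above risk $threshold (see $report)" >&2 ;;
    *) echo "ERROR: scanner exited with status $status for $image" >&2
       status=2 ;;
  esac
  return "$status"
}

# When run directly: ./ci-gate.sh IMAGE [THRESHOLD]
# The report file name is derived from the image reference.
if [ -n "$1" ]; then
  report_name="cnspec-$(printf '%s' "$1" | tr '/:' '__').junit.xml"
  gate_image "$1" "${2:-70}" "$1" "$report_name"
fi
```

Because the gate's verdict is the scanner's exit status rather than a parse of its output, it keeps working regardless of which `-o` format you choose for the report; `-o junit` is used here only so the CI system can display the individual findings next to the failed step.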
Learn more
- To scan running containers instead of images, read Secure Docker Containers with cnspec.
- To scan images already stored in a registry, read about scanning Docker Hub, Amazon ECR, Azure ACR, and Google Container Registry.
- To learn more about how the MQL query language works, read Write Effective MQL.