Assess Docker Image Security with cnspec
Scan Docker images for security misconfigurations and CVEs using cnspec.
Use cnspec to scan Docker images for security misconfigurations, CVEs, and end-of-life operating systems using the built-in Mondoo security policies or your own custom policies.
Scan Docker images
Scan Docker images in public or private container registries by giving the image reference (registry host where needed, repository, and tag):
cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubi
Scan options
| Option | Description |
|---|---|
| --container-proxy | HTTP proxy to use for container pulls |
| --disable-cache | Disable the in-memory cache for images (significantly slows scans) |
| --discover | Enable discovery of nested assets (all, auto, container, container-images) |
| --asset-name | Override the asset name |
| --annotation | Add an annotation to the asset (key=value) |
| --incognito | Run in incognito mode (do not report results to Mondoo Platform) |
| -o, --output | Set the output format (compact, full, json, junit, summary, yaml) |
| -f, --policy-bundle | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
| --policy | Specify policies to execute (requires --policy-bundle) |
| --risk-threshold | Exit with status 1 if any risk meets or exceeds this value (0-100) |
| --sudo | Elevate privileges with sudo |
| -j, --json | Return the results as JSON |
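The options above are most useful combined into a pipeline gate: scan every image a build produces, keep scanning after the first failure so the log shows all results, and fail the job when --risk-threshold trips. The script below is an added example, not code from the cnspec documentation or the Mondoo project. It assumes cnspec is on PATH (overridable through CNSPEC_BIN), and the POLICY_BUNDLE and CI_COMMIT environment variables are this example's own conventions for passing a custom policy bundle and an asset annotation.

```shell
#!/bin/sh
# Added example (not from the cnspec docs): a CI gate that scans a list of
# Docker images with cnspec and fails the job if any image meets or exceeds
# the risk threshold. Assumed conventions, not documented on the page:
#   CNSPEC_BIN     - command used to invoke cnspec (default: cnspec)
#   POLICY_BUNDLE  - optional local path or URL passed to --policy-bundle
#   CI_COMMIT      - optional value recorded on the asset via --annotation

CNSPEC_BIN="${CNSPEC_BIN:-cnspec}"

# scan_image IMAGE THRESHOLD
# Scans one image in incognito mode (nothing is reported to Mondoo Platform)
# and returns cnspec's exit status: 0 below the threshold, 1 when any risk
# meets or exceeds it (the documented --risk-threshold behaviour).
scan_image() {
    img="$1"
    thr="$2"
    # Positional parameters are local to the function, so build the
    # argument list with set -- to avoid word-splitting pitfalls.
    set -- scan docker "$img" --incognito --risk-threshold "$thr" -o summary
    if [ -n "${POLICY_BUNDLE:-}" ]; then
        set -- "$@" --policy-bundle "$POLICY_BUNDLE"
    fi
    if [ -n "${CI_COMMIT:-}" ]; then
        set -- "$@" --annotation "commit=$CI_COMMIT"
    fi
    "$CNSPEC_BIN" "$@"
}

# scan_images THRESHOLD IMAGE...
# Scans every image, continues after a failure so all results are logged,
# prints a one-line summary, and returns 1 if at least one image failed.
scan_images() {
    threshold="$1"
    shift
    total=$#
    failed=0
    for image in "$@"; do
        if scan_image "$image" "$threshold"; then
            echo "PASS $image"
        else
            echo "FAIL $image (risk >= $threshold)"
            failed=$((failed + 1))
        fi
    done
    echo "$failed of $total images failed the risk gate"
    [ "$failed" -eq 0 ]
}

# Run as a script: ./scan-images.sh THRESHOLD IMAGE...
# e.g. ./scan-images.sh 70 ubuntu:latest elastic/elasticsearch:7.2.0
# The exit status of scan_images becomes the job's exit status.
if [ $# -ge 2 ]; then
    scan_images "$@"
fi
```

Run it with the threshold first and the images after it, for example `./scan-images.sh 70 ubuntu:latest gcr.io/google-containers/ubuntu:22.04`. Incognito mode keeps the gate usable on runners that have no Mondoo Platform credentials; drop --incognito if results should be recorded centrally.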
Learn more
- To scan running containers instead of images, read Assess Docker Container Security.
- To learn more about how the MQL query language works, read Write Effective MQL.