Secure Docker Images with cnspec
Scan Docker images for security misconfigurations and CVEs with cnspec.
import IacScanOptions from './_iac-scan-options.mdx';
Scan Docker images to find CVEs, end-of-life operating systems, and security misconfigurations before pushing them to a registry. cnspec applies the built-in Mondoo OS security policies (or your own custom policies) to give you a CI/CD gate that prevents vulnerable images from reaching production.
Prerequisites
To scan Docker images with cnspec, you must have:
- cnspec installed on your workstation
- Docker installed (for scanning local images)
Scan Docker images
Scan Docker images in public or private container registries using their registry name:
```bash
cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubi
```

Docker image scans also accept these extra options:
| Option | Description |
|---|---|
| `--container-proxy` | HTTP proxy to use for container pulls |
| `--disable-cache` | Disable the in-memory cache for images (significantly slows scans) |
| `--discover` | Enable discovery of nested assets (`all`, `auto`, `container`, `container-images`) |
| `--sudo` | Elevate privileges with sudo |
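The page describes cnspec as a CI/CD gate that keeps vulnerable images out of the registry. The script below is an added example (not part of the cnspec documentation or the Mondoo project) showing how that gate looks in a pipeline: it scans every image a build produced, passes the proxy and discovery options from the table above through environment variables, keeps scanning after a failure so the job log lists every failing image, and exits non-zero if any image fails. It assumes cnspec is on `PATH` (override with the hypothetical `CNSPEC_BIN` variable) and relies on cnspec's `--score-threshold` flag exiting non-zero when the policy score falls below the threshold.

```shell
#!/bin/sh
# Added example, not from the cnspec docs: a CI/CD gate that scans each image
# built in a pipeline with cnspec and fails the job if any image scores below
# a threshold. Assumptions: cnspec is on PATH (override with CNSPEC_BIN), and
# `cnspec scan docker --score-threshold N` exits non-zero below score N.

CNSPEC_BIN="${CNSPEC_BIN:-cnspec}"
SCORE_THRESHOLD="${SCORE_THRESHOLD:-80}"

# Scan one image. Optional proxy and discovery settings are taken from the
# environment so the same script works behind a corporate proxy or when
# nested assets should be discovered.
scan_image() {
  image="$1"
  set -- scan docker "$image" --score-threshold "$SCORE_THRESHOLD"
  if [ -n "${CONTAINER_PROXY:-}" ]; then
    set -- "$@" --container-proxy "$CONTAINER_PROXY"
  fi
  if [ -n "${DISCOVER:-}" ]; then
    set -- "$@" --discover "$DISCOVER"
  fi
  "$CNSPEC_BIN" "$@"
}

# Scan every image given as an argument. Unlike chaining the commands with
# `&&`, this keeps going after a failure so the job log shows all failing
# images, then returns 1 if any image did not pass the gate.
gate_images() {
  failed=""
  for image in "$@"; do
    if scan_image "$image"; then
      echo "PASS $image"
    else
      echo "FAIL $image (score below $SCORE_THRESHOLD or scan error)"
      failed="$failed $image"
    fi
  done
  if [ -n "$failed" ]; then
    echo "Gate failed for:$failed" >&2
    return 1
  fi
  return 0
}

# Usage in a pipeline step: sh gate.sh myapp:1.2.3 myapp-sidecar:1.2.3
if [ "$#" -gt 0 ]; then
  gate_images "$@"
fi
```

Run it as the last step before `docker push`; a non-zero exit from `gate_images` stops the push, and the `FAIL` lines in the job log tell you which image to fix. Set `SCORE_THRESHOLD` per environment if staging may accept a lower score than production.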
Learn more

- To scan running containers instead of images, read Secure Docker Containers with cnspec.
- To learn more about how the MQL query language works, read Write Effective MQL.