Supply Chain
Assess Docker Image Security with cnspec
Scan Docker images for security misconfigurations and CVEs using cnspec.
Scan Docker images for CVEs, end-of-life operating systems, and security misconfigurations before pushing them to a registry. cnspec evaluates images against built-in Mondoo policies or your own custom policies, giving you a gate in CI/CD to prevent vulnerable images from reaching production.
Prerequisites
To scan Docker images with cnspec, you must have:
- cnspec installed on your workstation
- Docker installed (for scanning local images)
Scan Docker images
Scan Docker images in public or private container registries using their registry name:
cnspec scan docker ubuntu:latest
cnspec scan docker elastic/elasticsearch:7.2.0
cnspec scan docker gcr.io/google-containers/ubuntu:22.04
cnspec scan docker registry.access.redhat.com/ubi8/ubiScan options
| Option | Description |
|---|---|
--container-proxy | HTTP proxy to use for container pulls |
--disable-cache | Disable the in-memory cache for images (significantly slows scans) |
--discover | Enable discovery of nested assets (all, auto, container, container-images) |
--asset-name | Override the asset name |
--annotation | Add an annotation to the asset (key=value) |
--incognito | Run in incognito mode (do not report results to Mondoo Platform) |
-o, --output | Set the output format (compact, full, json, junit, summary, yaml) |
-f, --policy-bundle | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
--policy | Specify policies to execute (requires --policy-bundle) |
--risk-threshold | Exit with status 1 if any risk meets or exceeds this value (0-100) |
--sudo | Elevate privileges with sudo |
Learn more
-
To scan running containers instead of images, read Assess Docker Container Security.
-
To learn more about how the MQL query language works, read Write Effective MQL.