Scan Docker Hub Images with cnspec
Scan Docker Hub container images for security vulnerabilities and misconfigurations with cnspec.
Docker Hub is the most widely used public container registry. To learn the basics, read the Docker Hub Get Started Guide.
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Prerequisites
Install the Docker CLI and log in to the registry:
docker login
Scan Docker Hub
Scan a specific repository:
cnspec scan container registry index.docker.io/<org>/<image>
cnspec resolves the available image tags, applies the OS security policies that match each image's platform, and reports vulnerabilities and misconfigurations:
Start the vulnerability scan:
→ resolve asset connections
→ detected alpine 3.19
→ gather platform packages for vulnerability scan
→ found 38 packages
✔ completed analysis for <imageId>
Advisory Reports Overview
■ SCORE NAME SCORE
■ 0.0 <imageId-1> ══════════
■ 0.0 <imageId-2> ══════════
Scan a specific tagged image with cnspec scan docker:
cnspec scan docker mondoo/cnspec:latest
Learn more
- Secure Docker Images with cnspec: scan a specific image from any registry
- Secure Dockerfiles with cnspec: catch insecure patterns before an image is built
- Write Effective MQL: guide to authoring checks and queries