Scan Docker Hub Images with cnspec
Scan Docker Hub container images for security vulnerabilities and misconfigurations with cnspec.
Docker Hub is the most widely used public container registry. To learn the basics, read the Docker Hub Get Started Guide.
Scanning a registry is part of securing your supply chain with cnspec. If you're new to cnspec, start with the Quickstart.
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Prerequisites
Install the Docker CLI and log in to the registry:
docker login
Scan Docker Hub
Scan a specific repository:
cnspec scan container registry index.docker.io/<org>/<image>
cnspec resolves the available image tags, applies the OS security policies that match each image's platform, and reports vulnerabilities and misconfigurations:
Start the vulnerability scan:
→ resolve asset connections
→ detected alpine 3.19
→ gather platform packages for vulnerability scan
→ found 38 packages
✔ completed analysis for <imageId>
Advisory Reports Overview
■ SCORE NAME SCORE
■ 0.0 <imageId-1> ══════════
■ 0.0 <imageId-2> ══════════
Scan a specific tagged image with cnspec scan docker:
cnspec scan docker mondoo/cnspec:latest
Learn more
- Secure Docker Images with cnspec: scan a specific image from any registry
- Secure Dockerfiles with cnspec: catch insecure patterns before an image is built
- Write Effective MQL: guide to authoring checks and queries
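The two scan forms shown above (a whole repository, or one tagged image) can be driven from a single script that checks each reference before handing it to cnspec. This is an added example, not part of the cnspec documentation: the function names, the CNSPEC override variable and the validation rules are assumptions of this sketch, and it treats any non-zero exit status from cnspec as a failed scan.

```shell
#!/bin/sh
# Added example (not from the cnspec docs): scan a list of Docker Hub references.
# CNSPEC names the scanner binary; override it to dry-run without cnspec installed.
CNSPEC="${CNSPEC:-cnspec}"

# Print the cnspec arguments for one Docker Hub reference, using the two
# command forms from this page:
#   <org>/<image>        -> scan container registry index.docker.io/<org>/<image>
#   <org>/<image>:<tag>  -> scan docker <org>/<image>:<tag>
cnspec_args_for() {
    ref=$1
    case $ref in
        -*|*[!A-Za-z0-9._/:-]*) return 1 ;;  # option-like or unexpected characters
    esac
    repo=${ref%%:*}
    case $repo in
        */*/*|/*|*/) return 1 ;;  # a third segment would name another registry host
        */*) ;;                   # exactly <org>/<image>
        *) return 1 ;;            # no org, or host:port/<image>
    esac
    if [ "$repo" = "$ref" ]; then
        printf 'scan container registry index.docker.io/%s\n' "$repo"
    else
        tag=${ref#*:}
        case $tag in ''|*[:/]*) return 1 ;; esac  # empty or malformed tag
        printf 'scan docker %s\n' "$ref"
    fi
}

# Scan every reference given; the return status is the number of failures.
scan_all() {
    failed=0
    for ref in "$@"; do
        if ! args=$(cnspec_args_for "$ref"); then
            echo "skip: not a Docker Hub <org>/<image>[:<tag>] reference: $ref" >&2
            failed=$((failed + 1))
            continue
        fi
        # Word splitting of $args is intended; its content was validated above.
        "$CNSPEC" $args || failed=$((failed + 1))
    done
    return "$failed"
}

# When called with arguments, scan them, e.g.: sh scan-hub.sh mondoo/cnspec:latest
[ "$#" -eq 0 ] || scan_all "$@"
```

Rejecting references that start with `-` or carry a registry host keeps a mistyped or untrusted list entry from being read as a cnspec option or from pointing the scan at a registry other than Docker Hub.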