
Container Scanning

Container security scanning analyzes Dockerfiles and container configuration files found in your repositories during scans. This helps you identify vulnerabilities in your container setup before deploying to production.

What Container Scanning Does

Container files (Dockerfile, docker-compose.yml) are analyzed automatically as part of repository scans. The CodeStax Container Security Engine inspects your container configuration for known vulnerabilities, misconfigurations, and security best practice violations. Findings are checked against authoritative vulnerability databases including NVD, GitHub Advisories, and vendor-specific sources.

How Container Scanning Works

Container scanning runs automatically when your repository contains container-related files:

  1. During a repository scan, CodeStax detects Dockerfiles, docker-compose.yml, and other container configuration files
  2. The Container Security Engine analyzes these files for vulnerabilities and misconfigurations
  3. Results appear in your scan findings alongside other security issues

Scan Results

Results include:

Field               Description
Vulnerability ID    CVE identifier
Severity            Critical, High, Medium, or Low badge
Package             Affected OS or library package
Installed Version   Version present in the image
Fixed Version       Version that resolves the vulnerability (if available)
Description         Summary of the vulnerability

Supported Base Images

Container scanning works with all major Linux distributions:

  • Alpine Linux
  • Debian / Ubuntu
  • Red Hat Enterprise Linux (RHEL) / CentOS
  • Amazon Linux
  • Oracle Linux
  • SUSE Linux

Best Practices

  1. Use minimal base images — Alpine-based images have a smaller attack surface
  2. Pin image tags — Avoid the "latest" tag in production; use specific version tags
  3. Scan before deploying — Integrate container scanning into your CI/CD pipeline
  4. Rebuild images regularly — Base image updates often include security patches
  5. Check fixed versions — Upgrading the base image or a specific package may resolve multiple CVEs at once
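As an added example (not CodeStax code), the "pin image tags" practice above written as a small check you can run in CI before the scanner does: it parses every FROM instruction in a Dockerfile and reports base images that carry no tag (which Docker treats as latest) or an explicit latest tag, while skipping digest pins, multi-stage build aliases and the reserved scratch image. The sample Dockerfile is constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample Dockerfile (not from the original page). It covers the
# cases the checker distinguishes: untagged, explicit latest, version tag,
# digest pin, reference to an earlier build stage, and scratch.
SAMPLE_DOCKERFILE = """\
FROM python AS build
FROM --platform=linux/amd64 node:latest
FROM alpine:3.19
FROM debian@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM build
FROM scratch
"""

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def check_from_lines(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, image_ref, reason) for each FROM that is not pinned.

    A reference counts as pinned when it has a version tag other than 'latest'
    or a content digest (@sha256:...). Aliases of earlier stages and 'scratch'
    are not base images pulled from a registry, so they are skipped.
    """
    findings = []
    stages = set()
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if "@sha256:" in ref:
            continue  # digest pin: the strongest form of pinning
        # Only the last path component can carry a tag; an earlier ':' is a registry port.
        name = ref.rsplit("/", 1)[-1]
        if ":" not in name:
            findings.append((lineno, ref, "no tag (implicitly latest)"))
        elif name.rsplit(":", 1)[1].lower() == "latest":
            findings.append((lineno, ref, "explicit latest tag"))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in check_from_lines(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref}: {reason}")
```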