Scanning a container image
The agent can scan images that follow the OCI and Docker standards. A scan can be launched in one of the following ways, by specifying:
- the path to a tar archive created with docker save:
- the name of an image located in the Docker daemon or Podman:
- the name of an image from the public Docker Hub:
- the name of an image from a private registry:
Before working with a private repository, you need to run the command docker login.
Alternatively, you can log in to the private registry using environment variables:
- JOHNNY_REGISTRY_AUTH_AUTHORITY - URL to the registry (for example "docker.io", "localhost:5000", etc.);
- JOHNNY_REGISTRY_AUTH_LOGIN - login;
- JOHNNY_REGISTRY_AUTH_PASSWORD - password;
- JOHNNY_REGISTRY_AUTH_TOKEN - token;
or through similar variables in the config file:
- authority;
- login;
- password;
- token.
Note: token and login with password are interchangeable.
Scanning the file system inside a Docker image
To scan files inside an image, you need to add the --scan-files parameter to the command or specify the scan-files variable in the image section in the config file.
When scanning a file system, you can use the --ignore option to exclude specific files from analysis. For example:
Command parameters
The scan image command has four unique parameters, in addition to the general scan command settings:
- --hash – specifying the image hash;
- --scan-files – scanning files in the image;
- --branch-or-tag – a reference to a branch or repository tag. Format: ^refs/(heads|tags)/.+ (e.g. refs/tags/v1.0);
- --commit – specifying the commit hash.
For a summary of the available command parameters and usage instructions, you can call the command with the -h, --help flag.
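A pre-flight check for a CI job, covering the registry environment variables and the --branch-or-tag format described above. This is an added example, not part of the agent or its documentation: the function names are hypothetical, and it assumes that "interchangeable" means a token alone or a login with password alone is sufficient.

```shell
#!/bin/sh
# Pre-flight checks to run before starting an image scan from CI.
# Variable names and the ref format come from the page; the function
# names (check_registry_auth, check_branch_or_tag) are hypothetical.

# Succeeds when the registry credentials in the environment are complete:
# an authority plus either a token or a login/password pair.
# Assumption: either credential form is sufficient on its own.
check_registry_auth() {
    if [ -z "${JOHNNY_REGISTRY_AUTH_AUTHORITY:-}" ]; then
        echo "registry auth: JOHNNY_REGISTRY_AUTH_AUTHORITY is not set" >&2
        return 1
    fi
    if [ -n "${JOHNNY_REGISTRY_AUTH_TOKEN:-}" ]; then
        return 0
    fi
    if [ -n "${JOHNNY_REGISTRY_AUTH_LOGIN:-}" ] &&
       [ -n "${JOHNNY_REGISTRY_AUTH_PASSWORD:-}" ]; then
        return 0
    fi
    # Name the missing variables only; never echo credential values to the log.
    echo "registry auth: set JOHNNY_REGISTRY_AUTH_TOKEN, or both" \
         "JOHNNY_REGISTRY_AUTH_LOGIN and JOHNNY_REGISTRY_AUTH_PASSWORD" >&2
    return 1
}

# Succeeds when the value matches the documented --branch-or-tag format.
check_branch_or_tag() {
    printf '%s\n' "$1" | grep -Eq '^refs/(heads|tags)/.+'
}
```

Passing credentials through the environment of the CI job keeps them out of the command line, where they would be visible in process listings and build logs.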
When image scan results are saved, you can view detailed information about the image and its layers in the project:


