Static scanning of container images

Static scanning is supported for deployments on standalone Docker hosts and deployments in Kubernetes with Docker Runtime and Containerd Runtime.

The sensor performs static scanning of a container image as a fallback to dynamic scanning when the image does not have a shell (dynamic scanning runs its collection commands inside the container, so it needs one). Static scanning is also performed for Google distroless images, which ship without a shell. Static scanning is not performed on containers or container images that have a shell.

Static scanning collects the list of installed software from the container image file system and uses that list to find vulnerabilities in the image. The installed software list is read from the package manager metadata files in the image; the supported package managers are RPM, DPKG and Alpine apk.
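The following is an added example, not the sensor's own code, showing what the two preceding paragraphs describe: deciding that an extracted image filesystem has no shell and must be inventoried statically, then reading the installed software list from the package manager metadata files. It assumes the image filesystem has already been extracted to a directory (for example from the layers of `docker save`), that an image counts as shell-less when none of a fixed list of shell paths (`SHELL_PATHS`, an assumed heuristic) exists, and it parses only the dpkg status file and the Alpine apk installed database directly; an RPM database is only located, because rpmdb is a binary store that needs librpm or `rpm --root` to read. The sample metadata files are constructed, with made-up versions.

```python
"""Static inventory of an extracted container image filesystem.

Added example, not the sensor's own code. Assumes the image filesystem is
already extracted to a directory; treats an image as shell-less when none of
SHELL_PATHS exists; parses dpkg and apk metadata directly and only locates an
RPM database (rpmdb is binary: BerkeleyDB or SQLite, read it with librpm).
"""
import os
import tempfile

# Shells whose presence would let dynamic scanning run commands (assumed list).
SHELL_PATHS = ("bin/sh", "bin/bash", "bin/ash", "bin/dash", "usr/bin/sh")
# Package manager metadata locations inside the image filesystem.
DPKG_STATUS = "var/lib/dpkg/status"
APK_INSTALLED = "lib/apk/db/installed"
RPMDB_DIRS = ("var/lib/rpm", "usr/lib/sysimage/rpm")

# Constructed sample metadata in the real file formats; versions are made up.
SAMPLE_DPKG_STATUS = """\
Package: base-files
Status: install ok installed
Version: 12.4+deb12u5
Description: base system files
 continuation lines start with whitespace and are not fields

Package: libc6
Status: install ok installed
Version: 2.36-9+deb12u4

Package: removed-lib
Status: deinstall ok config-files
Version: 1.0-1
"""
SAMPLE_APK_INSTALLED = """\
P:musl
V:1.2.4-r2
A:x86_64

P:zlib
V:1.3-r2
"""


def has_shell(rootfs):
    """True when any known shell binary exists in the extracted filesystem."""
    return any(os.path.exists(os.path.join(rootfs, p)) for p in SHELL_PATHS)


def parse_dpkg_status(text):
    """Return {package: version} for packages whose dpkg state is 'installed'."""
    pkgs = {}
    for stanza in text.split("\n\n"):
        lines = [l for l in stanza.splitlines() if l[:1].strip() and ":" in l]
        fields = {k: v.strip() for k, v in (l.split(":", 1) for l in lines)}
        state = fields.get("Status", "").split()  # "<want> <flag> <state>"
        if "Package" in fields and state and state[-1] == "installed":
            pkgs[fields["Package"]] = fields.get("Version", "")
    return pkgs


def parse_apk_installed(text):
    """Return {package: version} from the apk installed database (P:/V: lines)."""
    pkgs = {}
    for stanza in text.split("\n\n"):
        fields = dict(l.split(":", 1) for l in stanza.splitlines() if ":" in l)
        if "P" in fields and "V" in fields:
            pkgs[fields["P"]] = fields["V"]
    return pkgs


def inventory(rootfs):
    """Return (scan_mode, package_manager, {name: version}) for an extracted image."""
    mode = "dynamic" if has_shell(rootfs) else "static"  # the sensor's fallback rule
    for rel, manager, parser in ((DPKG_STATUS, "dpkg", parse_dpkg_status),
                                 (APK_INSTALLED, "apk", parse_apk_installed)):
        path = os.path.join(rootfs, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                return mode, manager, parser(f.read())
    if any(os.path.isdir(os.path.join(rootfs, d)) for d in RPMDB_DIRS):
        return mode, "rpm", {}  # binary rpmdb: list it with `rpm -qa --root <rootfs>`
    return mode, None, {}  # no supported package metadata: nothing to inventory


def build_sample_rootfs(flavor, with_shell=False):
    """Constructed fixture: a rootfs holding one package database and, optionally, bin/sh."""
    rel, content = {"dpkg": (DPKG_STATUS, SAMPLE_DPKG_STATUS),
                    "apk": (APK_INSTALLED, SAMPLE_APK_INSTALLED)}[flavor]
    root = tempfile.mkdtemp(prefix="rootfs-")
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path))
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)
    if with_shell:  # an empty bin/sh satisfies the (assumed) shell heuristic
        os.makedirs(os.path.join(root, "bin"))
        open(os.path.join(root, "bin", "sh"), "w").close()
    return root
```

Calling `inventory(build_sample_rootfs("dpkg"))` returns `("static", "dpkg", {...})` with only the two packages whose dpkg state is `installed`; the `deinstall ok config-files` stanza is skipped, which matters because leftover configuration entries would otherwise be reported as vulnerable software. Passing `with_shell=True` flips the mode to `dynamic` without changing the parsed inventory.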

If the host where the sensor runs has large images without a shell, the sensor's disk space requirement may exceed the minimum requirement of 1 GB, so allow for more disk space on such hosts.