Container Runtimes
QScanner supports the following container image runtimes and searches them in this order: Docker, containerd, and cri-o. By default, it looks first in the local Docker Engine, then in containerd, and finally in Podman.
- Docker Runtime:
QScanner searches for the specified image in your local Docker Engine. This runtime is skipped if Docker Engine is not running locally. QScanner expects the Docker socket to be present at this path: unix:///var/run/docker.sock.
You can override this path using the DOCKER_HOST environment variable.
For example, export DOCKER_HOST=unix:///some/other/path/to/docker/socket/docker.sock
- Containerd:
QScanner looks for the specified image in your local containerd. This runtime is skipped if containerd is not running locally. If your containerd socket is not at the default path (/run/containerd/containerd.sock), you can override it via the CONTAINERD_ADDRESS environment variable.
For example,
$ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
$ ./qscanner image centos
If your scan targets are images in a namespace other than containerd's default namespace (default), you can override it via CONTAINERD_NAMESPACE.
For example,
$ export CONTAINERD_NAMESPACE=k8s.io
$ ./qscanner image centos
- CRI-O:
QScanner supports cri-o runtime if you have Podman (>=2.0) running locally. The remote Podman is not supported. Before performing QScanner commands, you must enable the podman.sock systemd service on your machine. Use the following command to enable a Podman socket.
$ systemctl --user enable --now podman.socket
QScanner looks for podman.sock in $XDG_RUNTIME_DIR/podman/podman.sock.
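A preflight check for the socket paths and search order described above, as an added example that is not part of QScanner or its documentation. The function names are hypothetical, and treating a non-unix:// DOCKER_HOST as "no local socket" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of QScanner.

# Print the socket path documented for a runtime, honouring the
# environment overrides named on this page.
resolve_socket() {
    case "$1" in
        docker)
            # DOCKER_HOST carries a unix:// scheme; strip it to get a path.
            host="${DOCKER_HOST:-unix:///var/run/docker.sock}"
            case "$host" in
                unix://*) printf '%s\n' "${host#unix://}" ;;
                *) return 1 ;;   # assumption: tcp:// etc. is not a local socket
            esac
            ;;
        containerd)
            printf '%s\n' "${CONTAINERD_ADDRESS:-/run/containerd/containerd.sock}"
            ;;
        podman)
            # The page gives no fallback when XDG_RUNTIME_DIR is unset.
            [ -n "${XDG_RUNTIME_DIR:-}" ] || return 1
            printf '%s\n' "$XDG_RUNTIME_DIR/podman/podman.sock"
            ;;
        *) return 2 ;;
    esac
}

# Print "<runtime> <path>" for the first runtime, in the documented search
# order, whose socket file exists. Returns 1 if none is found.
first_available_runtime() {
    for rt in docker containerd podman; do
        path=$(resolve_socket "$rt") || continue
        if [ -S "$path" ]; then
            printf '%s %s\n' "$rt" "$path"
            return 0
        fi
    done
    return 1
}

# Report which runtime a scan on this host would be expected to reach first.
first_available_runtime || echo "no local runtime socket found"
```

A socket file that exists does not guarantee the daemon behind it is responding, so treat the result as a path check only.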