Supported Container Runtimes

When scanning an image, QScanner searches the supported container runtimes in the following sequence: Docker, containerd, CRI-O, remote registry. By default, it looks first in the local Docker Engine, then in containerd, then in Podman, and finally in the remote registry.

  1. Docker
    QScanner searches for the specified image in your local Docker Engine. This step is skipped if Docker Engine is not running locally. QScanner expects the Docker socket to be present at this path: unix:///var/run/docker.sock.
    You can override this path using the DOCKER_HOST environment variable.
    For example,
    $ export DOCKER_HOST=unix:///some/other/path/to/docker/socket/docker.sock
  2. Containerd
    QScanner looks for the specified image in your local containerd. You need to specify the full image name, including the registry and the image tag, for QScanner to find the image locally and scan it on containerd.
    For example,
    Image name - `docker.io/library/golang:latest`
    OR
    The repo digest of the image - `golang@sha256:70031844*******51d0bb63e2c383f80db85d9*****4e3da7e13bcf80efa9a37`.
    QScanner skips the above step if containerd is not running locally.

    If your containerd socket is not at the default path (`/run/containerd/containerd.sock`), you can override it using the `CONTAINERD_ADDRESS` environment variable.
    For example,
    $ export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
    $ ./qscanner image docker.io/library/golang:latest


    If your scan targets are images in a namespace other than containerd's default namespace (default), you can override it via CONTAINERD_NAMESPACE.
    For example,
    $ export CONTAINERD_NAMESPACE=k8s.io
    $ ./qscanner image docker.io/library/golang:latest
  3. Podman
    QScanner supports Podman if you have Podman (>=2.0) running locally. Before running QScanner commands, you must enable the podman.sock systemd service on your machine. For more information, refer to https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine

    Use the following command to enable a Podman socket.

    $ systemctl --user enable --now podman.socket
    QScanner looks for podman.sock in $XDG_RUNTIME_DIR/podman/podman.sock.
    By default, this is /run/podman/podman.sock.
    You can find this path by running the `podman info` command. To override this path, use the XDG_RUNTIME_DIR environment variable.
    For example,
    # To use /my/custom/socket/path/podman/podman.sock
    $ export XDG_RUNTIME_DIR=/my/custom/socket/path

    Remote Podman is not supported.

  4. CRI-O
    Currently, the CRI-O runtime is supported only when using `--storage-driver crio-overlay`. For more details, refer to the Storage Drivers topic.
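
A preflight check for the socket lookup described above, as an added example that is not part of QScanner: it resolves each socket path from the defaults and environment overrides on this page and reports whether the socket exists and is accessible to the current user. The function names are hypothetical, and treating an unset XDG_RUNTIME_DIR as /run is an assumption based on the default Podman path stated above.

```shell
#!/bin/sh
# Added example (not QScanner code): resolve each runtime socket from the
# defaults and environment overrides described above, then report its state.
# All function names are hypothetical.

docker_socket_path() {
    # Page default: unix:///var/run/docker.sock, overridable via DOCKER_HOST.
    host="${DOCKER_HOST:-unix:///var/run/docker.sock}"
    case "$host" in
        unix://*) printf '%s\n' "${host#unix://}" ;;
        *) return 1 ;;  # assumption: a non-unix DOCKER_HOST is not a local socket
    esac
}

containerd_socket_path() {
    printf '%s\n' "${CONTAINERD_ADDRESS:-/run/containerd/containerd.sock}"
}

containerd_namespace() {
    printf '%s\n' "${CONTAINERD_NAMESPACE:-default}"
}

podman_socket_path() {
    # Assumption: an unset XDG_RUNTIME_DIR maps to /run (the page's default path).
    printf '%s\n' "${XDG_RUNTIME_DIR:-/run}/podman/podman.sock"
}

socket_state() {
    # Prints "missing", "ok" or "no-access" for the socket path in $1.
    if [ ! -S "$1" ]; then echo missing
    elif [ -r "$1" ] && [ -w "$1" ]; then echo ok
    else echo no-access
    fi
}

runtime_report() {
    # Same order in which the page says the runtimes are searched.
    if d="$(docker_socket_path)"; then
        printf '%-11s %s (%s)\n' docker "$d" "$(socket_state "$d")"
    else
        printf '%-11s %s (%s)\n' docker "${DOCKER_HOST:-}" "not a unix socket"
    fi
    c="$(containerd_socket_path)"
    printf '%-11s %s (%s, namespace %s)\n' containerd "$c" \
        "$(socket_state "$c")" "$(containerd_namespace)"
    p="$(podman_socket_path)"
    printf '%-11s %s (%s)\n' podman "$p" "$(socket_state "$p")"
}

runtime_report
```

A `missing` result corresponds to the cases where the page says the runtime is skipped; `no-access` means the socket exists but the current user cannot read and write it.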