Vulnerability Scanners

Docker images may contain software with known security vulnerabilities. Multiple providers offer scanning software that checks images for such vulnerabilities and can be integrated into your Container Registry instance. Every instance comes with two pre-installed, open-source vulnerability scanners: Trivy, which is the default, and Clair.

What Vulnerability Scanners Do

Known security vulnerabilities are flaws in software that can be exploited to cause a security breach. Publicly disclosed vulnerabilities are recorded, each under a unique CVE identifier, in the ever-growing Common Vulnerabilities and Exposures (CVE) list.

Vulnerability scanners do not need the image's source code: they unpack the image's layers, take an inventory of the software installed in it (operating-system packages and, depending on the scanner, language-level dependencies), and compare the installed versions against the vulnerability database to find matches. Individual vulnerabilities can be excluded from matching, for instance when a finding does not apply to the way the image is used, as explained here.
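To make the matching step concrete, the following is an added toy scanner written for this page; it is not code from Trivy, Clair or the Container Registry. It reads a constructed excerpt in the style of the dpkg package database that a scanner extracts from an image layer, compares each installed version with the first fixed version listed in a constructed advisory feed (the CVE-0000-* identifiers are placeholders, not real CVEs), and reports allowlisted matches separately instead of dropping them. The version ordering is a simplified approximation of Debian's and is marked as such in the code.

```python
import re

# Constructed sample: an excerpt in the style of /var/lib/dpkg/status, the
# package database a scanner reads out of an image layer. Package names and
# versions are made up for this example.
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1k-1

Package: curl
Status: install ok installed
Version: 7.74.0-1.3

Package: bash
Status: install ok installed
Version: 5.1-2

Package: removed-tool
Status: deinstall ok config-files
Version: 0.9-1
"""

# Constructed advisory feed with placeholder identifiers (CVE-0000-* are not
# real CVEs). "fixed_in" is the first package version that carries the fix.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1n-1", "severity": "High"},
    {"id": "CVE-0000-0002", "package": "curl", "fixed_in": "7.74.0-1.3", "severity": "Medium"},
    {"id": "CVE-0000-0003", "package": "bash", "fixed_in": "5.1-3", "severity": "Low"},
    {"id": "CVE-0000-0004", "package": "removed-tool", "fixed_in": "1.0-1", "severity": "Critical"},
]

# CVE IDs a project admin has accepted as not applicable. Matches against them
# are reported in a separate list so the exclusion stays visible.
ALLOWLIST = {"CVE-0000-0003"}


def parse_dpkg_status(text):
    """Return {package: version} for packages whose status is 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        # A stanza for a removed package (status 'deinstall ...') is not a
        # vulnerable install and must not produce a finding.
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version):
    """Sort key approximating Debian version ordering: epoch first, then the
    remainder split into numeric and non-numeric runs, with numeric runs
    compared as integers. Simplified: Debian's special '~' rule is omitted."""
    epoch, _, rest = version.rpartition(":")
    runs = re.findall(r"\d+|\D+", rest)
    return (int(epoch or 0), [(0, int(r)) if r.isdigit() else (1, r) for r in runs])


def scan(status_text, advisories, allowlist=frozenset()):
    """Match installed packages against advisories.

    Returns (findings, suppressed): findings are matches to report, suppressed
    are matches whose CVE ID is on the allowlist.
    """
    installed = parse_dpkg_status(status_text)
    findings, suppressed = [], []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # package absent or not installed: not affected
        if version_key(version) < version_key(adv["fixed_in"]):
            finding = {**adv, "installed": version}
            (suppressed if adv["id"] in allowlist else findings).append(finding)
    return findings, suppressed


if __name__ == "__main__":
    found, skipped = scan(DPKG_STATUS, ADVISORIES, ALLOWLIST)
    for f in found:
        print(f"{f['severity']:8} {f['id']} {f['package']} {f['installed']} (fixed in {f['fixed_in']})")
    for s in skipped:
        print(f"allowlisted {s['id']} {s['package']} {s['installed']}")
```

Run as a script, the example reports the openssl match, stays silent on curl (already at the fixed version) and on the removed package, and lists the bash match as allowlisted. Real scanners do the same comparison at scale, with per-distribution version semantics and feeds for each operating system and language ecosystem; the point to keep in mind is that a match is decided by installed version against fixed version, so an image is only as clean as the package inventory the scanner can see.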

As a system admin, you manage all scanners available in the instance. Project admins can select which of these scanners to use for their projects, as explained here. Without any active intervention from you or from the project admins, all projects use the default system scanner.