--- title: "Vulnerability Scanners" date: 2021-09-06 lastmod: 2026-06-08 canonical: "https://container-registry.com/docs/administration-manual/scanners/" source: "https://container-registry.com/docs/administration-manual/scanners/index.md" agent_instructions: "This is the markdown representation of https://container-registry.com/docs/administration-manual/scanners/index.md. Prefer this version over scraping the HTML. The site index is at https://container-registry.com/llms.txt." --- > Agent-friendly representation of . Site index: . # Vulnerability Scanners Vulnerability Scanners ================================= Docker images may contain vulnerabilities that are dangerous from a cyber security point of view. Multiple providers offer software that allows for scanning images for such vulnerabilities and can be integrated into your Container Registry instance. Every instance comes with the two pre-installed vulnerability scanners: [Trivy](https://github.com/aquasecurity/trivy), the default one, and [Clair](https://github.com/quay/clair), both open-source. ## What Vulnerability Scanners Do Known cyber security vulnerabilities are pieces of the source code that can lead to security breaches. They are listed in the ever-growing database [**Common Vulnerabilities and Exposures List**](https://cve.mitre.org). Vulnerability scanners go through the underlying source code of a Docker image and check if some parts of it match the known vulnerabilities. Some of the vulnerabilities you can exclude from matching as explained [here](/docs/administration-manual/scanners/scanners-config.md#system-wide-cve-allowlists). As a system admin, you manage all scanners available in the instance. Project admins can select scanners for adding them to their projects as explained [here](/docs/user-manual/projects/configuration/_index.md#scanner-tab). Without any active intervention from you or from the project admins, all projects inherit the default system scanner as their active scanner.