Scanning Artifacts
Read more about vulnerability scanning and how the health score is calculated here.
Running a System-Wide Scan
As a system administrator, you can scan all artifacts in your instance at once.
- Go to Administration;
- Click Interrogation Services;
- Select Vulnerability tab;
- Click Scan now.
This will set the whole process in motion. You can watch the progress.
Per-Artifact Scan Timeout
During a scan-all operation, the registry enforces a 3-minute timeout per artifact. If scanning a single artifact exceeds this limit, that artifact is marked as failed and the operation moves on to the next one. This prevents a slow or unresponsive artifact from exhausting database connections and blocking the entire scan-all job.
Artifact Types Submitted to the Scanner
Only artifact types with known-scannable content are submitted to Trivy. Signature and attestation artifacts — including cosign signatures, in-toto attestations, and DSSE envelopes — are automatically skipped and never sent to the scanner. This allowlist-based filtering replaces the previous skiplist approach and prevents scanner errors caused by non-tar-archive layers being submitted to Trivy.
Schedule a Scan
Inside the vulnerability tab, you can schedule a system-wide scan. It will scan all artifacts in all projects.
The scan can be set to run:
- hourly;
- daily;
- weekly;
- or on a custom schedule entered in the CRON format.
How to Scan Only Selected Artifacts
To do this, you need to go to a certain project to pick up artifacts.
- Click Projects in the navigation pane;
- Click on a project in the project overview);
- Click on a repository;
- Select artifacts;
- Optionally, filter artifacts;
- Click Scan.
