SourceClear Container Scanning

SourceClear Software Composition Analysis

Container scanning extends the SourceClear vulnerability database and Software Composition Analysis (SCA) technology to system libraries in Docker containers. SourceClear supports container scanning for the CentOS and RHEL 7 Linux distributions using yum.

The Docker images you intend to scan must have Python and yum installed, and a yum update must be possible without root privileges.

Note: SourceClear only supports official RHEL Docker images, which require a RHEL subscription.

Command-Line Interface Scanning

Images

To scan a Docker image, use --image:

$ docker images --format '{{.Repository}}:{{.Tag}}'
centos:7

$ srcclr scan --image centos:7
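As an added example (not part of the SourceClear documentation or tooling), a small POSIX shell wrapper that checks the prerequisites stated above, Python and yum present in the image, before running the documented srcclr scan --image command for every locally tagged image. The docker invocation, the DOCKER/SRCCLR override variables and the exit-code convention are assumptions; the requirement that yum update works without root is not checked.

```shell
#!/bin/sh
# Pre-flight check plus scan for SourceClear container scanning (added example).
# DOCKER and SRCCLR can be overridden, e.g. to point at stubs or non-PATH binaries.
DOCKER="${DOCKER:-docker}"
SRCCLR="${SRCCLR:-srcclr}"

# image_has_prereqs IMAGE -> 0 when both python and yum exist inside the image.
# Runs a throwaway container with a shell entrypoint so the check works on images
# whose default entrypoint is not a shell.
image_has_prereqs() {
  "$DOCKER" run --rm --entrypoint sh "$1" -c \
    'command -v python >/dev/null 2>&1 && command -v yum >/dev/null 2>&1'
}

# scan_image IMAGE -> runs the documented scan only when the prerequisites hold.
# Returns 2 when the image is skipped, otherwise srcclr's own exit status.
scan_image() {
  if image_has_prereqs "$1"; then
    "$SRCCLR" scan --image "$1"
  else
    echo "skip $1: image needs python and yum installed" >&2
    return 2
  fi
}

# scan_local_images -> scans every tagged local image and prints a summary line.
# Images without the prerequisites are counted as skipped, not as failures.
scan_local_images() {
  scanned=0; skipped=0
  for img in $("$DOCKER" images --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>'); do
    if scan_image "$img"; then
      scanned=$((scanned + 1))
    elif [ "$?" -eq 2 ]; then
      skipped=$((skipped + 1))
    else
      scanned=$((scanned + 1))   # scan ran but srcclr reported a non-zero status
    fi
  done
  echo "scanned=$scanned skipped=$skipped"
}
```

Run it as `sh scan_images.sh` after sourcing, or call `scan_local_images` from a CI step; the skip messages go to stderr so the summary line stays machine-readable.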

Containers

To scan a container running locally, pass the container ID or name to --container:

$ docker ps --format '{{.ID}}'
2ca861ab7e85

$ srcclr scan --container 2ca861ab7e85

$ docker ps --format '{{.Names}}'
compassionate_shirley

$ srcclr scan --container compassionate_shirley

Note: The following repository-specific features are not available for container scanning:
  • SCM-specific concepts such as branches
  • Vulnerable methods
  • Lines of code

Continuous Integration Scanning

To scan a Docker image using the continuous integration (CI) agent, modify the existing cURL script for the SourceClear agent to:

curl -sSL https://download.sourceclear.com/ci.sh | bash -s scan --image <image name>

Note: The Travis CI addon, which does not use this cURL script, does not currently support scanning Docker images.

Viewing Container Scanning Results

After your SourceClear scan is complete, you can view the vulnerabilities in your container from the project level.