Windows Container Image Scanning [BETA]
This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use
Overview
Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.
This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.
Features
- Identify Windows container image vulnerabilities from:
  - Windows OS CVEs
- Runs on Windows or Linux hosts
- Reports in JSON and PDF
- Policy support:
  - Severity
  - Fix available
  - Days since fixed
Ways to Use
The Windows Scanning Inspector can be integrated into the CI/CD pipeline or deployed ad hoc during development.
CI/CD Pipeline
The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.
Ad Hoc Scanning
Developers can run the Windows Scanning Inspector anywhere Docker can be run: a machine (Mac, Windows, or Linux), VM, or Cloud. It provides immediate feedback on Windows OS or .NET vulnerabilities, allowing quick mitigation of known security vulnerabilities.
Installation
Prerequisites
Request a Quay secret from your Sysdig sales agent.
Install Scanning Inspector
Use the provided secret to authenticate with Quay. The secret is a base64-encoded Docker config; the snippet extracts the `quay.io` credentials from it and logs in:

```bash
PULL_SECRET="enter secret"
# Decode the pull secret and extract the "user:password" pair for quay.io
AUTH=$(echo "$PULL_SECRET" | base64 --decode | jq -r '.auths."quay.io".auth' | base64 --decode)
QUAY_USERNAME=${AUTH%:*}
QUAY_PASSWORD=${AUTH#*:}
# Passing the password with -p exposes it in shell history and the process list;
# docker login also accepts it on stdin via --password-stdin.
docker login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" quay.io
```
Pull the Scanning Inspector image that matches the host kernel:

Windows host/kernel:

```bash
docker pull quay.io/sysdig/scanning-inspector-windows:latest
```

Linux host/kernel:

```bash
docker pull quay.io/sysdig/scanning-inspector-linux:latest
```

Run the `--help` command to see the parameters available for the Scanning Inspector:

```bash
docker run --rm -v "$(pwd):/outdir" quay.io/sysdig/scanning-inspector-linux:latest --help
```
Parameters for Scanning Inspector
The `--help` command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

Flag | Description | Required | Argument | Type |
---|---|---|---|---|
`-t string` or `-image_type string` | Image type (where the image is read from) | yes | `tar`, `daemon`, or `pull` | Vuln scan |
`-i string` or `-image_identifier string` | Identifier of the image | yes | `my_image:my_tag` | Vuln scan |
`-f string` or `-output_format string` | Output format | yes | `pdf` or `json` | Vuln scan |
`-o string` or `-output string` | Output file path | yes | file path, e.g. `/outdir/scanResults.json` | Vuln scan |
`-fix_available` | Policy check on whether a fix is available | no | none | Policy creation |
`-min_days_fix int` | Minimum number of days since a fix for the specific vulnerability became available | no | default `-1` | Policy creation |
`-min_severity string` | Minimum severity at which the policy evaluation fails | no | severity level, e.g. `high` | Policy creation |
Use Cases
Scan Remote Image and Save PDF Report
In this example, the Inspector scans a remote image on a Linux host and saves the resulting report as a PDF to `./scanResults.pdf`:

```bash
docker run --rm -v "$(pwd):/outdir" quay.io/sysdig/scanning-inspector-linux:latest \
  -t pull \
  -i mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 \
  -f pdf \
  -o /outdir/scanResults.pdf
```

Here `-t pull` pulls the image from the remote repository, `-i` names the image to inspect, `-f pdf` selects the report format, and `-o` sets the output file name inside the mounted `/outdir` directory.
Scan Local Image, Apply Policy Conditions, and Generate JSON Report
In this example, the Inspector should:
- Scan a local image on a Windows host.
- Mount the Docker socket to access the local image. On Windows this is done with `-v "//./pipe/docker_engine://./pipe/docker_engine"`.
- Apply a policy that fails on vulnerabilities with a minimum severity of `high` whose fix has been available for at least 7 days.
- Exit with status 1 if the scan does not pass the policy.
- Write the report in JSON.

```bash
docker run --rm -v "$(pwd):/outdir" -v "//./pipe/docker_engine://./pipe/docker_engine" quay.io/sysdig/scanning-inspector-windows:latest \
  -t daemon \
  -i nanoserver:10.0.17763.1518 \
  -min_severity high \
  -min_days_fix 7 \
  -f json \
  -o /outdir/scanResults.json
```

Here `-t daemon` reads the image from the local Docker daemon, `-i` names the local image, `-min_severity high` fails the policy on any CVE of severity high or greater, `-min_days_fix 7` only fails the scan when a fix for the vulnerability has been available for more than 7 days, `-f json` selects the report format, and `-o` sets the output file name.
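The two use cases above are usually wrapped in a pipeline step that builds the scan command and turns the Inspector's exit status into a pass/fail decision for the job. The script below is an added example, not part of Sysdig's documentation or tooling; it assumes a Linux host, that reports go to the current directory, and that `docker` is on `PATH`. The function and variable names (`scan_image`, `DAEMON_MOUNT`, `INSPECTOR_IMAGE`) are hypothetical; every Inspector flag it passes is one listed in the parameter table.

```shell
#!/bin/sh
# CI gate around the Scanning Inspector. Constructed example, not a Sysdig script.
# Assumptions: Linux host, reports written to the current directory, docker in PATH.

INSPECTOR_IMAGE="${INSPECTOR_IMAGE:-quay.io/sysdig/scanning-inspector-linux:latest}"
# On a Windows host using -t daemon, set this to the named-pipe mapping from the docs:
#   DAEMON_MOUNT="//./pipe/docker_engine://./pipe/docker_engine"
DAEMON_MOUNT="${DAEMON_MOUNT:-}"

# scan_image <image> <tar|daemon|pull> <pdf|json> <report file> [min_severity] [min_days_fix]
# Runs one scan, writes the report to ./<report file>, and returns 0 when the image
# passes the policy or 1 when the Inspector exits non-zero (1 = policy failure).
scan_image() {
    image="$1"; source="$2"; fmt="$3"; report="$4"
    min_sev="${5:-}"; min_days="${6:-}"

    # Mandatory scan flags first, then policy flags only when the caller asked for them.
    set -- "$INSPECTOR_IMAGE" -t "$source" -i "$image" -f "$fmt" -o "/outdir/$report"
    [ -n "$min_sev" ]  && set -- "$@" -min_severity "$min_sev"
    [ -n "$min_days" ] && set -- "$@" -min_days_fix "$min_days"
    # Daemon access on Windows needs the pipe mounted into the Inspector container.
    [ -n "$DAEMON_MOUNT" ] && set -- -v "$DAEMON_MOUNT" "$@"

    if docker run --rm -v "$(pwd):/outdir" "$@"; then
        echo "PASS: $image meets the policy; report: $(pwd)/$report"
        return 0
    else
        status=$?
        echo "FAIL: $image did not pass (Inspector exit status $status); report: $(pwd)/$report" >&2
        return 1
    fi
}

# Typical pipeline use: fail the job on a high-or-worse CVE whose fix is older than 7 days.
# scan_image mcr.microsoft.com/windows/nanoserver:10.0.17763.1518 pull json scanResults.json high 7
```

A job that calls `scan_image` as its last step inherits the return code, so the pipeline fails exactly when the Inspector's policy does.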