Windows Container Image Scanning [BETA]


Sysdig provides a standalone vulnerability scanning and policy engine for Windows containers called the Scanning Inspector. It can be used on both Windows and Linux hosts.


This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.


  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs

  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Ways to Use

The Windows Scanning Inspector can be integrated into the CI/CD pipeline or deployed ad hoc during development.

CI/CD Pipeline

The image below shows how the Scanning Inspector fits within a development pipeline. A policy can pass or fail the workflow and provide a PDF or JSON report for each CI/CD job.


Ad Hoc Scanning

Developers can run the Windows Scanning Inspector anywhere Docker can be run: a machine (Mac, Windows, or Linux), VM, or Cloud. It provides immediate feedback on Windows OS or .NET vulnerabilities, allowing quick mitigation of known security vulnerabilities.



Request a Quay secret from Sysdig Support.

Install Scanning Inspector

  1. Use the provided secret to authenticate with Quay:

    PULL_SECRET="enter secret"
    # The secret is a base64-encoded Docker config file; extract the registry's "auth" value and decode it to user:password
    AUTH=$(echo "$PULL_SECRET" | base64 --decode | jq -r '.auths."".auth' | base64 --decode)
    QUAY_USERNAME="${AUTH%%:*}"   # text before the first colon
    QUAY_PASSWORD="${AUTH#*:}"    # text after the first colon
    # Pass the password on stdin so it does not appear in the process list or shell history
    echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin
  2. Pull the Scanning Inspector component for Windows or Linux:

    • Windows Host/Kernel:

    • Linux Host/Kernel:

  3. Run the --help command to see the parameters available for the Scanning Inspector.

    # <scanning-inspector-image> stands for the image reference pulled in step 2 (not reproduced on this page)
    docker run --rm -v "$(pwd):/outdir" <scanning-inspector-image> --help

Parameters for Scanning Inspector

The --help command lists the available parameters and their usage. They can be divided into those related to scanning for vulnerabilities and generating a report, and those related to creating policies.

Vulnerability scanning and reporting:

  • -f string or -output_format string: output format (pdf or json)

  • -i or -image_identifier string: identifier of the image

  • -image_type string (written -t in the use cases below): image type (tar, daemon, or pull)

  • -o string or -output string: output file path

Policy creation:

  • Policy check for fix available (the flag name is not captured on this page)

  • -min_days_fix int: minimum number of days since a fix for the specific vulnerability became available (default -1)

  • -min_severity string: minimum severity that fails policy evaluation

Use Cases

Scan Remote Image and Save PDF Report

In this example, the Inspector scans a remote image on a Linux host and saves the resulting report as a PDF to ./scanResults.pdf.

# <scanning-inspector-image> is the Scanning Inspector image from the install step and
# <remote-image> is the image to inspect; neither reference is reproduced on this page.
# -t pull   pull the image from the remote repository
# -i        identifier of the image to inspect
# -f pdf    report format
# -o        output path inside the mounted directory
docker run --rm -v "$(pwd):/outdir" <scanning-inspector-image> \
  -t pull \
  -i <remote-image> \
  -f pdf \
  -o /outdir/scanResults.pdf

Scan Local Image, Apply Policy Conditions, and Generate JSON Report

In this example, the Inspector should:

  • Scan a local image on a Windows host

  • Apply a policy with a minimum severity of high and a minimum of 7 days since the vulnerability fix became available

  • Exit with status 1 if the scan does not pass the policy

  • Write the report in JSON

# <scanning-inspector-image> is the Scanning Inspector image from the install step (not reproduced on this page).
# -t daemon           use the local daemon for the image scan
# -i                  local image name
# -min_severity high  any CVE of severity high or greater fails the image scan policy
# -min_days_fix 7     only fail the scan if a found vulnerability has had a fix for more than 7 days
# -f json             report format
# -o                  output path inside the mounted directory
docker run --rm -v "$(pwd):/outdir" <scanning-inspector-image> \
  -t daemon \
  -i nanoserver:10.0.17763.1518 \
  -min_severity high \
  -min_days_fix 7 \
  -f json \
  -o /outdir/scanResults.json
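Combining the CI/CD pipeline integration with the policy use case above, here is an added example (not Sysdig's code) of a POSIX shell job step that runs the policy-gated scan and fails the build on the container's exit status; SCANNER_IMAGE, IMAGE_TO_SCAN and the script name are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not Sysdig's code: a CI job step that runs the Scanning
# Inspector with the policy from the use case above and gates the build on
# the result, keeping the JSON report as a job artifact either way.
# Assumption: SCANNER_IMAGE is the Scanning Inspector image reference from the
# install step; the placeholder below is not a real image name.
set -eu

SCANNER_IMAGE="${SCANNER_IMAGE:-<scanning-inspector-image>}"

# Map the container's exit status to a CI verdict. The page documents exit 1
# for a policy failure; any other non-zero status means the scanner itself did
# not complete, which must not be confused with either outcome.
verdict_for_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo policy_fail ;;
    *) echo scanner_error ;;
  esac
}

# Whether a verdict should fail the pipeline (only a clean pass goes through).
fails_build() {
  [ "$1" != pass ]
}

# Scan a local daemon image with the policy "severity >= high, fix available
# for at least 7 days" and write the JSON report into the mounted directory.
scan_image() {
  image_id="$1"
  report="scanResults.json"
  rc=0
  docker run --rm -v "$(pwd):/outdir" "$SCANNER_IMAGE" \
    -t daemon -i "$image_id" \
    -min_severity high -min_days_fix 7 \
    -f json -o "/outdir/$report" || rc=$?
  verdict=$(verdict_for_exit "$rc")
  echo "image=$image_id verdict=$verdict report=$report exit=$rc"
  if fails_build "$verdict"; then
    return 1   # fails the CI job; the report is still on disk for review
  fi
}

# Only touch docker when an image is supplied, e.g.:
#   IMAGE_TO_SCAN=nanoserver:10.0.17763.1518 sh scan_gate.sh
if [ -n "${IMAGE_TO_SCAN:-}" ]; then
  scan_image "$IMAGE_TO_SCAN"
fi
```

Treating a scanner crash as a separate verdict from a policy failure keeps a broken scan step from being misread as a passed or failed policy check.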