Integrating Container Scanning in CI

Run container image analysis and policy tests in a generic CI pipeline.

2 min readUpdated Jul 9, 2026

Overview

Scenario:

As a development team we want to analyze container image for vulnerability and compliance issues as part of the CI process.

Analyze

Use the fossa container analyze <IMAGE> command.

With Docker:

Shell
docker build . -t <IMAGE>fossa container analyze <IMAGE> # Alternately, export the image to an archive and analyze that for maximal performance. ## >> docker save -o image.tar <IMAGE># >> fossa container analyze image.tar

With Podman:

Shell
podman build . -t <IMAGE>fossa container analyze <IMAGE> # Alternately, export the image to an archive and analyze that for maximal performance. ## >> podman save <IMAGE> --format docker-archive -o image.tar # >> fossa container analyze image.tar

With Buildah:

Shell
buildah bud --format=docker -f Dockerfile -t <IMAGE> .buildah push <IMAGE> docker-archive:image.tar fossa container analyze image.tar

Test

Use the fossa container test <IMAGE> command to test a previously analyzed image. This command exits with a non-zero exit code if issues are discovered.

Shell
fossa container test <IMAGE>

Example

Prerequisite

Dockerfile:

Dockerfile
FROM alpine:latest RUN apk add tree python3 py3-pipCOPY ./app ./app RUN pip install -r ./app/reqs.txt

app/reqs.txt:

# app/reqs.txt
flask

With Docker

Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Builddocker build -t "$TAG" -build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" .  # Analyze and test image for security and compliance issuesfossa container analyze "$TAG"fossa container test "$TAG" # Push image to registrydocker push "$TAG"

With Podman

Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Buildpodman build . -t "$TAG" --build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" .  # Analyze and test image for security and compliance issuesfossa container analyze "$TAG"fossa container test "$TAG" # Push image to registrypodman push "$TAG"

With Buildah

Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Buildbuildah bud --format=docker -f Dockerfile --build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" -t "$TAG" .buildah push "$TAG" docker-archive:image.tar # Analyze and test image for security and compliance issuesfossa container analyze image.tarfossa container test image.tarrm image.tar
© 2026 FOSSA, Inc.support@fossa.com