Integrating Container Scanning in CI
Run container image analysis and policy tests in a generic CI pipeline.
2 min readUpdated Jul 9, 2026
Overview
Scenario:
As a development team we want to analyze container image for vulnerability and compliance issues as part of the CI process.
Analyze
Use the fossa container analyze <IMAGE> command.
With Docker:
Shell
docker build . -t <IMAGE>fossa container analyze <IMAGE> # Alternately, export the image to an archive and analyze that for maximal performance. ## >> docker save -o image.tar <IMAGE># >> fossa container analyze image.tarWith Podman:
Shell
podman build . -t <IMAGE>fossa container analyze <IMAGE> # Alternately, export the image to an archive and analyze that for maximal performance. ## >> podman save <IMAGE> --format docker-archive -o image.tar # >> fossa container analyze image.tarWith Buildah:
Shell
buildah bud --format=docker -f Dockerfile -t <IMAGE> .buildah push <IMAGE> docker-archive:image.tar fossa container analyze image.tarTest
Use the fossa container test <IMAGE> command to test a previously analyzed image. This command exits with a non-zero exit code if issues are discovered.
Shell
fossa container test <IMAGE>Example
Prerequisite
Dockerfile:
Dockerfile
FROM alpine:latest RUN apk add tree python3 py3-pipCOPY ./app ./app RUN pip install -r ./app/reqs.txtapp/reqs.txt:
# app/reqs.txt
flaskWith Docker
Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Builddocker build -t "$TAG" -build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" . # Analyze and test image for security and compliance issuesfossa container analyze "$TAG"fossa container test "$TAG" # Push image to registrydocker push "$TAG"With Podman
Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Buildpodman build . -t "$TAG" --build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" . # Analyze and test image for security and compliance issuesfossa container analyze "$TAG"fossa container test "$TAG" # Push image to registrypodman push "$TAG"With Buildah
Shell
VERSION="1.0.0" # or git commit hash: VERSION=$(git log -1 --pretty=%h)REPO="core-app:"TAG="$REPO$VERSION"BUILD_TIMESTAMP=$( date '+%F_%H:%M:%S' ) # Buildbuildah bud --format=docker -f Dockerfile --build-arg VERSION="$VERSION" --build-arg BUILD_TIMESTAMP="$BUILD_TIMESTAMP" -t "$TAG" .buildah push "$TAG" docker-archive:image.tar # Analyze and test image for security and compliance issuesfossa container analyze image.tarfossa container test image.tarrm image.tar