Container Scanning
Recommended for Technical Users
This method requires use of a command line interface and knowledge of your codebase. If you're not a developer yourself, we recommend getting a developer to help you.
FOSSA's Container Scanning tool helps you mitigate open source risk by identifying vulnerability and license issues in your container images. Container Scanning fits into the workflows you already use with FOSSA, from our CLI tools to our web interface.
Supported Base Containers
FOSSA's container scanning supports most popular base images, and any containers that use those base images. Please find our complete list of supported base containers below:
| Package Manager | Distribution |
|---|---|
| Apt / Apt-Get | Debian, Ubuntu |
| RPM / Yum | Redhat, Centos, Oraclelinux, Fedora, SLES (in beta) |
| Apk | Alpine |

Distributions not listed here may analyze successfully, but this is not guaranteed.
Tool Requirements
Container Scanning is built into FOSSA CLI (version 2+) and does not require any additional tools from FOSSA. If you do not have FOSSA CLI, follow the instructions below to install it.
Otherwise, you can skip to Using Container Scanning.
Note: Container Scanning features are supported on Linux and macOS.
Getting latest FOSSA CLI
To get started with the latest FOSSA CLI version, use the one-liner terminal command for your platform (Windows, Mac, Linux) or download directly from our Releases page.

macOS and Linux:

```bash
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
```

Windows (PowerShell):

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))
```
Using Container Scanning
Container Scanning follows existing FOSSA CLI conventions and should be intuitive if you're familiar with the tool. For additional information on FOSSA CLI, see our documentation on GitHub.
To run a scan:

```bash
# export so the key is visible to the fossa child process
export FOSSA_API_KEY=<your_api_key>
fossa container analyze <your image: docker|oci.tar>
```

If your images are large, the scan may take a minute to run.
Running a scan will look like this:

Container scanning accepts any argument that `fossa analyze` does, such as `--title`, `--team`, and `--policy`. To see the full list of these arguments, run `fossa container analyze --help` or see our documentation on GitHub.
Where do we get your images from?
FOSSA can ingest either Docker images, straight from your local Docker application, or an OCI-formatted image archive. No arguments are required to specify which kind of image you are using.
FOSSA can also use any remote or private Docker registry through Docker's native authentication path (`docker login`).
Using docker images and registries
FOSSA uses Docker to pull local and remote images easily and securely. When given a Docker image name, FOSSA CLI requests the image from the Docker application and begins to parse it.
FOSSA accepts images in exactly the same format as `docker pull`. Like Docker, FOSSA first attempts to pull images from your local Docker repository, then from Docker Hub, then from any registries you've logged into. FOSSA also accepts images directly from a repository, for example `fossa container analyze quay.io/coreos/dnsmasq`.

Using OCI images
FOSSA natively supports OCI (Open Container Initiative) formatted images on your file system. OCI images can be generated from Docker with `docker image save`, or with your preferred image tooling such as Packer or Buildah.
Once you have an image archive, you can scan it just as you would a Docker image in FOSSA.
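Before submitting an archive, it can be useful to confirm that its base distribution is one from the supported-base table above. The following Python script is an added example, not part of fossa-cli: it reads a `docker image save` archive, takes the last `os-release` file written across the layers, and maps its `ID`/`ID_LIKE` values to the package managers in that table. It assumes the archive has a top-level `manifest.json` listing the layer tars (the `docker image save` layout), and the os-release ID strings it uses are this example's own assumption.

```python
import io
import json
import tarfile

# Distro IDs for the table above; the ID strings are this example's assumption.
SUPPORTED = {"apt": {"debian", "ubuntu"}, "apk": {"alpine"},
             "rpm": {"rhel", "centos", "ol", "fedora", "sles"}}


def parse_os_release(text):
    """Parse KEY=value lines from an os-release file, dropping quotes."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields


def detect_base(archive):
    """Return (manager, distro_id) for a docker-save tar (path or file object).
    Layers are read in manifest order, so the last os-release written wins."""
    opener = {"name": archive} if isinstance(archive, str) else {"fileobj": archive}
    fields = {}
    with tarfile.open(**opener) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            with tarfile.open(fileobj=outer.extractfile(layer_name)) as layer:
                for m in layer.getmembers():
                    # symlinked /etc/os-release (Debian) is skipped; the target file is read
                    if m.isfile() and m.name.lstrip("./") in ("etc/os-release", "usr/lib/os-release"):
                        fields = parse_os_release(layer.extractfile(m).read().decode())
    ids = [fields.get("ID", "")] + fields.get("ID_LIKE", "").split()
    for manager, distros in SUPPORTED.items():
        if any(i in distros for i in ids):
            return manager, fields.get("ID")
    return None, fields.get("ID")  # distro not in the supported table


def build_sample_archive(os_release_text):
    """Constructed one-layer docker-save archive in memory, for testing only."""
    def add(tar, name, data):
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    layer, outer = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        add(t, "etc/os-release", os_release_text.encode())
    manifest = [{"Config": "cfg.json", "Layers": ["layer0/layer.tar"]}]
    with tarfile.open(fileobj=outer, mode="w") as t:
        add(t, "manifest.json", json.dumps(manifest).encode())
        add(t, "layer0/layer.tar", layer.getvalue())
    return io.BytesIO(outer.getvalue())
```

For a real archive, call `detect_base("image.tar")`; a `None` manager means the base is outside the supported table and the scan may or may not succeed.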

Updated 11 months ago