Containers
Scan Docker and OCI container images for open source license and vulnerability issues.
Overview
Container scanning identifies open source license and vulnerability issues inside your container images. It follows the same FOSSA CLI conventions as a normal analysis, so it's familiar if you already run fossa analyze.
Running a scan
Set your API key and point the CLI at a local Docker image, an OCI image archive, or a remote image reference:
FOSSA_API_KEY=<your_api_key> \fossa container analyze <your image: docker | image.tar>Large images may take a minute to analyze. Container scanning accepts the same arguments as fossa analyze, for example --title, --team, and --policy. Run fossa container analyze --help, or see the container subcommand reference for the full list of flags.
Supported base images
FOSSA supports most popular base images and any container built on them:
| Package manager | Distributions |
|---|---|
| Apt / Apt-Get | Debian, Ubuntu |
| RPM / Yum | CentOS, Oracle Linux, Fedora, SLES (beta) |
| Apk | Alpine, Wolfi |
Because Wolfi is supported, fossa container analyze also scans Chainguard images.
Note
FOSSA does not raise a "Container OS is not supported" error. Distributions not listed above can still analyze successfully; it just isn't guaranteed.
How FOSSA finds your image
You don't need to specify the image type: FOSSA accepts either a Docker image straight from your local Docker application or a Docker-format image archive on disk, and detects which it's working with.
Docker images and registries
When given a Docker image name, FOSSA requests the image from Docker and parses it, accepting images in exactly the same form as docker pull: first your local Docker repository, then Docker Hub, then any registries you've authenticated to with docker login. You can also pull directly from a repository, for example, fossa container analyze quay.io/coreos/dnsmasq.
Exported image archives
FOSSA reads exported image archives from your filesystem. The archive must be in Docker format (containing a top-level manifest.json), as produced by docker save or docker image save. Scan it exactly as you would a Docker image.
FOSSA does not read OCI-layout archives directly from disk. An OCI-layout archive has an oci-layout marker plus index.json and blobs/, with no top-level manifest.json, so scanning it fails with TarballFileNotFound: "manifest.json". Tooling such as Buildah or Packer can emit this layout, so either convert to Docker format first (for example, buildah push <image> docker-archive:image.tar, or build with --format=docker) or pull the image from a registry instead.