Containers

Scan Docker and OCI container images for open source license and vulnerability issues.

2 min readUpdated Jul 9, 2026

Overview

Container scanning identifies open source license and vulnerability issues inside your container images. It follows the same FOSSA CLI conventions as a normal analysis, so it's familiar if you already run fossa analyze.

Running a scan

Set your API key and point the CLI at a local Docker image, an OCI image archive, or a remote image reference:

Shell
FOSSA_API_KEY=<your_api_key> \fossa container analyze <your image: docker | image.tar>

Large images may take a minute to analyze. Container scanning accepts the same arguments as fossa analyze, for example --title, --team, and --policy. Run fossa container analyze --help, or see the container subcommand reference for the full list of flags.

Supported base images

FOSSA supports most popular base images and any container built on them:

Package managerDistributions
Apt / Apt-GetDebian, Ubuntu
RPM / YumCentOS, Oracle Linux, Fedora, SLES (beta)
ApkAlpine, Wolfi

Because Wolfi is supported, fossa container analyze also scans Chainguard images.

Note

FOSSA does not raise a "Container OS is not supported" error. Distributions not listed above can still analyze successfully; it just isn't guaranteed.

How FOSSA finds your image

You don't need to specify the image type: FOSSA accepts either a Docker image straight from your local Docker application or a Docker-format image archive on disk, and detects which it's working with.

Docker images and registries

When given a Docker image name, FOSSA requests the image from Docker and parses it, accepting images in exactly the same form as docker pull: first your local Docker repository, then Docker Hub, then any registries you've authenticated to with docker login. You can also pull directly from a repository, for example, fossa container analyze quay.io/coreos/dnsmasq.

Exported image archives

FOSSA reads exported image archives from your filesystem. The archive must be in Docker format (containing a top-level manifest.json), as produced by docker save or docker image save. Scan it exactly as you would a Docker image.

FOSSA does not read OCI-layout archives directly from disk. An OCI-layout archive has an oci-layout marker plus index.json and blobs/, with no top-level manifest.json, so scanning it fails with TarballFileNotFound: "manifest.json". Tooling such as Buildah or Packer can emit this layout, so either convert to Docker format first (for example, buildah push <image> docker-archive:image.tar, or build with --format=docker) or pull the image from a registry instead.

© 2026 FOSSA, Inc.support@fossa.com