Container Scanning
Identify vulnerability and license issues in container images using the FOSSA CLI.
Overview
Container scanning lets you analyze container images for vulnerability and license issues alongside your standard FOSSA projects. The scanner inspects both OS-level dependencies (APK, DPKG, RPM) and application dependencies inside the image, and reports issues through the same policies and Security Issues page you use for source code projects. For setup instructions (supported base images, image sources, and CLI usage) see Containers.
Note
Container scanning is available on Business and Enterprise plans.
How container scanning works
The FOSSA CLI's container subcommand handles scanning. It accepts images from multiple sources (a local Docker engine, an exported archive, or any OCI-compatible registry) and uploads dependency metadata to FOSSA for analysis. No source code or file contents are sent.
Scans run in two steps:
- The base layer is scanned independently.
- All remaining layers are squashed and scanned together.
Issues are surfaced through your existing security and license policies, the same as any other FOSSA project. The Container Layer filter on the Security Issues page lets you scope results to specific layers.
What gets analyzed
The scanner detects OS package managers (Alpine APK, Debian DPKG, RedHat RPM) and a wide range of application package managers. Java JAR files embedded in layers are also detected and matched against FOSSA's vulnerability database.
For the full list of supported package managers and their support level, see the container scanner reference.
Getting started
Note
Container scanning requires FOSSA CLI. See the CLI installation guide for setup instructions.
The core workflow is two commands:
# Analyze the image and upload results to FOSSAfossa container analyze <IMAGE> # Check for issues against your policy (exits non-zero if issues are found)fossa container test <IMAGE><IMAGE> can be a Docker image name, a registry reference, or a path to an exported .tar archive. For detailed usage including private registries, Podman, Buildah, and CI integration examples, see:
- Container scanner reference: image sources, supported package managers, configuration, debugging, and FAQs
- Walkthrough: Integrating container scanning in CI: end-to-end examples with Docker, Podman, and Buildah