Container Scanner
Know what is inside your images before they ship. The Container Scanner uses Trivy to find known CVEs in OS packages and application dependencies, so a vulnerable base image never reaches production unnoticed.
- Category: Cloud & Container
- Powered by: Trivy
- Edition: Pro
- Where: Desktop → Container Scanner tab
What it does
Point it at a container image and it inventories every package, then checks each against Trivy's vulnerability database. You get a prioritized list of CVEs with severity and the fixed version — the same shift-left check you would run in CI, available on your desktop.
- OS packages — distro packages in the image (apk/apt/yum, …).
- App dependencies — language libraries (npm, pip, gem, …) baked into the image.
- Severity & fixes — each finding carries a severity and the version that fixes it.
How to use it
1. Choose an image
   Enter an image reference you can pull or that exists locally.
   ```text
   Image: myapp:1.4.2
   Image: node:18-alpine
   ```
2. Scan
   Run the scan; Trivy resolves packages and matches them to known CVEs.
3. Triage by severity
   Start with Critical/High that have a fix available — those are the quickest wins.
4. Rebuild & re-scan
   Bump the base image or dependency, rebuild, and scan again to confirm the CVE is gone.
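The triage and re-scan steps above can be scripted against Trivy's JSON output (`trivy image --format json <image>`). The following is an added example, not code from the Container Scanner or from Trivy; the report it parses is a constructed sample with placeholder CVE ids, package names and versions, and the `triage`/`gate_passes` helpers are assumptions that implement the "fixable Critical/High first, then gate on a clean scan" rule.

```python
"""Triage a Trivy JSON report: fixable Critical/High first, then the release gate."""
import json
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in the shape of `trivy image --format json <image>`.
# CVE ids, packages and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:1.4.2",
    "Results": [
        {"Target": "myapp:1.4.2 (alpine 3.18.0)", "Type": "alpine", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0", "Severity": "HIGH"},
        ]},
        {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "lodash", "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00004", "PkgName": "minimist", "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6", "Severity": "MEDIUM"},
        ]},
    ],
})

def findings(report_json):
    """Flatten Trivy's per-target Results into one list of finding dicts.
    Findings without a FixedVersion are normalised to an empty 'fixed' string."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # null/absent when a target is clean
            out.append({
                "id": v["VulnerabilityID"], "target": result["Target"], "pkg": v["PkgName"],
                "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return out

def triage(report_json, min_severity="HIGH"):
    """Step 3: findings at or above min_severity that have a fix, most severe first."""
    threshold = SEVERITY_RANK[min_severity]
    quick_wins = [f for f in findings(report_json)
                  if f["fixed"] and SEVERITY_RANK.get(f["severity"], 4) <= threshold]
    return sorted(quick_wins, key=lambda f: (SEVERITY_RANK.get(f["severity"], 4), f["pkg"]))

def gate_passes(report_json, min_severity="HIGH"):
    """Step 4 / release gate: clean only when no fixable finding at or above the threshold remains."""
    return not triage(report_json, min_severity)

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("release gate:", "PASS" if gate_passes(SAMPLE_REPORT) else "FAIL")
```

Unfixed findings (the constructed busybox entry) are deliberately left out of the quick-wins list, matching step 3; they still appear in `findings()` so they can be tracked until a fix is published.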
Modes & options
- Image target — local or pullable image reference.
- Severity focus — concentrate on fixable Critical/High first.
What you get
A CVE report per image: package, installed version, severity, and the fixed version. Use it to keep base images current and to gate releases on a clean scan.
Tips
- Prefer slim/distroless base images — fewer packages means fewer CVEs.
- Re-scan on every base-image bump; new CVEs are published constantly.
- Pair with the SecOps Cloud (CSPM) pillar for runtime cloud posture.
Defensive by design. Container scanning is a purely defensive check on images you build or run. No exploitation is performed — it only reports known vulnerabilities and their fixes.