Container image scanning

You can protect your container images with Sophos Cloud Optix.

A Docker container image is an immutable (read-only) file that contains the source code, libraries, dependencies, tools, and other files needed for an application to run. Docker containers are created from Docker images, which can be stored in different types of registry.

Sophos Cloud Optix scans container images for operating system vulnerabilities to prevent threats from being introduced into your production environment. It can scan container images in the following locations:

  • Amazon Elastic Container Registry (ECR).
  • Microsoft Azure Container Registry (ACR).
  • Docker Hub registries.
  • IaC environments (Bitbucket and GitHub).
  • Images in your build pipeline.

The Container Images page lists the images and registries linked to Sophos Cloud Optix. You can see details of scans performed, images queued for scanning, and vulnerabilities detected. You can change the rules used for scanning, filter the list, and export it in CSV format.

Click Images with fix available to identify images with known vulnerabilities that you can fix by installing updates. Click an image name for details of the relevant update.

To find out more about the rules Sophos Cloud Optix uses when scanning images, and how to create your own custom rules, see Working with container image rules.

How container image scanning works

Sophos Cloud Optix container image scanning is a Docker container analysis tool that automates image inspection.

When a container image is submitted to Sophos Cloud Optix, the service retrieves the image's metadata from the registry and pulls the image for analysis. Sophos Cloud Optix analyzes the image content (operating system packages, software libraries, and file content) and extracts metadata. This metadata is checked against external security vulnerability data. The process is repeated regularly so that image metadata is always checked against up-to-date external data.

A submitted image is placed in a queue for an analyzer. In Scan Queue, the image's status changes from Queued to Sent for scanning. It's removed from the scan queue within 24 hours. Images with the Invalid status are also removed within 24 hours.

Sophos Cloud Optix updates vulnerability information multiple times per day and automatically updates this information for each container image in Scanned Images.

If Sophos Cloud Optix sees that an image has changed after its initial scan, it's automatically submitted for re-scanning.
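The following script illustrates, in miniature, the analysis flow described above and the "Images with fix available" view from the Container Images page: extract installed-package metadata from an image's filesystem, check it against a vulnerability feed, flag findings that have a fix published, and use a content digest to decide whether a changed image should be re-scanned. It is an added example written for this page, not Sophos Cloud Optix's own code or API; the package listing, the vulnerability feed, and the advisory identifiers are all constructed sample data, and the version comparison is a deliberately simplified stand-in for a real dpkg or rpm comparator.

```python
"""Hypothetical container-image analysis walkthrough (added example, not Sophos code).

Steps mirrored from the page: extract package metadata -> check against
vulnerability data -> report whether a fix is available -> detect image changes
that warrant a re-scan.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed dpkg-style status fragment, as it might be read from an image layer.
SAMPLE_STATUS = """\
Package: openssl
Version: 1.1.1k-1
Status: install ok installed

Package: curl
Version: 7.74.0-1.3
Status: install ok installed

Package: bash
Version: 5.1-2
Status: install ok installed
"""

# Constructed vulnerability feed: package -> [(advisory id, fixed-in version or None)].
# The advisory identifiers are placeholders, not real CVE numbers.
SAMPLE_FEED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "openssl": [("EXAMPLE-ADVISORY-0001", "1.1.1l-1")],  # a fixed version exists
    "curl": [("EXAMPLE-ADVISORY-0002", None)],            # no fix published yet
}


def parse_status(text: str) -> Dict[str, str]:
    """Extract installed packages from dpkg-style status text as {name: version}."""
    packages: Dict[str, str] = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed"):
            packages[fields["Package"]] = fields["Version"]
    return packages


def version_key(version: str) -> list:
    """Simplified ordering key: digit runs compare as integers, other runs as text.
    Assumption: this is NOT full dpkg/rpm semantics (epochs, '~' ordering, etc.)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|\D+", version)]


@dataclass
class Finding:
    package: str
    installed: str
    advisory: str
    fixed_in: Optional[str]

    @property
    def fix_available(self) -> bool:
        """True when the feed names a version that resolves the advisory."""
        return self.fixed_in is not None


def analyze(packages: Dict[str, str], feed: Dict[str, List[Tuple[str, Optional[str]]]]) -> List[Finding]:
    """Check extracted package metadata against the vulnerability feed."""
    findings: List[Finding] = []
    for name, installed in packages.items():
        for advisory, fixed_in in feed.get(name, []):
            # Affected if no fix exists yet, or the installed version predates the fix.
            if fixed_in is None or version_key(installed) < version_key(fixed_in):
                findings.append(Finding(name, installed, advisory, fixed_in))
    return findings


def image_digest(content: bytes) -> str:
    """Content-addressed digest of the image bytes (here: the extracted listing)."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def needs_rescan(last_scanned_digest: str, current_content: bytes) -> bool:
    """A digest that differs from the last scanned one means the image changed."""
    return image_digest(current_content) != last_scanned_digest


def scan_report(status_text: str, feed) -> dict:
    """Run the whole flow and summarize it, including the 'fix available' flag."""
    packages = parse_status(status_text)
    findings = analyze(packages, feed)
    return {
        "packages": len(packages),
        "findings": findings,
        "fix_available": any(f.fix_available for f in findings),
    }


if __name__ == "__main__":
    report = scan_report(SAMPLE_STATUS, SAMPLE_FEED)
    for f in report["findings"]:
        state = f"fix available in {f.fixed_in}" if f.fix_available else "no fix yet"
        print(f"{f.package} {f.installed}: {f.advisory} ({state})")
    scanned = image_digest(SAMPLE_STATUS.encode())
    updated = SAMPLE_STATUS.replace("1.1.1k-1", "1.1.1l-1").encode()
    print("re-scan needed after update:", needs_rescan(scanned, updated))
```

Running the script reports openssl as fixable (1.1.1k-1 predates the fixed-in version) and curl as affected with no fix yet, while bash has no feed entry; changing the openssl version in the listing changes the digest, which is the trigger for a re-scan. A production scanner would replace `version_key` with the distribution's native comparator and take the digest from the registry manifest rather than from the package listing.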

Running image scans

Depending on the type of image and repository, scans are controlled in the following ways:

  • New container images in ECR and ACR registries, and updates to existing images, are found and submitted for scanning when Sophos Cloud Optix scans their parent AWS or Microsoft Azure environments. You can change scan frequency, and run scans manually.
  • New container images in Docker Hub registries, and updates to existing images, are submitted for scanning hourly, by default. You can change scan frequency, and run scans manually.
  • Container images identified in Dockerfile and Docker Compose files in your GitHub and Bitbucket environments are submitted for scanning each time you run a git push command.
  • You can also submit images for scanning with the Sophos Cloud Optix REST API.

Each container image scanned by Sophos Cloud Optix counts as a cloud asset for licensing. You can see the list in Scanned Images.