Container image scanning

Find out how Sophos Cloud Optix protects your container images.

A Docker container image is an unchangeable file that contains the source code, libraries, dependencies, tools, and other files needed for an application to run. Docker containers are based on Docker images, which can be stored in different types of registry.

Sophos Cloud Optix scans container images for operating system vulnerabilities to prevent threats from being introduced into your production environment. It can scan container images in the following locations:

  • Amazon Elastic Container Registry (ECR).
  • Microsoft Azure Container Registry (ACR).
  • Docker Hub registries.
  • IaC environments (Bitbucket and GitHub).
  • Images in your build pipeline.

In Sophos Cloud Optix, Container Images lists the images and registries linked to Sophos Cloud Optix. You can see details of scans performed, images queued for scanning, and vulnerabilities detected. You can filter the list and export it in CSV format.

Click Images with fix available to identify images with known vulnerabilities that you can fix by installing updates. Click an image name for details of the relevant update.

Running image scans

Depending on the type of image and repository, scans are controlled in the following ways:

  • New container images in ECR and ACR registries, and updates to existing images, are found and submitted for scanning when Sophos Cloud Optix scans their parent AWS or Microsoft Azure environments. You can change scan frequency, and run scans manually.
  • New container images in Docker Hub registries, and updates to existing images, are submitted for scanning hourly, by default. You can change scan frequency, and run scans manually.
  • Container images identified in Dockerfile and Docker Compose files in your GitHub and Bitbucket environments are submitted for scanning each time you run a git push command.
  • You can also submit images for scanning with the Sophos Cloud Optix REST API.

Each container image scanned by Sophos Cloud Optix counts as a cloud asset for licensing. You can see the list in Scanned Images.

How container image scanning works

Sophos Cloud Optix container image scanning is a Docker container analysis tool that automates image inspection.

When a container image is submitted to Sophos Cloud Optix, the service retrieves the image's metadata from the registry and pulls the image for analysis. Sophos Cloud Optix analyzes the image content (operating system packages, software libraries, and file content) and extracts metadata. This is checked with external security vulnerability data. The process is regularly repeated to ensure that image metadata is checked with up-to-date external data.

Images submitted for scanning queue for an analyzer. You can see an image's progress in Scan Queue.

When an image is submitted for scanning, its status changes its status changes from Queued to Sent for scanning and it's removed from Scan Queue within 24 hours. Images with the Invalid status are also removed within 24 hours.

Sophos Cloud Optix container image scanning uses regularly updated security vulnerability and package data from multiple sources, including:

  • Security advisories from Linux distribution vendors for distribution-specific packages (Alpine Linux, CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux, Ubuntu).
  • Package repository information from RubyGems and npm.
  • NIST National Vulnerability Database (NVD).

Sophos Cloud Optix updates vulnerability information multiple times per day and automatically updates vulnerability information for each container image in Scanned Images. This doesn't require repeat image scans.

If Sophos Cloud Optix sees that an image has changed after its initial scan, it's automatically submitted for re-scanning.