Container scanning is the process of identifying security weaknesses in container images. Those weaknesses typically come from outdated or vulnerable software and packages baked into the image layers, including packages inherited from the base image. SOOS container scanning works much like SOOS SCA; the difference is that instead of analyzing manifest files, SOOS analyzes the contents of the container image itself. The main steps are:
- Container Image Analysis: SOOS inspects the container image to identify the software, libraries, and packages it contains.
- Dependency Tree Creation: Starting from the directly referenced software and packages, SOOS's patented dependency resolution engine builds the full dependency tree and calculates each package's introduction path, that is, the chain of dependencies through which the package entered the image.
- Vulnerability Matching: Using the full set of packages and dependencies, SOOS matches each package and version against known vulnerabilities.
- License Matching: Using the same set of packages and dependencies, SOOS identifies each package's license, allowing licenses to be managed through SOOS's Governance engine.
- Governance Policies: SOOS's suite of governance policies can be run against the packages and licenses identified during container image analysis.
- Issue Creation: Issues are created for vulnerabilities, governance policy violations, unknown packages, and more.
- Report Generation: A report is generated for each analyzed container image and is accessible from the SOOS Developer, Legal, Security, and Compliance dashboards.
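To make the pipeline above concrete, here is an added example that walks a constructed image inventory through the same stages: dependency tree and introduction paths, version-range vulnerability matching, license lookup, and policy evaluation into issues. It is illustrative code written for this page, not SOOS's code and not a description of how SOOS's engine is implemented. The package names, versions, advisory ids (ADV-0001 etc.) and the policy are all hypothetical.

```python
"""Toy container-image scan pipeline (added example; not SOOS code)."""

# Constructed inventory standing in for what image analysis would extract from
# the image layers. Names, versions and licenses are hypothetical.
IMAGE_INVENTORY = {
    "web-app":    {"version": "1.4.0", "deps": ["http-lib", "json-lib"], "license": "MIT"},
    "http-lib":   {"version": "2.3.1", "deps": ["tls-lib", "json-lib"],  "license": "Apache-2.0"},
    "tls-lib":    {"version": "1.0.2", "deps": [],                       "license": "GPL-3.0"},
    "json-lib":   {"version": "3.9.0", "deps": [],                       "license": "MIT"},
    "base-utils": {"version": "5.2.0", "deps": [],                       "license": None},
}
# Directly referenced software found in the image (the application plus an
# OS-level package inherited from the base image).
ROOTS = ["web-app", "base-utils"]

# Constructed advisories (hypothetical ids). An advisory affects versions in
# the half-open range [introduced, fixed); fixed=None means no fix yet.
ADVISORIES = [
    {"id": "ADV-0001", "package": "tls-lib",  "introduced": "1.0.0", "fixed": "1.0.3", "severity": "critical"},
    {"id": "ADV-0002", "package": "json-lib", "introduced": "3.0.0", "fixed": "3.8.0", "severity": "high"},
    {"id": "ADV-0003", "package": "http-lib", "introduced": "2.3.0", "fixed": None,    "severity": "medium"},
]

# Hypothetical governance policy.
POLICY = {"denied_licenses": {"GPL-3.0"}, "block_severities": {"critical", "high"}}


def parse_version(v):
    """Dotted numeric version -> tuple, so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def build_dependency_tree(inventory, roots):
    """Return {package: [introduction paths]} for everything reachable from roots.

    A path is the chain of parents through which the package entered the image,
    e.g. ['web-app', 'http-lib', 'tls-lib']. Shortest paths are listed first.
    """
    paths = {}

    def walk(name, chain):
        if name in chain:  # guard against dependency cycles
            return
        chain = chain + [name]
        paths.setdefault(name, []).append(chain)
        for dep in inventory[name]["deps"]:
            walk(dep, chain)

    for root in roots:
        walk(root, [])
    for package_paths in paths.values():
        package_paths.sort(key=len)
    return paths


def is_affected(version, introduced, fixed):
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_vulnerabilities(inventory, advisories):
    """Match each installed package/version against the advisory ranges."""
    return [
        {"package": a["package"], "version": inventory[a["package"]]["version"],
         "id": a["id"], "severity": a["severity"]}
        for a in advisories
        if a["package"] in inventory
        and is_affected(inventory[a["package"]]["version"], a["introduced"], a["fixed"])
    ]


def evaluate_policies(inventory, tree, findings, policy):
    """Turn vulnerability findings and license data into policy issues."""
    issues = []
    for f in findings:
        if f["severity"] in policy["block_severities"]:
            issues.append({"kind": "vulnerability", "package": f["package"], "id": f["id"],
                           "via": " > ".join(tree[f["package"]][0])})
    for name, meta in inventory.items():
        via = " > ".join(tree.get(name, [[name]])[0])
        if meta["license"] is None:
            issues.append({"kind": "unknown-license", "package": name, "via": via})
        elif meta["license"] in policy["denied_licenses"]:
            issues.append({"kind": "license", "package": name, "license": meta["license"], "via": via})
    return issues


def scan_image(inventory=IMAGE_INVENTORY, roots=ROOTS, advisories=ADVISORIES, policy=POLICY):
    """Run the whole pipeline and return the per-image report data."""
    tree = build_dependency_tree(inventory, roots)
    findings = match_vulnerabilities(inventory, advisories)
    issues = evaluate_policies(inventory, tree, findings, policy)
    return {"tree": tree, "findings": findings, "issues": issues}


if __name__ == "__main__":
    report = scan_image()
    for f in report["findings"]:
        print(f"{f['id']} {f['severity']:<8} {f['package']}@{f['version']}")
    for i in report["issues"]:
        print(f"ISSUE {i['kind']:<15} {i['package']:<10} via {i['via']}")
```

Two details are worth noting. Versions are compared numerically, since a string comparison would place "1.0.10" before "1.0.3" and silently miss affected versions. And json-lib appears twice in the tree (directly under web-app and transitively via http-lib), so the introduction path reported for a finding is the shortest one, which is the edge a developer would actually change to remediate.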