Scan OCI Images
Scan container images for known vulnerabilities and generate a Software Bill of Materials (SBOM).
Prerequisites
Before you begin, ensure you have:
- Docker installed on your system
- A personal access token from DevGuard (create one in user settings)
- A repository created in DevGuard
Scan Container Images
Scan a container image directly from a public registry:
What the Scanner Does
- Generates SBOM: Creates a complete inventory of all software components in your container
- Discovers Attestations: Automatically extracts relevant attestations (e.g., VEX documents) from base images
- Uploads Data: Sends the SBOM and discovered attestations to DevGuard
- Server-Side Scanning: DevGuard analyzes all components against its vulnerability database and returns results
Verify it worked: Navigate to your repository in DevGuard. You'll see detected vulnerabilities listed with severity scores, affected components, and fix recommendations.
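To make the four steps above concrete, here is an added, self-contained model of the pipeline. It is example code written for this page, not DevGuard's scanner or server code. It constructs a CycloneDX-style SBOM, an OpenVEX-style attestation of the kind a base image might carry, and a stand-in vulnerability table, then performs the server-side join: match components to known issues, drop findings the VEX document marks as not affected, and run a risk gate of the sort the "fail on risk level" option under Advanced Options describes. All component names, `EXAMPLE-*` identifiers, severities and field layouts are constructed for illustration and are not DevGuard's schema.

```python
"""Model of SBOM + VEX -> findings -> risk gate (added example, not DevGuard code)."""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample input: a CycloneDX-style SBOM for an image with three components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "libbar", "version": "4.0.0",
         "purl": "pkg:generic/libbar@4.0.0"},
        {"type": "library", "name": "libbaz", "version": "0.9.1",
         "purl": "pkg:generic/libbaz@0.9.1"},
    ],
})

# Constructed OpenVEX-style attestation, as a base image might ship it:
# the base-image vendor states that the libbar finding does not apply.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "EXAMPLE-0002"},
         "products": [{"@id": "pkg:generic/libbar@4.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
    ],
})

# Constructed stand-in for the server-side vulnerability database, keyed by purl.
# Identifiers are placeholders, not real advisories.
VULN_DB: Dict[str, List[Tuple[str, str]]] = {
    "pkg:generic/libfoo@1.2.3": [("EXAMPLE-0001", "medium")],
    "pkg:generic/libbar@4.0.0": [("EXAMPLE-0002", "critical")],
    "pkg:generic/libbaz@0.9.1": [("EXAMPLE-0003", "low"), ("EXAMPLE-0004", "high")],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def suppressed_pairs(vex_doc: dict) -> Set[Tuple[str, str]]:
    """Return (vuln_id, purl) pairs a VEX document marks as not_affected or fixed."""
    pairs: Set[Tuple[str, str]] = set()
    for statement in vex_doc.get("statements", []):
        if statement.get("status") not in ("not_affected", "fixed"):
            continue
        vuln_id = statement["vulnerability"]["name"]
        for product in statement.get("products", []):
            pairs.add((vuln_id, product["@id"]))
    return pairs


def analyze(sbom_json: str, vex_jsons: List[str]) -> List[dict]:
    """Join SBOM components against VULN_DB, dropping findings a VEX document suppresses.

    Passing an empty vex_jsons list models a scan with attestation discovery skipped.
    """
    sbom = json.loads(sbom_json)
    suppressed: Set[Tuple[str, str]] = set()
    for doc in vex_jsons:
        suppressed |= suppressed_pairs(json.loads(doc))
    findings = []
    for comp in sbom["components"]:
        purl = comp["purl"]
        for vuln_id, severity in VULN_DB.get(purl, []):
            if (vuln_id, purl) in suppressed:
                continue  # the attestation says this one does not apply here
            findings.append({"id": vuln_id, "purl": purl, "severity": severity})
    return findings


def max_severity(findings: List[dict]) -> str:
    """Highest severity among the remaining findings, or 'none'."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]


def exceeds_threshold(findings: List[dict], threshold: str) -> bool:
    """Risk gate: True when any remaining finding is at or above `threshold`."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    for label, vex in (("with VEX", [VEX_JSON]), ("without VEX", [])):
        found = analyze(SBOM_JSON, vex)
        print(f"{label}: {len(found)} findings, max severity {max_severity(found)}, "
              f"fail at 'high': {exceeds_threshold(found, 'high')}")
```

The two runs in the usage block show why attestation discovery matters: with the base image's VEX statement applied the critical finding disappears and the image passes a `critical` gate but still fails a `high` one; with attestations skipped the same SBOM fails both. Ignoring external references (the third option under Advanced Options) corresponds to loading only the inline statements, as this model does.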
CI/CD Integration
For automated container scanning in CI/CD pipelines, DevGuard provides ready-to-use integrations:
- GitHub Actions: See Scan with GitHub Actions for setup instructions
- GitLab CI: See Scan with GitLab CI for setup instructions
Advanced Options
Fail the command based on risk level:
Skip attestation discovery from the container image:
Ignore external references in attestations:
Specify an artifact name (useful when one repository tracks several artifacts, for example one OCI image containing a CLI and another containing the application):
Set a custom origin to track scan source:
Specify Git reference information: