About container scanning
Container scanning improves the experience of managing risk found in containers by letting you manage that risk by container layer. When scanning a container using this feature, Black Duck creates a new type of project that manages a new container scan. The container project displays the aggregated BOM and risk, but it also provides a way to view risk layer by layer, specifically adding support for components that are added or removed on a layer.
How do I perform a container scan?
Container scans are performed with Detect by using the following option during a scan:
--detect.tools=CONTAINER_SCAN
See Container Scanning in the Detect documentation for more information on the container scanning process.
What is a container layer?
When Docker builds an image, the image is composed of layers, each of which represents a specific modification to the container. These modifications can include commands such as RUN, COPY, FROM, etc.
What is a container project?
The output of a container scan automatically creates a container project in Black Duck and associates the scan with the project as a project version. This project version cannot contain any other scan type. Multiple container scans can be mapped to a single project version.
The following are valid combinations of scans (code locations) that can be mapped to a single project version:
- Any combination of non-container scans mapped to a project version.
- One or many container scans mapped to a project version.
- One or many container scans along with one or many IaC/Malware scans mapped to the same project version.
All other combinations of mapped code locations are invalid, and the scan process will fail if mapping the corresponding code location would result in an invalid combination.
When you open the resulting BOM, the project's header will indicate that it is a container project:
To view the containers mapped to this project version, click the button. This opens a search modal in which you can either type the name of the container you want to view or select it from the presented list.

What is in a container project BOM?
The BOM created during a container scan is, in many ways, the same as a regular BOM generated by other scanning processes with a few differences:
- The left side of the container scan BOM displays a list of components found by layer. Here you can find more details on security risks found throughout the container. By default, only the layers with security risks are displayed, but you can check the Show Empty checkbox for a complete list of all layers in the container.
  Layers containing security risks display the following information:
  - The layer where the security risks are found.
  - The count of components with critical, high, medium, low, or no security risks.
  - The file size of the layer.
  - The number of components added to or removed from the container.
  Clicking an individual layer updates the table in the right-hand pane, which displays specific details on the components and security risks found on that layer. On layers where components have been removed, the removed components are grayed out, indicating that no action is required to remedy this security risk.
- The container scan BOM does not have a Source tab, which would allow you to manage the files associated with BOM components.
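Added example, not Black Duck or Detect code: a Python model of how the per-layer "added" and "removed" counts described above (and the layer concept from "What is a container layer?") can be derived from ordered image layers. It assumes the OCI layer tar conventions for deletions (a ".wh.<name>" entry hides a lower-layer path, ".wh..wh..opq" clears a directory) and uses constructed sample layers standing in for a FROM / RUN install / RUN remove sequence; Black Duck's own component matching is not reproduced.

```python
from dataclasses import dataclass, field

WHITEOUT = ".wh."          # ".wh.<name>" hides <name> from lower layers
OPAQUE = ".wh..wh..opq"    # clears everything below its directory

@dataclass
class LayerDiff:
    layer: int
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)

def diff_layers(layers: list[list[str]]) -> list[LayerDiff]:
    """Walk layers bottom-up, tracking the visible filesystem, and report what
    each layer adds (paths new to the image) and removes (whiteout markers)."""
    visible: set[str] = set()
    diffs: list[LayerDiff] = []
    for index, entries in enumerate(layers):
        diff = LayerDiff(layer=index)
        # Whiteouts act on lower layers only, so apply them before this
        # layer's own additions whatever order the tar archive lists them in.
        for entry in sorted(entries, key=lambda e: not e.rpartition("/")[2].startswith(WHITEOUT)):
            directory, _, name = entry.rpartition("/")
            if name == OPAQUE:
                prefix = directory + "/" if directory else ""
                gone = sorted(p for p in visible if p.startswith(prefix))
                diff.removed.extend(gone)
                visible.difference_update(gone)
            elif name.startswith(WHITEOUT):
                target = "/".join(filter(None, [directory, name[len(WHITEOUT):]]))
                if target in visible:
                    diff.removed.append(target)
                    visible.discard(target)
            elif entry not in visible:
                diff.added.append(entry)
                visible.add(entry)
        diffs.append(diff)
    return diffs

# Constructed sample: layer 0 is the base (FROM), layer 1 installs a package (RUN),
# layer 2 deletes it again (RUN). The files still sit inside layer 1's archive;
# layer 2 only hides them from the final filesystem view.
SAMPLE_LAYERS = [
    ["bin/sh", "lib/libc.so"],
    ["usr/bin/curl", "usr/lib/libcurl.so"],
    ["usr/bin/.wh.curl", "usr/lib/.wh.libcurl.so", "etc/app.conf"],
]

def summarize(layers=SAMPLE_LAYERS) -> list[tuple[int, int, int]]:
    """Per layer: (index, paths added, paths removed), the counts a layer list would show."""
    return [(d.layer, len(d.added), len(d.removed)) for d in diff_layers(layers)]
```

Layer 2 reports two removals and one addition; the removed paths are exactly those a BOM would gray out, since they are no longer present in the image's final filesystem even though layer 1 still carries them.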
What can I do with a container scan BOM?
As mentioned above, a container scan BOM is much like a regular BOM. For more information on how to manage the information in a BOM, please see Understanding the information in a project version's BOM.