Follow our [roadmap](https://roadmap.codacy.com) for updates on this feature.
681
+
682
+
## Container scanning {: id="container-scanning"}
683
+
684
+
Container Scanning is a technique to scan your container image's dependencies for known vulnerabilities. The **Security and risk management > App scanning** page allows you to setup scans that run automatically every night, and surface actionable security findings as new vulnerabilities get discovered.
685
+
686
+
### How our Container Image Scanning Works
687
+
688
+
The security tool analyzes your upload SBOM (Software Bill of Materials) files to find vulnerabilities in your container images. An SBOM of a container lists all the dependencies included in the image, which in turn allows the scanner to search for known vulnerabilities (CVEs).
689
+
690
+
#### High-level flow
691
+
1. Image SBOMs are received either via CI/CD integration or manual upload
692
+
2. The image dependencies are scanned against Trivy's vulnerability databases
693
+
3. Results appear in the UI after processing
694
+
695
+
#### Scan Frequency
696
+
1. Proactive scans run automatically once per day
697
+
2. Scans are executed every night (UTC) and the findings are updated automatically
698
+
699
+
No manual action is required to trigger scans after the initial setup.
700
+
701
+
### Container scanning setup
702
+
703
+
You can set up container scanning in one of two ways: by connecting your CI/CD pipeline or by importing your container image manually. Once configured, your image dependencies are scanned daily and results will appear in the Image card list.
704
+
705
+
#### CI/CD Integration
706
+
You must authenticate the Codacy CLI so your pipeline can securely send your image SBOM to Codacy.
707
+
708
+

709
+
710
+
In order to do that, you need to:
711
+
Get the API token and set up the environment variable as showed in the UI;
712
+
Install and run Codacy CLI in your pipeline to upload results.
713
+
714
+
When CI/CD is configured:
715
+
Images pushed through your pipeline are automatically detected
716
+
New tags are picked up as they are published
717
+
Scans are scheduled automatically
718
+
719
+
This is the recommended setup for continuous coverage.
720
+
721
+
#### Manual Upload
722
+
You can also manually upload your container's Software Bill of Materials (SBOM) in CycloneDX or SPDX format.
723
+
724
+

725
+
726
+
In order to do that, you need to:
727
+
1. Add an image name;
728
+
2. Add an image tag;
729
+
3. Upload your container image file.
730
+
1. Environment and repository fields are optional.
731
+
732
+
!!! note
733
+
You can use the [Codacy CLI v2](https://github.com/codacy/codacy-cli-v2) to generate and upload your SBOM file to Codacy.
734
+
735
+
736
+
737
+
### Image card list
738
+
739
+
The Image card list provides an overview of all container images and their last added tag.
740
+
741
+

742
+
743
+
For each image, you can see:
744
+
- Image name
745
+
- The most recent tag pushed for this image
746
+
- Options and entry point to check all image tags.
747
+
748
+
By clicking the card for a specific image, you will see a list of all tags for that image.
749
+
750
+

751
+
752
+
For the image tags, the list is sorted by latest uploaded, and the information includes:
753
+
- Tag used
754
+
- Environment (optional field)
755
+
- Last analysis: Date of the last scan for that tag
756
+
- Button to delete that image tag
757
+
758
+
Once a tag is scanned, you can click on the `check findings` link to access the findings page filtered by the respective results.
759
+
760
+
!!! important
761
+
Findings are tied to specific image tags. To resolve a finding, "bump" the tag to a newer version if a fixed version exists (if not, a downgrade or an alternative image may be required).
762
+
For dynamic tags such as latest, Codacy will automatically close findings that are no longer present in the current analysis. If you use static tags, you will need to delete tags that are no longer used, as we have a limit of 1000 tags per organization.
763
+
764
+
### Deleting container image files from Codacy
765
+
766
+

767
+
768
+
What happens when you delete an image:
769
+
- The image is permanently removed
770
+
- All associated image tags are deleted
771
+
- Scan history and results for that image are removed
772
+
773
+
!!! important
774
+
This action cannot be undone.
775
+
You can also delete a specific tag inside an image card.
776
+
777
+
### No Results Yet
778
+
779
+
If there is no last analysis date for an image tag, it means that the SBOM file was received but the scan has not been completed yet. The most likely scenario is that an analysis hasn't been executed yet.
780
+
!!! note
781
+
Remember that scans run nightly (UTC). If you just uploaded the SBOM file, but need results immediately consider using our [Codacy CLI v2](https://github.com/codacy/codacy-cli-v2) to run a local analysis to scan for any issues.
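Review bot: In the Manual Upload steps, step 3 "Upload your container image file." contradicts the paragraph just above it, which says the manual path accepts an SBOM in CycloneDX or SPDX format, and the "Deleting container image files from Codacy" heading repeats the same confusion; change step 3 to "Upload your SBOM file." and retitle the heading to "Deleting container images from Codacy" so readers do not try to upload an image archive. The line "1. Environment and repository fields are optional." restarts the numbering after step 3 and is not a step at all; make it a plain sentence or note after the list. "How our Container Image Scanning Works" reads "analyzes your upload SBOM", which should be "uploaded SBOM", and the CI/CD section has "as showed in the UI", which should be "as shown in the UI". The CI/CD items "Get the API token and set up the environment variable..." / "Install and run Codacy CLI..." and the three "When CI/CD is configured:" items have no list markers, so they will render as run-on paragraphs; prefix them with "1." / "2." and "-" respectively as the rest of the file does. Five image embeds have an empty path and alt text (the `![]()` lines under CI/CD Integration, Manual Upload, Image card list, the tag list and the deletion section); either supply the screenshot paths and descriptive alt text or drop the empty embeds before merge. In "No Results Yet", the two sentences "the scan has not been completed yet" and "an analysis hasn't been executed yet" say the same thing; keep one.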