Docker Image Integration
Overview
You can scan Docker containers by running the Unified Agent in Docker mode using the docker.scanImages parameter.
In this mode, the installed Linux packages are detected, and a general scan of the image file system is performed for package-manager-based dependency resolution and for identification of source files and binaries.
When scanning an RPM-based Docker container, RPM database compatibility between the container and the machine on which the scan runs increases the accuracy of the results.
Prerequisites
Docker installed
Unified Agent version 18.2.2 and above
The relevant package manager must be installed. For details, see Getting Started with the Unified Agent | Prerequisites.
When scanning a Docker image on Windows, the CMD tool must be executed with the 'Run as Administrator' option.
Configurations
Set the Boolean property docker.scanImages in the config file to true. This setting runs a docker images command in the background and parses the output line by line, applying the docker.includes and docker.excludes GLOB patterns to select which of the existing Docker images to scan.
Set the GLOB pattern properties docker.includes and docker.excludes.
Set the Integer property 'archiveExtractionDepth' when you wish to extract archive files from the Docker image.
NOTE: When the Unified Agent is configured with docker.scanImages=true, the non-docker excludes\includes parameters will not be ignored during the scan. Specifying settings in the non-docker includes\excludes parameters will only affect files that were detected through a fileSystemScan.
Example
docker.scanImages=true
docker.includes=.*alpine.*
docker.excludes=.*2017.10.01.* .*2017.06.01.*
The above example configures the Unified Agent to scan all the Docker repositories whose names match .*alpine.*, except for the two image tags listed in docker.excludes.
Alternatively, you can leave both the docker.includes and docker.excludes parameters commented out if you want to scan all your images.
The scanner saves the selected images and scans their file systems and installed packages.
It scans all the image layers, and handles archive files in the layers based on the value in the property 'archiveExtractionDepth'.
The Docker image is saved to the temporary directory defined in your environment and is deleted immediately after the scan.
The scanning results are displayed in a new Mend project. The docker.projectNameFormat parameter determines the project name format (only relevant when docker.scanTarFiles=False):
If the value is set to default, the project name created in Mend comprises the Docker repository name, tag and ID, in the following format:
<Image Name> <Image Tag> <Image ID>
If the value is set to repositoryNameAndTag, then the project name created in Mend comprises the Docker repository name and tag, in the following format:
<Image Name> <Image Tag>
If the value is set to repositoryName, the project name comprises only the Docker repository name:
<Image Name>
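As an added illustration (not part of the Mend documentation or the Unified Agent's code), the following Python script previews which images the configuration example above would select from a docker images listing, and what project name each would get under the three docker.projectNameFormat values. It assumes the include/exclude patterns are whitespace-separated regular expressions applied to the 'repository:tag' string, as the example's syntax suggests; the agent's exact matching rules are not described on this page, and the listing is constructed sample data.

```python
import re

# Constructed sample of `docker images` output (not captured from a real host).
SAMPLE_DOCKER_IMAGES = """\
REPOSITORY          TAG          IMAGE ID       CREATED        SIZE
alpine              3.18         7e01a0d0a1dc   2 weeks ago    7.33MB
alpine              2017.10.01   0a1b2c3d4e5f   6 years ago    4.15MB
alpine              2017.06.01   1b2c3d4e5f60   6 years ago    3.97MB
myorg/alpine-base   latest       2c3d4e5f6071   3 days ago     12.1MB
ubuntu              22.04        3d4e5f607182   1 month ago    77.8MB
"""

# Include/exclude values are taken from the page's configuration example.
CONFIG = {
    "docker.includes": ".*alpine.*",
    "docker.excludes": ".*2017.10.01.* .*2017.06.01.*",
    "docker.projectNameFormat": "default",
}

def parse_docker_images(output):
    """Parse the tabular `docker images` listing into repository/tag/id records."""
    rows = output.strip().splitlines()[1:]  # skip the header line
    return [dict(zip(("repository", "tag", "id"), line.split()[:3])) for line in rows]

def select_images(images, includes, excludes):
    """Keep images matching any include pattern and no exclude pattern. Assumption: the
    patterns are whitespace-separated regexes applied to 'repository:tag' (not documented here)."""
    inc = [re.compile(p) for p in includes.split()]
    exc = [re.compile(p) for p in excludes.split()]
    chosen = []
    for img in images:
        name = f"{img['repository']}:{img['tag']}"
        if any(p.fullmatch(name) for p in inc) and not any(p.fullmatch(name) for p in exc):
            chosen.append(img)
    return chosen

def project_name(img, fmt):
    """Build the Mend project name for each documented docker.projectNameFormat value."""
    if fmt == "default":
        return f"{img['repository']} {img['tag']} {img['id']}"
    if fmt == "repositoryNameAndTag":
        return f"{img['repository']} {img['tag']}"
    if fmt == "repositoryName":
        return img["repository"]
    raise ValueError(f"unknown docker.projectNameFormat: {fmt}")

def preview(output=SAMPLE_DOCKER_IMAGES, config=CONFIG):
    """Return the project names the configured scan would create, one per selected image."""
    images = select_images(parse_docker_images(output), config["docker.includes"], config["docker.excludes"])
    return [project_name(img, config["docker.projectNameFormat"]) for img in images]
```

To check a real configuration before starting a scan, pass the output of docker images from your own host to preview() instead of the constructed sample.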