Scanning Docker images with the Unified Agent is no longer recommended. Use the Mend CLI instead (see: Scan your container images with the Mend CLI).
This article describes the full cycle of a Unified Agent Docker image scan.
Docker Image Scan Flow
- Read Configuration: after the scan is triggered, the Unified Agent reads its configuration. When the same parameter is set in more than one place, the priority is (highest first):
  - Command line
  - Environment variables
  - Configuration file specified with the "-c" parameter on the command line
  Offline mode is determined by offline=true in the configuration file.
- Docker Image Extraction: if docker.scanImages=true in the configuration file, the Unified Agent looks locally for the images matching the docker.includes parameter. If docker.pull.enable=true, it also pulls the images matching the docker.pull.images parameter from a remote registry. Supported remote locations are:
  - Amazon ECR (docker.aws.enable=true). ECR configuration options can be found here.
  - Azure ACR (docker.azure.enable=true). ACR configuration options can be found here.
  - Artifactory (docker.artifactory.enable=true). Artifactory configuration options can be found here.
  - Docker Hub (docker.hub.enabled=true). Docker Hub configuration options can be found here.
  - Google GCR (docker.gcr.enable=true). GCR configuration options can be found here.
- Resolver Detection: the Unified Agent runs the package manager dependency resolvers on each layer of the Docker image. It searches each layer for manifest files such as pom.xml, package.json, build.gradle, requirements.txt, packages.config and go.mod, and then runs the relevant package manager commands to obtain the list of dependencies.
  For example, for a Java project where mvn.resolveDependencies=true and mvn.runPreStep=true, the Unified Agent looks for pom.xml and, if found, runs 'mvn install' as a pre-step before resolving the dependency tree. Note that a pre-step executes build tooling (and any build plugins) against the contents of the image layer, so enable it only for images whose content you trust.
- File System Scan Step (also known as a Flat Scan): the Unified Agent scans each layer of the Docker image, binary and source files alike, according to the includes/excludes parameter values in the configuration file.
  For example, if includes=**/*.js in the configuration file, the Unified Agent scans the entire image for .js files and adds them to the update request file.
- Update Mend Inventory Step: the Unified Agent sends the update request to the Mend servers, where policies are checked, source files are mapped to their source file libraries, and the inventory is updated.
Docker image configuration options can be found here.
Because the package manager resolvers and the file system scan run on every layer separately, it is best to copy your whole application into the container with a single instruction (for example one COPY of the application directory rather than several COPY instructions for its parts), so that everything is scanned together on the same layer.
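The flow above, tied together as an added example that is not part of this article or of Mend's own code: a shell script that writes a Unified Agent configuration for a local image scan (the parameter names are the ones described above), writes a Dockerfile that copies the application in a single layer, and runs the agent with the configuration passed through -c. The product and project names, the image name regex, the server URL placeholder, the base image, the include/exclude patterns, and the WS_APIKEY environment variable are assumptions for illustration; -apiKey and -projectName on the command line show command-line values taking priority over the file.

```shell
#!/bin/sh
# Added example (not Mend's code). Writes a Unified Agent config for a local
# Docker image scan and a single-layer Dockerfile, then runs the scan if the
# agent jar and an API key are available. All names below are assumptions.
set -eu

write_ua_config() {
  # $1 = path of the configuration file to write (passed later with -c)
  cat > "$1" <<'EOF'
# Core settings. apiKey is deliberately not stored here; it is passed on the
# command line from an environment variable (see run_scan).
wss.url=https://<your-mend-server>/agent
productName=payments-platform
projectName=payments-api-image

# Docker Image Extraction: scan local images whose name matches the regex.
docker.scanImages=true
docker.includes=.*payments-api.*
# No remote registry pull in this example; enable one registry plus
# docker.pull.enable/docker.pull.images to scan images that are not local.
docker.pull.enable=false
docker.aws.enable=false
docker.azure.enable=false
docker.artifactory.enable=false
docker.hub.enabled=false
docker.gcr.enable=false

# Resolver Detection: resolve Maven dependencies per layer, but skip the
# 'mvn install' pre-step, which would execute build plugins from image content.
mvn.resolveDependencies=true
mvn.runPreStep=false

# File System Scan (Flat Scan): what to match on every layer.
includes=**/*.jar **/*.js **/*.py
excludes=**/node_modules/** **/test/**

# Online mode: the update request is sent to Mend.
offline=false
EOF
}

write_dockerfile() {
  # $1 = Dockerfile path. One COPY puts the whole application into a single
  # layer, so the resolvers and the flat scan see it together.
  cat > "$1" <<'EOF'
FROM eclipse-temurin:17-jre
WORKDIR /app
COPY . /app
ENTRYPOINT ["java", "-jar", "/app/payments-api.jar"]
EOF
}

run_scan() {
  # $1 = configuration file. Command-line parameters have the highest
  # priority, so -projectName here overrides projectName in the file.
  java -jar wss-unified-agent.jar -c "$1" \
    -apiKey "$WS_APIKEY" \
    -projectName "payments-api-image-${CI_COMMIT_SHA:-local}"
}

write_ua_config wss-unified-agent.config
write_dockerfile Dockerfile
if [ -f wss-unified-agent.jar ] && [ -n "${WS_APIKEY:-}" ]; then
  run_scan wss-unified-agent.config
else
  echo "wss-unified-agent.jar or WS_APIKEY not available; files written only" >&2
fi
```

Build the image from the generated Dockerfile first (docker build -t payments-api .), so that an image matching docker.includes exists locally when the agent runs. To scan an image held in a registry instead, set docker.pull.enable=true, list the image in docker.pull.images, and enable the matching registry flag (for example docker.aws.enable=true for ECR) together with that registry's own configuration options.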