Unified Agent - Docker Image Scan Flow
It is no longer recommended to scan Docker images using the Unified Agent. Instead, please use the Mend CLI (see "Scan your container images with the Mend CLI").
This article describes the full cycle of a Unified Agent Docker image scan.
Docker Image Scan Flow
1. Read Configuration - After the scan is triggered, the Unified Agent reads the configuration. The configuration priority is as follows:
   1. Command line
   2. Environment variables
   3. Configuration file specified under the "-c" parameter in the command line
   Offline mode is determined by offline=true in the configuration file.

2. Docker Image Extraction - If docker.scanImages=true in the configuration file, the Unified Agent looks locally for the images specified under the docker.includes parameter. If docker.pull.enable=true, the Unified Agent also looks remotely for the images specified under the docker.pull.images parameter. Supported remote locations are:
   - Amazon (docker.aws.enable=true). ECR configuration options can be found here.
   - Azure (docker.azure.enable=true). ACR configuration options can be found here.
   - Artifactory (docker.artifactory.enable=true). Artifactory configuration options can be found here.
   - Docker Hub (docker.hub.enabled=true). Docker Hub configuration options can be found here.
   - Google (docker.gcr.enable=true). GCR configuration options can be found here.

3. Resolver Detection - The Unified Agent runs the package manager dependency resolvers on each layer of the Docker image. To do that, it searches for manifest files such as pom.xml, package.json, build.gradle, requirements.txt, packages.config, go.mod and others, and then runs the relevant package manager commands to pull the list of dependencies.
   Example: for a Java project where mvn.resolveDependencies=true and mvn.runPreStep=true, the Unified Agent looks for pom.xml and, if found, executes the 'mvn install' command to get the dependency tree.

4. File System Scan Step (also known as a Flat Scan) - The Unified Agent scans each layer of the Docker image according to the includes/excludes parameter values provided in the configuration file (binary and source files).
   Example: if includes=**/*.js in the configuration file, the Unified Agent scans the entire image looking for .js files and includes them in the update request file.

5. Update Mend Inventory Step - The Unified Agent sends the update request to the Mend servers, where policies are checked, source files are mapped to their source file libraries, and the inventory is updated.
Docker image configuration options can be found here.
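The following configuration file is an added example that ties the steps above together; it is not taken from the Mend documentation or the Unified Agent distribution. It uses the parameters named on this page plus three assumed keys (apiKey, productName, projectName) that this page does not mention, and all values (image names, patterns, the API key placeholder) are constructed.

```properties
# Added example (not from the Mend documentation): a Unified Agent configuration
# that walks through the Docker image scan flow described above.
# Keys marked "assumed" are not mentioned on this page; values are constructed placeholders.

# Step 1: this file is passed with "-c"; command-line and environment settings take
# priority over anything set here.
# apiKey / productName / projectName are assumed keys, not taken from this page.
apiKey=<YOUR_ORG_API_KEY_PLACEHOLDER>
productName=payments-platform
projectName=payments-api-image
# offline=false so the update request is sent in step 5; offline=true keeps it local.
offline=false

# Step 2: Docker image extraction.
docker.scanImages=true
# Local images to scan (constructed pattern).
docker.includes=payments-api.*
# Also pull an image from a remote registry; only Docker Hub is enabled here.
docker.pull.enable=true
docker.pull.images=myorg/payments-api:1.4.2
docker.hub.enabled=true
docker.aws.enable=false
docker.azure.enable=false
docker.artifactory.enable=false
docker.gcr.enable=false

# Step 3: resolver detection. For Java layers, let the agent run 'mvn install'
# before it builds the dependency tree.
mvn.resolveDependencies=true
mvn.runPreStep=true

# Step 4: file system (flat) scan of every layer, limited to JavaScript sources here
# and skipping vendored modules (constructed patterns).
includes=**/*.js
excludes=**/node_modules/**
```

Because mvn.runPreStep=true makes the agent execute the image's own Maven build during step 3, run the scan on a host where executing that build is acceptable, and keep the includes/excludes patterns tight so the flat scan in step 4 does not upload more of the image than the inventory needs.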
Because the package manager resolvers and the file system scan run on every layer, it is best to copy your whole application into the container with a single command, so that everything is scanned together on the same layer.
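As an added illustration of the layering advice above (not a Dockerfile from the Mend documentation), the following compares a build that spreads manifests, sources and installed dependencies across several layers with one that lands the whole application on a single layer through one COPY. The base image, paths and commands are constructed for the example.

```dockerfile
# Added example (not from the Mend documentation); names and paths are constructed.

# Fragmented layout (shown commented out): package.json, the installed modules and the
# sources each end up on a different layer, so the resolver in step 3 and the flat scan
# in step 4 see them separately.
# FROM node:20-alpine
# WORKDIR /app
# COPY package.json package-lock.json ./
# RUN npm ci --omit=dev
# COPY src ./src

# Recommended layout: build in a separate stage, then copy the finished application
# (manifests, sources and node_modules) into the final image with a single COPY,
# so the resolvers and the flat scan process it together on one layer.
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci --omit=dev

FROM node:20-alpine
WORKDIR /app
COPY --from=build /app /app
CMD ["node", "src/server.js"]
```

The same idea applies to any ecosystem the agent resolves: whatever the build produces, the final image should receive the manifest files and the resolved dependencies in one step rather than across several.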