Common scenarios & recipes

Scan local image, built using docker

#Build the image locally
docker build -t <image-name> .

#Scan the image, available on local docker. Mounting docker socket is required
docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    quay.io/sysdig/secure-inline-scan:2 \
    --sysdig-url <omitted> \
    --sysdig-token <omitted> \
    --storage-type docker-daemon \
    --storage-path /var/run/docker.sock \
    <image-name>

Local image (provided docker archive)

Assuming the image <image-name> is available as an image tarball at image.tar.

For example, the command docker save <image-name> -o image.tar creates a tarball for <image-name>.

docker run --rm \
    -v ${PWD}/image.tar:/tmp/image.tar \
    quay.io/sysdig/secure-inline-scan:2 \
    --sysdig-url <omitted> \
    --sysdig-token <omitted> \
    --storage-type docker-archive \
    --storage-path /tmp/image.tar \
    <image-name>

Public registry image

Example: scan the alpine image from a public registry. The scanner pulls the image and then scans it.

docker run --rm \
    quay.io/sysdig/secure-inline-scan:2 \
    --sysdig-url <omitted> \
    --sysdig-token <omitted> \
    alpine

Private registry image

To scan images from private registries, you might need to provide credentials:

docker run --rm \
    quay.io/sysdig/secure-inline-scan:2 \
    --sysdig-url <omitted> \
    --sysdig-token <omitted> \
    --registry-auth-basic <user:passw> \
    <image-name>

Authentication methods available are:

Containers-storage (cri-o, podman, buildah and others)

Scan images from container runtimes using containers-storage format:

#Build an image using buildah from a Dockerfile
buildah build-using-dockerfile -t myimage:latest

#Scan the image. Options '-u root' and '--privileged' might be needed depending
#on the access permissions for /var/lib/containers
docker run \
    -u root --privileged \
    -v /var/lib/containers:/var/lib/containers \
    quay.io/sysdig/secure-inline-scan:2 \
    --storage-type cri-o \
    --sysdig-token <omitted> \
    localhost/myimage:latest

Example for an image pulled with podman

podman pull docker.io/library/alpine

#Scan the image. Options '-u root' and '--privileged' might be needed depending
#on the access permissions for /var/lib/containers
docker run \
    -u root --privileged \
    -v /var/lib/containers:/var/lib/containers \
    quay.io/sysdig/secure-inline-scan:2 \
    --storage-type cri-o \
    --sysdig-token <omitted> \
    docker.io/library/alpine

Using a proxy

To use a proxy, set the standard http_proxy and https_proxy variables when running the container.

Example:

docker run --rm \
    -e http_proxy="http://my-proxy:3128" \
    -e https_proxy="http://my-proxy:3128" \
    quay.io/sysdig/secure-inline-scan:2 \
    --sysdig-url <omitted> \
    --sysdig-token <omitted> \
    alpine

Both the http_proxy and the https_proxy variable are required, because some of the tools involved use per-scheme proxy settings.

The no_proxy variable can be used to define a list of hosts that don't go through the proxy.
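The recipes above differ only in which host path is mounted into the scanner container and which --storage-type (and mount, user and privilege options) is passed. The following POSIX sh wrapper, an added example that is not part of the secure-inline-scan project, encodes that choice once so a CI job can call a single function for a daemon image, a docker-archive tarball, containers-storage (cri-o/podman/buildah) or a registry pull. Names that are this example's own assumptions, not scanner options: the Sysdig URL and token are read from SYSDIG_URL and SYSDIG_TOKEN (the scanner itself still receives them as --sysdig-url and --sysdig-token, exactly as shown above), REGISTRY_AUTH holds an optional user:password for --registry-auth-basic, and DRY_RUN=1 prints the assembled command with the token masked instead of running it. The proxy variables are passed through only when http_proxy is set, and https_proxy falls back to the same value because the scanner needs both. The tarball path is made absolute and checked for existence before it is mounted, since docker creates an empty directory at a -v host path that does not exist.

```shell
#!/bin/sh
# Added example (not project code): one wrapper for every scenario on this page.
# Assumed conventions of this example only:
#   SYSDIG_URL / SYSDIG_TOKEN  read from the environment, passed on as --sysdig-url/--sysdig-token
#   REGISTRY_AUTH              optional user:password for private registries
#   DRY_RUN=1                  print the command (token masked) instead of running it
set -eu

SCANNER_IMAGE="quay.io/sysdig/secure-inline-scan:2"

# scan_image SOURCE LOCATION IMAGE
#   SOURCE    daemon | archive | containers-storage | registry
#   LOCATION  docker socket, image tarball, /var/lib/containers, or "-" for registry
#   IMAGE     image reference as the scanner should see it
scan_image() {
    src="$1"; location="$2"; image="$3"
    : "${SYSDIG_URL:?SYSDIG_URL must be set}" "${SYSDIG_TOKEN:?SYSDIG_TOKEN must be set}"

    set -- docker run --rm

    # Proxy: both per-scheme variables are needed, so pass both whenever
    # http_proxy is set; https_proxy falls back to the same value.
    if [ -n "${http_proxy:-}" ]; then
        set -- "$@" -e "http_proxy=$http_proxy" -e "https_proxy=${https_proxy:-$http_proxy}"
        if [ -n "${no_proxy:-}" ]; then
            set -- "$@" -e "no_proxy=$no_proxy"
        fi
    fi

    # Docker-side options (mounts, user, privileges) go before the scanner
    # image; scanner options go after it.
    case "$src" in
        daemon)
            set -- "$@" -v "$location:/var/run/docker.sock" "$SCANNER_IMAGE" \
                   --storage-type docker-daemon --storage-path /var/run/docker.sock ;;
        archive)
            # Bind mounts need an absolute host path, and a missing host path
            # would make docker create an empty directory instead of failing.
            case "$location" in /*) ;; *) location="$PWD/${location#./}" ;; esac
            [ -f "$location" ] || { echo "no such image tarball: $location" >&2; return 2; }
            set -- "$@" -v "$location:/tmp/image.tar" "$SCANNER_IMAGE" \
                   --storage-type docker-archive --storage-path /tmp/image.tar ;;
        containers-storage)
            set -- "$@" -u root --privileged -v "$location:/var/lib/containers" "$SCANNER_IMAGE" \
                   --storage-type cri-o ;;
        registry)
            set -- "$@" "$SCANNER_IMAGE"
            if [ -n "${REGISTRY_AUTH:-}" ]; then
                set -- "$@" --registry-auth-basic "$REGISTRY_AUTH"
            fi ;;
        *)
            echo "unknown source '$src' (daemon|archive|containers-storage|registry)" >&2
            return 2 ;;
    esac

    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Dry run: print the command with the token masked, so the output is
        # safe to keep in CI logs.
        set -- "$@" --sysdig-url "$SYSDIG_URL" --sysdig-token '<token>' "$image"
        printf '%s\n' "$*"
    else
        set -- "$@" --sysdig-url "$SYSDIG_URL" --sysdig-token "$SYSDIG_TOKEN" "$image"
        "$@"
    fi
}
```

Typical use in a pipeline is `DRY_RUN=1 scan_image archive ./image.tar myimage:1.0` once to review the command, then the same call without DRY_RUN; the function's exit status is the scanner's, so a failing scan fails the job.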

Other integrations and examples

In this repository you can find the following examples in alphabetical order:

Other sources of information

The following content is related to inline scanning, and lives outside this repository.

Integrations

These integrations have a specific entry in their respective CI/CD catalogs:

Documentation pages

Official documentation pages are kept current with the features provided by the inline scanner, but their explanations may be brief:

Blog articles

Blog articles contain detailed step-by-step information, but may be out of date with respect to the current implementation:

Contributing

If you find that a related topic lacks enough information, or a problem with any of the existing examples, please file an issue in this repository. Pull requests to amend any existing information or examples are also welcome.