7 Scanning Container Images and Containers

To scan containers or container images, use the oscap-podman command. The oscap-podman command assesses vulnerabilities in the container or image and checks compliance with security policies similarly to the oscap command. The tool uses offline scanning to perform all assessments and checks by performing a temporary read-only mount of the container or image file system. No changes are made to the container or image and no other tools are required within the container or image.

  1. Obtain the ID of the container or image.

    To retrieve the ID of a container or an image, run one of the following commands. The first lists all containers (including stopped ones); the second lists local images:

    podman ps -a
    podman images
  2. Scan the image using an OVAL file.

    To scan an image for vulnerabilities using the OVAL CVE stream that matches the image variant and to output the result in HTML format, run the following command, replacing id with the container or image ID from step 1 and oval-file with the OVAL definitions file:

    sudo oscap-podman id oval eval --report reports.html oval-file
  3. Scan the image using an XCCDF checklist.

    To scan an image for compliance with a security policy specified in an XCCDF checklist and to output the result in HTML format, run the following command, replacing id with the container or image ID and profile-id with a profile defined in the data stream. Use the data stream that matches the OS release inside the image; the Oracle Linux 10 data stream is shown here. The --fetch-remote-resources option lets oscap download any remote OVAL content the data stream references, so the host needs network access for it:

    sudo oscap-podman id xccdf eval \
      --fetch-remote-resources \
      --profile profile-id \
      --results results.xml \
      --report report.html \
      /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml
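The following script, added here as an example and not part of the Oracle Linux documentation or the oscap-podman tool, chains the three steps above for one image: it resolves the image name to its ID with podman inspect, runs the OVAL and XCCDF scans, and turns each scan's exit status into a verdict. It relies on the exit status convention documented in oscap(8) (0 = passed, 1 = error, 2 = evaluation completed but the target is non-compliant) and assumes oscap-podman returns oscap's status unchanged. The image name, profile ID and OVAL file are placeholders supplied on the command line; the report file names are the script's own choice.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): drive the
# oscap-podman procedure end to end for a single image.
# Assumes: podman and oscap-podman are installed, the caller may run sudo,
# and the OL10 SSG data stream lives at the path used in the procedure.
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml

# Step 1: resolve an image name, tag or partial ID to the full image ID.
image_id() {
    podman inspect --type image --format '{{.Id}}' "$1" 2>/dev/null
}

# Map oscap's documented exit status to a verdict (oscap(8)):
#   0 = all checks passed / nothing flagged
#   2 = scan finished, but at least one check flagged the target
#   anything else = the scan itself failed, so there is no result to trust
# oscap-podman is assumed to pass oscap's status through unchanged.
scan_verdict() {
    case "$1" in
        0) echo "pass" ;;
        2) echo "findings" ;;
        *) echo "error" ;;
    esac
}

# Step 2: OVAL vulnerability scan with an HTML report.
#   $1 = image ID, $2 = OVAL definitions file, $3 = report path
scan_oval() {
    rc=0
    sudo oscap-podman "$1" oval eval --report "$3" "$2" || rc=$?
    scan_verdict "$rc"
}

# Step 3: XCCDF compliance scan against a profile in the OL10 data stream.
#   $1 = image ID, $2 = profile ID, $3 = results XML, $4 = HTML report
scan_xccdf() {
    rc=0
    sudo oscap-podman "$1" xccdf eval \
        --fetch-remote-resources \
        --profile "$2" \
        --results "$3" \
        --report "$4" \
        "$DS" || rc=$?
    scan_verdict "$rc"
}

main() {
    image=$1 profile=$2 oval=$3
    id=$(image_id "$image")
    if [ -z "$id" ]; then
        echo "image not found: $image" >&2
        exit 1
    fi
    echo "image : $id"
    echo "OVAL  : $(scan_oval "$id" "$oval" oval-report.html)"
    echo "XCCDF : $(scan_xccdf "$id" "$profile" results.xml report.html)"
}

# Only run the scans when invoked with arguments, so the functions above can
# also be sourced and reused on their own.
#   usage: ./scan-image.sh IMAGE PROFILE-ID OVAL-FILE
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

To find valid profile IDs for the data stream, run oscap info /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml on the host. A "findings" verdict is not a failure of the tool: open the HTML report to see which CVE definitions matched or which XCCDF rules failed, and treat "error" as a scan that must be rerun rather than as a clean result.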

See the oscap-podman(8) manual page for more information.