6 Scanning Container Images and Containers

Use oscap-podman to scan containers or container images.

oscap-podman assesses vulnerabilities in a container or image and checks its compliance with a security policy, with the same subcommands and options as the oscap command. It scans offline: the container or image file system is temporarily mounted read-only on the host and evaluated there. Nothing is written to the container or image, no container is started, and no agent or additional tooling has to be present inside the image.

  1. Obtain the ID of your container or image. Run podman ps -a to list containers (including stopped ones) or podman images to list images:

    podman ps -a
    podman images
  2. To scan an image for vulnerabilities and output the result in HTML format, run the following, where <oval-file> is the OVAL CVE stream that matches the image variant (the OS release inside the image, which need not be the host's release):

    sudo oscap-podman <id> oval eval --report reports.html <oval-file>
  3. To scan an image for compliance with a security policy specified in an XCCDF checklist and output the result in HTML format, run the following. The --fetch-remote-resources option downloads any remote OVAL content that the data stream references, so the host, not the image, needs network access for it:

    sudo oscap-podman <id> xccdf eval \
      --fetch-remote-resources \
      --profile <profile-id> \
      --results results.xml \
      --report report.html \
      /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
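The following script is an added example that ties steps 1 to 3 together; it is not part of the oscap-podman manual page or the OpenSCAP project. It assumes podman, oscap-podman and the ssg-ol8-ds.xml data stream are installed on the host and that the OVAL CVE stream for the image's OS variant has already been downloaded. The profile ID and output file names it uses are assumptions, not values from this page. The exit-status mapping follows oscap(8): 0 means the operation finished and everything passed, 1 means an error, and 2 means the operation finished but the assessed system is not compliant.

```shell
#!/bin/bash
# Added example (not from the oscap-podman manual or the OpenSCAP project):
# wraps steps 1-3 above for one image. Assumes podman, oscap-podman and
# /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml are present on the host and
# that the OVAL CVE stream for the image's OS release was downloaded beforehand.
# The profile ID and report file names are assumptions, not values from the page.

# oscap(8) exit codes, which oscap-podman passes through:
# 0 = finished, everything passed; 1 = error (bad content, unreadable image, ...);
# 2 = finished, but the assessed system is not compliant.
oscap_verdict() {
  case "$1" in
    0) echo pass ;;
    2) echo fail ;;
    *) echo error ;;
  esac
}

# Report names derived from the image ID, so scanning several images in a row
# does not overwrite one report.html (short ID = first 12 hex characters).
short_id()      { printf '%s' "$1" | cut -c1-12; }
oval_report()   { echo "oval-$(short_id "$1").html"; }
xccdf_results() { echo "xccdf-$(short_id "$1").xml"; }
xccdf_report()  { echo "xccdf-$(short_id "$1").html"; }

# Step 1: accept a name:tag or a short ID and resolve it to the full image ID.
resolve_image_id() {
  podman image inspect --format '{{.Id}}' "$1"
}

# Steps 2 and 3 for one image. Arguments: image, XCCDF profile ID, path to the
# OVAL CVE stream for the image's OS variant (not the host's).
scan_image() {
  local image=$1 profile=$2 oval=$3 id rc
  id=$(resolve_image_id "$image") || { echo "no such image: $image" >&2; return 1; }

  rc=0
  sudo oscap-podman "$id" oval eval --report "$(oval_report "$id")" "$oval" || rc=$?
  echo "CVE scan ($image): $(oscap_verdict "$rc")"
  [ "$rc" -ne 1 ] || return 1   # an error is not a result; stop here

  rc=0
  sudo oscap-podman "$id" xccdf eval \
    --fetch-remote-resources \
    --profile "$profile" \
    --results "$(xccdf_results "$id")" \
    --report "$(xccdf_report "$id")" \
    /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml || rc=$?
  echo "compliance scan ($image, $profile): $(oscap_verdict "$rc")"
  return "$rc"
}

# Usage: ./scan-image.sh <image> <profile-id> <oval-file>
# e.g.   ./scan-image.sh oraclelinux:8 xccdf_org.ssgproject.content_profile_standard ./ol8-cves.xml
if [ "$#" -eq 3 ]; then
  scan_image "$1" "$2" "$3"
fi
```

The script returns the status of the compliance scan, so a CI job can treat exit status 2 as "findings present" and 1 as "scan did not run", rather than collapsing both into a generic failure. Because oscap-podman mounts the image read-only, the script can be rerun against the same ID as often as needed without altering it.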

See the oscap-podman(8) manual page for more information.