HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan docker-image

Beta feature

This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan docker-image command is used for scanning a Docker image.

Docker version

This command only works with Docker Engine version 24.

Usage

Usage: vault-radar scan docker-image [options]

Scanning a docker image

Scan a public docker image (or a private image that is already pulled/dowloaded locally) and write the results to a file in CSV format, this is the default format for output.

Image reference may optionally include a tag. We will scan the latest tag if no tag is specified.

Docker engine is a pre-requisite for scanning docker images using vault-radar. Docker version 24.x is required.

$ vault-radar scan docker-image -i <IMAGE REFERENCE> -o <PATH TO OUTPUT>.csv

Scanning a private docker image

To scan a private docker image, specify the following environment variables to authenticate against the registry:

  1. DOCKER_REGISTRY_USERNAME
  2. DOCKER_REGISTRY_PASSWORD
$ vault-radar scan docker-image -i <IMAGE REFERENCE> -o <PATH TO OUTPUT>.csv

Example:

First, set the username and password as an environment variable.

$ export DOCKER_REGISTRY_USERNAME=<ARTIFICATORY_USERNAME>
$ export DOCKER_REGISTRY_PASSWORD=<ARTIFACTORY_TOKEN>

Scan XXX.artifactory.XXX/YYY-image image.

$ vault-radar scan docker-image -i XXX.artifactory.XXX/YYY-image \
    -o results-docker-image.csv

Scanning a docker image and output in JSON

Scan a docker image and write the results to a file in JSON Lines format. 

$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
    -o <PATH TO OUTPUT>.jsonl \
    -f json

HCP connection scanning behavior

The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

To allow for scanning to continue working without the need for HCP cloud connection you can use the new --offline flag as such.

$ vault-radar scan docker-image --offline -o <PATH TO OUTPUT>.csv

Scanning using a Vault index file

Perform a scan using a generated Vault index and write the results to an output file. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.

$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

Scan and restrict the number of secrets found

Scan a docker image and write the results to an output file and stop scanning when the defined number of secrets are found.

$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>