
Container Scanning

Container scans inspect every layer of a Docker image and report CVEs in OS packages (apt, apk, yum) and application dependencies (pip, npm, gem, go modules). Scan a local image with the CLI, or connect a registry for automatic scanning on every push.

Type                     | Examples
-------------------------|----------------------------------------------------------------------------------------------
OS packages              | apt (Debian/Ubuntu), apk (Alpine), yum/dnf (RHEL/CentOS), pacman, zypper
Application dependencies | npm node_modules, Python site-packages, Go binaries, Ruby gems, Maven JARs, Composer packages

The engine walks the image layer by layer, enumerates every package present at runtime, and matches each one against the OSV vulnerability database. Findings are tagged with the layer that introduced the package, so you can pinpoint whether an issue comes from your base image or your build.

Use the CLI’s --scan-types container mode against an image reference you can pull locally:

docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e VYGL_API_KEY=vgl_your_key \
  vygl/vygl-cli scan --scan-types container --image myorg/myapp:1.2.3

Mounting the Docker socket lets the CLI pull and inspect the image. For local-only runs, add --no-upload.

Connecting a registry is the recommended approach for production workloads. See Connecting Registries for the four supported registries (Docker Hub, AWS ECR, Google GCR, Harbor).

For each image, Vygl produces:

  • Severity counts — critical / high / medium / low across OS and app packages.
  • Layer attribution — which layer introduced each vulnerable package.
  • Base-image detection — heuristic match against known base images (success rate ~70–80%).
  • AI risk summary — prioritized remediation written by Claude. See Container AI Analysis.
  • Source correlation — links to source-code dependencies that match container CVEs. See Source ↔ Container Correlation.

Every container finding carries:

  • scan_type=CONTAINER
  • package_name, package_version, fixed_versions
  • metadata.layer — layer digest where the package lives
  • metadata.os — detected base OS (e.g. debian:12, alpine:3.19)
  • metadata.package_type — os or app

These appear in the finding detail view and in API responses (GET /findings/{id}).
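The layer attribution and package-type fields above are what let you decide who fixes what: a vulnerable package that lives in a base-image layer is remediated by bumping the base tag, while one introduced by your own build step is remediated by updating that dependency. The script below is an added example, not Vygl's own code, that triages a list of findings along exactly that split. The field names (scan_type, package_name, package_version, fixed_versions, metadata.layer, metadata.os, metadata.package_type) are taken from the finding description above; the top-level severity string, the exact JSON envelope returned by GET /findings/{id}, the set of base-image layer digests, and all package names and versions in the sample data are constructed assumptions for this example.

```python
"""Triage container findings by layer origin, package type and fix availability.

Added example, not Vygl's own code. Field names mirror the finding fields
documented above; `severity` as a top-level string and the exact API envelope
are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample findings. Package names, versions and layer digests are
# placeholders, not real vulnerability data.
SAMPLE_FINDINGS: List[Dict] = [
    {   # OS package inherited from the base image, fix available
        "id": "f-1", "scan_type": "CONTAINER", "severity": "critical",
        "package_name": "example-ssl", "package_version": "1.0.0",
        "fixed_versions": ["1.0.1"],
        "metadata": {"layer": "sha256:base0001", "os": "debian:12", "package_type": "os"},
    },
    {   # OS package in the base image, no fixed version published
        "id": "f-2", "scan_type": "CONTAINER", "severity": "medium",
        "package_name": "example-libc", "package_version": "2.36-1",
        "fixed_versions": [],
        "metadata": {"layer": "sha256:base0001", "os": "debian:12", "package_type": "os"},
    },
    {   # app dependency installed by the build (pip), fix available
        "id": "f-3", "scan_type": "CONTAINER", "severity": "high",
        "package_name": "example-http", "package_version": "2.0.0",
        "fixed_versions": ["2.1.0"],
        "metadata": {"layer": "sha256:build0002", "os": "debian:12", "package_type": "app"},
    },
    {   # app dependency from the build, no fix yet
        "id": "f-4", "scan_type": "CONTAINER", "severity": "low",
        "package_name": "example-urls", "package_version": "1.26.0",
        "fixed_versions": [],
        "metadata": {"layer": "sha256:build0002", "os": "debian:12", "package_type": "app"},
    },
    {   # a non-container finding mixed into the same list; must be ignored here
        "id": "f-5", "scan_type": "SOURCE", "severity": "high",
        "package_name": "example-util", "package_version": "4.17.20",
        "fixed_versions": ["4.17.21"],
        "metadata": {},
    },
]

# Constructed: layer digests that base-image detection attributed to the base image.
BASE_IMAGE_LAYERS: Set[str] = {"sha256:base0001"}


def container_findings(findings: Iterable[Dict]) -> List[Dict]:
    """Keep only findings the scanner tagged scan_type=CONTAINER."""
    return [f for f in findings if f.get("scan_type") == "CONTAINER"]


def severity_counts(findings: Iterable[Dict]) -> Dict[str, int]:
    """Critical/high/medium/low tally, as in the per-image severity counts."""
    return dict(Counter(f["severity"] for f in findings))


def split_by_origin(findings: Iterable[Dict], base_layers: Set[str]) -> Tuple[List[Dict], List[Dict]]:
    """Partition findings into (base-image, build-layer) using metadata.layer."""
    base: List[Dict] = []
    build: List[Dict] = []
    for f in findings:
        target = base if f.get("metadata", {}).get("layer") in base_layers else build
        target.append(f)
    return base, build


def fixable(findings: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """(package, current version, first fixed version) for findings with a fix."""
    return [(f["package_name"], f["package_version"], f["fixed_versions"][0])
            for f in findings if f.get("fixed_versions")]


def triage(findings: Iterable[Dict], base_layers: Set[str]) -> Dict:
    """Summarise findings the way a remediation owner needs them."""
    cf = container_findings(findings)
    base, build = split_by_origin(cf, base_layers)
    return {
        "total": len(cf),
        "severity": severity_counts(cf),
        "by_package_type": dict(Counter(f["metadata"]["package_type"] for f in cf)),
        # Base-image fixes mean bumping the base tag; build-layer fixes mean
        # updating the dependency in your Dockerfile or lockfile.
        "base_image": {"count": len(base), "fixable": fixable(base)},
        "build_layers": {"count": len(build), "fixable": fixable(build)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FINDINGS, BASE_IMAGE_LAYERS), indent=2))
```

Point `triage` at the findings array you retrieve from the API and at the layer digests reported by base-image detection; the "fixable" lists give you the concrete version bumps for each owner, and anything left over has no published fix and needs a mitigation decision instead.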