How to & Troubleshooting - Container Vulnerability

How to get the list of packages and libraries found in an image?

You can use the Lacework Inline Scanner to generate the list of packages and libraries detected inside a container image.

The scan command will generate a JSON file with packages and libraries described in this format:

OS Packages:

{"name":"libnettle8","version":"3.7.3-1","version_format":"dpkg","os":"debian","os_version":"11","namespace":"debian:11","type":"binary"}

This identifies the Debian package (dpkg) libnettle8-3.7.3-1 from Debian 11.

Language Libraries:

{"name":"com.propensive:magnolia_2.12","version":"0.17.0","version_format":"maven","os":"java","os_version":"","namespace":"java","type":"binary"}

This identifies the Java Maven library com.propensive:magnolia_2.12-0.17.0.
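The following Python sketch is an added example, not Lacework code: it parses records in the format shown above into an inventory grouped by namespace, and reports lines it cannot use. It assumes one record per line and that an empty os_version marks a language library (both inferred from the two samples above); parse_records and build_inventory are hypothetical names.

```python
import json
from collections import defaultdict

# Fields present in both sample records shown on this page.
REQUIRED = ("name", "version", "version_format", "os", "os_version", "namespace", "type")

# Constructed sample input: the two records from this page, one per line,
# plus one truncated line to exercise error handling. The layout of the
# real scanner output file may differ (assumption).
SAMPLE = """\
{"name":"libnettle8","version":"3.7.3-1","version_format":"dpkg","os":"debian","os_version":"11","namespace":"debian:11","type":"binary"}
{"name":"com.propensive:magnolia_2.12","version":"0.17.0","version_format":"maven","os":"java","os_version":"","namespace":"java","type":"binary"}
{"name":"truncated-record","version":"1.0"
"""

def parse_records(text):
    """Return (records, rejected); rejected holds (line_no, reason) tuples."""
    records, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        missing = [k for k in REQUIRED if not isinstance(rec, dict) or k not in rec]
        if missing:
            rejected.append((line_no, "missing fields: " + ", ".join(missing)))
            continue
        records.append(rec)
    return records, rejected

def build_inventory(records):
    """Group 'name-version' identifiers by namespace, OS packages vs. libraries."""
    inventory = {"os_packages": defaultdict(list), "language_libraries": defaultdict(list)}
    for rec in records:
        # Assumption drawn from the two samples: OS packages carry an
        # os_version, language libraries leave it empty.
        kind = "os_packages" if rec["os_version"] else "language_libraries"
        inventory[kind][rec["namespace"]].append(f'{rec["name"]}-{rec["version"]}')
    return {kind: dict(groups) for kind, groups in inventory.items()}

if __name__ == "__main__":
    records, rejected = parse_records(SAMPLE)
    print(json.dumps(build_inventory(records), indent=2))
    for line_no, reason in rejected:
        print(f"line {line_no}: {reason}")
```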

I’ve integrated an ECR/GCR/GAR/... registry. Why don’t I see any new images?

When a new registry is integrated and it supports auto-polling, we will discover up to 200 images in the new registry. It may take 15 to 30 minutes for the assessment to show up in the Container Vulnerability dashboard.

A common issue with AWS and GCP registry setup is creating the integration for the wrong region, in which case the integrated registry is actually empty. Check the registry settings under Settings > Integrations > Container Registries to make sure you added the correct registry.