I am currently searching for a decent image/container/registry scanner. I
would like to be able to check images for CVE, at the moment I am using rhel/CentOS/ubuntu/debian based images.
I tried on CentOS7:
– openscap (oscap-docker): needs atomic for installation, allows scanning of rhel based images only;
– atomic: allows scanning of rhel based images only;
– clair: usable in theory for rhel/CentOS/ubuntu/debian images but in practice I encountered problems with analyze-local-images and hyperclair
“cli” tools and API does not allow automatization;
– banyan collector/dockscan/drydock: seem to be stale or not enough mature to be considered;
– nessus: seems to be an overkill for my usecase.
I am now looking into:
– aqua (commercial);
– twistlock (commercial);
– blackduck docker scanner (commercial).
Can you share info about what you are using to scan docker images? Any proposals for my usecase?