Scanning a docker image

Last updated 28 days ago

Xygeni docker image scan

Xygeni is capable of identifying vulnerabilities in Docker images.

Note that not all scan commands support image scanning; check each scan command's documentation to see whether it can be run against an image.

For running a scan over a container image:

xygeni [command] --image my_image:latest

Docker image

Use --image to pass the image name, including the registry host, the namespace and the repository, plus either a tag or the image digest.

Container image options:
      --image=<image>        The container image, in registry/repository/image:tag format.
                             Examples: debian, alpine:latest, cgr.dev/chainguard/go,
                             gcr.io/google-containers/python@sha256:fe...4b
      --image-platform=<platform>
                             The image platform in the form os/arch, if image is multi-platform.
      --image-sources=sources
                             The image source(s) to use, comma-separated in order.
                             Defaults to docker, containerd, podman, remote.
      --image-scope=<scope>  How layers are analyzed. One of merged, mergedExceptBase, byLayer,
                             byLayerExceptBase. Default: merged.

For multi-platform images, --image-platform can be given as OS/ARCH. When it is not given, the platform where the scanner runs is used.

Docker image Sources

Specify in --image-sources the comma-separated list of sources where the image could be pulled.

The following are the supported sources:

  • tarball:<path>: when the image contents are available locally, the path should point to the directory or tar file with the image contents. The image ("tarball") is expected to be in the OCI format.

The default order is docker first, then containerd, then podman, and finally remote as the last option.

Scans are faster when the image has already been pulled locally, so prefer a local runtime source when the image to analyze is already present on the host.

Docker image Layers

As container images are made of layers, for some scans like secrets it is convenient to scan the contents of each layer separately.

The --image-scope controls which layers to consider and how the scan proceeds, either layer-by-layer or on the merged filesystem combining all layers.

--image-scope value    Mode of operation      Layers to process
merged                 combined filesystem    all
mergedExceptBase       combined filesystem    all except base image
byLayer                layer by layer         all
byLayerExceptBase      layer by layer         all except base image

Container Registry configuration

The configuration file xygeni.yml contains sections where each external system is configured.

As the scanner often runs without user interaction, for example in a CI/CD pipeline, authentication is often done via access tokens that are ephemeral and generated following an authentication workflow (SAML, OIDC and JSON web tokens are often used in CI/CD systems).

Once a valid access token is available, it is often stored in a configuration file, environment variable, or in a secret vault managed by the CI/CD system. Configuration for an external system uses a token source that fetches the token from a list of environment variables or files.

For pulling images from container registries, or storing attestations in OCI registries, the containerRegistry section configures the location and sources of access tokens for each registry. For example, for Docker Hub:

# Container (OCI) Registries
containerRegistry:
  -
    # Docker Hub
    # The hostname to match in the image name. This is the default when no hostname is provided.
    hostname: docker.io
    # Docker registry official URL
    url: 'https://registry-1.docker.io'
    # Which projects use this registry? A hostname is often given in the image name.
    # Use a regex pattern, like 'project1|project2|project3' or 'prefix_.*'
    # Leave empty for matching by hostname.
    usedBy: ''
    # The username to connect to the registry api.
    user: null
    # How the access token should be fetched:
    # From environment/system property (env:),
    # From file (use ${scanned.dir} for scanned directory, ${XYGENI_DIR} for scanner directory, ${user.home} for $HOME),
    # or encode directly (use encryption to protect the token against casual readers)
    tokenSources:
      - env:DOCKER_TOKEN
      - file:${user.home}/.docker.token
  -
    # The hostname to match in the image name.
    # For a private registry, copy this entry using <aws_account>.dkr.ecr.<region>.amazonaws.com as hostname,
    # or use wildcards like *.dkr.ecr.*.amazonaws.com
    hostname: public.ecr.aws
    # Docker registry official
    url: 'https://public.ecr.aws'
    # Which projects use this registry? A hostname is often given in the image name.
    # Use a regex pattern, like 'project1|project2|project3' or 'prefix_.*'
    # Leave empty for matching by hostname.
    usedBy: ''
    # The username to connect to the registry api. ECR uses the fixed username AWS.
    user: null
    # How the access token should be fetched:
    # From environment/system property (env:),
    # From file (use ${scanned.dir} for scanned directory, ${XYGENI_DIR} for scanner directory, ${user.home} for $HOME),
    # or encode directly (use encryption to protect the token against casual readers)
    tokenSources:
      - env:AWS_ECR_TOKEN
      - file:${user.home}/.aws_ecr.token
  -
    # Azure CR
    # The hostname for public Microsoft Container Registry.
    # For Azure CR, replace with <org-registry>.azurecr.io with your own, or use wildcard *.azurecr.io
    hostname: mcr.microsoft.com
    # public CR. Leave blank to reuse private hostname
    url: 'https://mcr.microsoft.com'
    # Which projects use this registry? A hostname is often given in the image name.
    # Use a regex pattern, like 'project1|project2|project3' or 'prefix_.*'
    # Leave empty for matching by hostname.
    usedBy: ''
    # The username to connect to the registry api.
    user: null
    # How the access token should be fetched:
    # From environment/system property (env:),
    # From file (use ${scanned.dir} for scanned directory, ${XYGENI_DIR} for scanner directory, ${user.home} for $HOME),
    # or encode directly (use encryption to protect the token against casual readers)
    tokenSources:
      - env:AZURE_CR_TOKEN
      - file:${user.home}/.azure_cr.token
  -
    # Google CR
    # Transitioning to pkg.dev. You may need to change for the hostname of your private repository
    # google-containers and distroless are popular public repositories
    hostname: gcr.io
    url: 'https://gcr.io'
    usedBy: ''
    user: null
    tokenSources:
      - env:GCR_TOKEN
      - file:${user.home}/.gcr.token
  -
    # GitHub CR
    # ghcr.io is the hostname for GitHub container registry
    hostname: ghcr.io
    url: 'https://ghcr.io'
    usedBy: ''
    user: null
    tokenSources:
      - env:GITHUB_TOKEN
      - env:GITHUB_PAT
      - file:${user.home}/.github.token
  -
    # GitLab CR
    # registry.gitlab.com is the hostname for GitLab CR
    hostname: registry.gitlab.com
    url: ''
    usedBy: ''
    user: null
    tokenSources:
      # Perhaps a restricted token with read_registry permissions could be used here
      - env:GITLAB_TOKEN
      - env:GITLAB_PAT
      - file:${user.home}/.gitlab.token
  -
    # JFrog Artifactory. You may similarly configure Sonatype Nexus, etc.
    # The hostname for registries for on-cloud Artifactory, to match your own
    # You may write your own if needed, like docker.artifactory.your_domain, etc.
    hostname: '*.jfrog.io'
    url: ''
    usedBy: ''
    user: null
    tokenSources:
      # Perhaps a restricted token with read_registry permissions could be used here
      - env:JFROG_TOKEN
      - file:${user.home}/.jfrog.token

The image name follows the [HOST[:PORT_NUMBER]/][NAMESPACE/]REPOSITORY[:TAG|@DIGEST] convention; see the Docker image naming convention for more details.

The remaining image sources accepted by --image-sources are:

  • docker: the local docker engine will be used when available.

  • containerd: the containerd daemon, via nerdctl, will be used when available.

  • podman: the podman CLI will be used when available.

  • remote: pull the image directly from a remote OCI registry, using the OCI distribution API.

The remote source needs credentials for the remote registries; see the container registry configuration section above for details. For the other image sources, an authenticated session in the underlying runtime is required: for example, via docker login for docker engine, nerdctl login for containerd, or podman login for podman.
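To make the image-name convention and the registry matching rules concrete, the following is an added Python example (not Xygeni's own code) that reimplements the behaviour documented above: split a reference into host, repository, tag and digest, pick the containerRegistry entry whose hostname pattern matches (wildcards allowed, docker.io when no host is given), and walk tokenSources in order. The REGISTRIES list is a constructed subset of the xygeni.yml shown above.

```python
import os
from fnmatch import fnmatch
# Constructed subset of the containerRegistry entries shown above (not Xygeni's code).
REGISTRIES = [
    {"hostname": "docker.io", "tokenSources": ["env:DOCKER_TOKEN", "file:~/.docker.token"]},
    {"hostname": "*.dkr.ecr.*.amazonaws.com", "tokenSources": ["env:AWS_ECR_TOKEN"]},
    {"hostname": "ghcr.io", "tokenSources": ["env:GITHUB_TOKEN", "env:GITHUB_PAT", "file:~/.github.token"]},
]

def parse_image_ref(ref):
    """Split [HOST[:PORT]/][NAMESPACE/]REPOSITORY[:TAG|@DIGEST] into (host, repo, tag, digest).
    Docker rule: the first component is a host only if it has '.' or ':' or is 'localhost';
    otherwise the image is on docker.io (official images live under library/)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, repo = first, rest
    else:
        host, repo = "docker.io", ref
    tag = None
    if ":" in repo.rsplit("/", 1)[-1]:  # a ':' after the last '/' is a tag, not a port
        repo, tag = repo.rsplit(":", 1)
    if host == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    if tag is None and digest is None:
        tag = "latest"
    return host, repo, tag, digest

def find_registry(host, registries=REGISTRIES):
    """First containerRegistry entry whose hostname pattern (wildcards allowed) matches the host."""
    return next((r for r in registries if fnmatch(host, r["hostname"])), None)

def resolve_token(registry, env=os.environ, read_file=None):
    """Walk tokenSources in order (env:NAME, then file:PATH) and return the first non-empty token."""
    read_file = read_file or (lambda p: open(os.path.expanduser(p)).read().strip())
    for source in registry["tokenSources"]:
        kind, _, target = source.partition(":")
        if kind == "env" and env.get(target):
            return env[target]
        if kind == "file":
            try:
                token = read_file(target)
            except OSError:
                continue  # missing or unreadable file: fall through to the next source
            if token:
                return token
    return None
```

With these helpers, `resolve_token(find_registry(parse_image_ref(ref)[0]))` yields the token the scanner would use for a given image reference, or None when no source provides one.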