Over the last few years, containers have become popular for software distribution and deployment, representing the innovation that software deployment desperately needed in a space where runtime environments are so fragmented. However, like any other disruption, this comes with its own challenges regarding software provenance – who added what to a container at what stage. If you are distributing or deploying a container, it’s critical to understand the complete composition, ensure you are compliant with component licensing, and you are on top of the inherent vulnerabilities that come with it.

What are containers?

Before we go deep into why container scanning is important, let’s set a clear definition on what containers are. A container is a bundle of software files that constitute your application binaries, dependencies and system libraries. The portable nature of containers helps with the abstraction of the environment where they are running. This is one of the most important reasons containers are so popular and successful.

Why container scanning?

A container can be  comprised of multiple components organized by layers. You start from a base image, such as Dockerhub pulling from the vendor. Through your application lifecycle, you end up creating several layers and adding several software components. It would have been very trivial if we had an SBOM from Docker itself when you pulled the image. But that’s only just scratching the surface, or in this case a single layer. A scanning solution is needed to build a comprehensive SBOM that doesn’t just list the components from the base image, but also gives you insights into what your team has added.

How Code Insight can help?

Code Insight’s Docker plugin is now completely revamped to give you a comprehensive SBOM for Docker containers with not just file-based evidence and components, but with the ability to report packages that are installed in the container. Code Insight is now bundled with an open-source utility called Syft which, when combined with Code Insight’s detection techniques, makes a powerful container scanning solution for all your supply chain security needs.