Image Scanning Using the roxctl CLI

You can scan images stored in image registries, including cluster local registries such as the Alauda Container Platform integrated image registry, by using the roxctl CLI.

INFO

Image scanning requires appropriate permissions and network access to the registry and Central.

Scanning an Image in a Remote Cluster

Run the following command to scan the specified image:

roxctl image scan \
  --image=<image_registry>/<image_name> 
  • For <image_registry>, specify the registry where the image is located, e.g., image-registry.alauda-image-registry.svc:5000/.

Example Output

{
  "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9",
  "name": {
    "registry": "image-registry.alauda-image-registry.svc:5000",
    "remote": "default/image-stream",
    "tag": "latest",
    "fullName": "image-registry.alauda-image-registry.svc:5000/default/image-stream:latest"
  }
  // ...
}
  • Id: A unique identifier for the image, serving as a fingerprint for integrity and authenticity.
  • name.registry: The image registry location.
  • name.remote: The remote path to the image.
  • name.tag: The version or tag of the image.
  • name.fullName: The complete name of the image (registry, path, tag).

roxctl image scan Command Options

Option Descriptions

Option                             Description
--cluster string                   Delegate image scanning to a specific cluster.
--compact-output                   Print the JSON output in a compact format. Default: false.
-f, --force                        Ignore Central's cache for the scan and force a fresh re-pull from Scanner. Default: false.
--headers strings                  Print the headers in a tabular format. Default: COMPONENT, VERSION, CVE, SEVERITY, LINK.
--headers-as-comments              Print the headers as comments in a CSV tabular output. Default: false.
-h, --help                         View the help text for the roxctl image scan command.
-i, --image string                 Specify the image name and reference you want to scan.
-a, --include-snoozed              Return both snoozed and unsnoozed CVEs. Default: false.
--merge-output                     Merge duplicate cells in a tabular output. Default: true.
--no-header                        Do not print headers for tabular format. Default: false.
-o, --output string                Specify the output format: table, CSV, JSON, or SARIF.
-r, --retries int                  Set the number of retries before aborting with an error. Default: 3.
-d, --retry-delay int              Set the time in seconds to wait between retries. Default: 3.
--row-jsonpath-expressions string  Use JSON path expressions to create rows from the JSON object. See roxctl image scan --help for details.
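
The CSV output format and the default --headers columns listed above lend themselves to a build gate that fails when a scan reports findings at or above a chosen severity. The following is an added example, not part of the product documentation. The severity labels, the "#" prefix on a commented header line, and the function names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Column order the option table gives as the --headers default.
DEFAULT_HEADERS = ["COMPONENT", "VERSION", "CVE", "SEVERITY", "LINK"]
# Assumed severity labels, lowest to highest; adjust to your scan output.
SEVERITY_ORDER = ["LOW", "MODERATE", "IMPORTANT", "CRITICAL"]

# Constructed sample (placeholder CVE ids), shaped like --headers-as-comments output.
SAMPLE_CSV = """\
# COMPONENT,VERSION,CVE,SEVERITY,LINK
openssl,1.1.1k,CVE-0000-0001,CRITICAL,https://example.invalid/CVE-0000-0001
zlib,1.2.11,CVE-0000-0002,LOW,https://example.invalid/CVE-0000-0002
busybox,1.33.0,CVE-0000-0003,MODERATE,https://example.invalid/CVE-0000-0003
"""


def parse_scan_csv(text):
    """Parse CSV scan output with a header row, a '#' header, or no header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    first = next(csv.reader([lines[0].lstrip("# \t")]))
    names = [c.strip().upper() for c in first]
    if "CVE" in names and "SEVERITY" in names:
        headers, body = names, lines[1:]
    else:  # --no-header: fall back to the default column order
        headers, body = DEFAULT_HEADERS, lines
    reader = csv.DictReader(io.StringIO("\n".join(body)), fieldnames=headers)
    return [{k: (v or "").strip() for k, v in row.items() if k} for row in reader]


def gate(rows, fail_at="IMPORTANT"):
    """Return (passed, counts_by_severity, blocking_findings)."""
    threshold = SEVERITY_ORDER.index(fail_at)
    counts = Counter(r.get("SEVERITY", "").upper() for r in rows)
    blocking = set()
    for r in rows:
        sev = r.get("SEVERITY", "").upper()
        # Fail closed: an unrecognised severity label blocks the build.
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) >= threshold:
            blocking.add((r.get("CVE", ""), r.get("COMPONENT", ""), sev))
    return not blocking, dict(counts), sorted(blocking)


if __name__ == "__main__":
    passed, counts, blocking = gate(parse_scan_csv(SAMPLE_CSV))
    print(counts, blocking)
    raise SystemExit(0 if passed else 1)
```

Run against the constructed sample, the script exits non-zero because of the CRITICAL row; lowering fail_at to "LOW" blocks on every finding.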