How It Works

ZeroPath Container Scanning analyzes the container images you actually ship. Instead of inspecting only the source a repository builds from, it examines a built image — pulled by its registry reference or uploaded as a local archive — looking at the operating system and everything bundled on top of it for known vulnerabilities. Public images, private registries (with credentials), and air-gapped images shared as a docker save archive are all supported. Findings are surfaced under the existing Supply Chain section, alongside dependency analysis, so image-level and source-level risk live in one place.

Image-Level Scanning

Scans a built image — pulled by registry reference, including private registries with credentials, or uploaded as a local archive — and analyzes OS packages and bundled dependencies baked into it, not just the source it was built from.

Per-Layer Attribution

Ties every vulnerability to the image layer that introduced it, so you can tell inherited base-image issues from ones your build added.

Continuous Monitoring

Re-scans monitored images on a schedule so newly disclosed CVEs surface without a manual re-run.

End-to-end Flow

1. Image Submitted

You point ZeroPath at a built image. ZeroPath either resolves a registry reference and pulls the image — authenticating with the registry credentials you provide for private registries — or reads a local image archive you upload for air-gapped images that cannot be pulled.

2. Layer Extraction

The image is unpacked layer by layer. ZeroPath records which layer contributes each file so findings can later be attributed to the layer that introduced them.

3. Package Inventory

ZeroPath inventories the operating-system packages and the application dependencies bundled into the image, building a complete picture of everything that ships inside it — including packages that never appear in your source manifests.

4. Vulnerability Matching

Inventoried packages are matched against vulnerability intelligence to identify known issues in OS packages and bundled dependencies.

5. Per-Layer Findings & Severity

Each finding is attributed to the layer that introduced it and is severity-rated (Critical / High / Medium / Low), so you can immediately see whether an issue came from your base image or your own build steps.

6. Base-Image Upgrade Guidance

ZeroPath detects the image’s base and, when a newer stable base of the same distribution exists, scans that candidate and recommends it — reporting how many of the current findings the upgrade would remove, so you can fix the most vulnerabilities with the fewest changes.

7. Results Delivered

Findings are surfaced under the Supply Chain section in your dashboard, API, and integrations. Monitored images are re-evaluated on their schedule as new vulnerabilities are disclosed.
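The flow above (unpack layer by layer, record which layer introduced each file, inventory packages, match against advisories, attribute each finding to its layer, and estimate what a base upgrade would remove) can be illustrated on a small scale. The following is an added example, not ZeroPath's code and not a description of its internals: it builds a constructed in-memory archive in the docker save layout (manifest.json plus one tar per layer), reads a Debian package database (var/lib/dpkg/status) from each layer, and matches the final inventory against a constructed advisory table. Every package name, version, layer name and advisory id is a placeholder invented for the example, and the upgrade estimate assumes the build's own package changes re-apply unchanged on the candidate base.

```python
"""Per-layer package attribution over a docker-save style archive (added example;
all packages, versions, layer names and advisory ids are constructed placeholders)."""
import io
import json
import tarfile


def _tar_bytes(files):
    """Build an in-memory tar from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _status(entries):
    """Render {pkg: version} as a minimal dpkg status file."""
    return "".join(f"Package: {p}\nVersion: {v}\nStatus: install ok installed\n\n"
                   for p, v in entries.items())


# Constructed two-layer image: the app layer upgrades libexample, keeps the
# base's openssl-placeholder unchanged and installs curl-placeholder.
BASE_PKGS = {"libexample": "1.0-1", "openssl-placeholder": "2.0-1"}
APP_PKGS = {"libexample": "1.2-1", "openssl-placeholder": "2.0-1", "curl-placeholder": "7.0-1"}
# Constructed candidate base, standing in for a newer stable base of the same distribution.
CANDIDATE_BASE = {"libexample": "1.2-1", "openssl-placeholder": "2.1-1"}
# Constructed advisory table: (package, vulnerable version) -> placeholder advisory id.
VULN_DB = {("libexample", "1.0-1"): "ADV-0001",
           ("openssl-placeholder", "2.0-1"): "ADV-0002",
           ("curl-placeholder", "7.0-1"): "ADV-0003"}


def build_sample_image():
    """Return bytes of a constructed docker-save style archive (not a real image)."""
    layers = {
        "base/layer.tar": _tar_bytes({"var/lib/dpkg/status": _status(BASE_PKGS).encode()}),
        "app/layer.tar": _tar_bytes({"var/lib/dpkg/status": _status(APP_PKGS).encode(),
                                     "app/vendor/left-pad.txt": b"vendored"}),
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/app:1.0"], "Layers": list(layers)}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(), "cfg.json": b"{}", **layers})


def parse_dpkg_status(text):
    """Parse dpkg status paragraphs into {pkg: version}."""
    pkgs, name, version = {}, None, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last paragraph
        if line.startswith("Package: "):
            name = line[9:].strip()
        elif line.startswith("Version: "):
            version = line[9:].strip()
        elif line == "" and name:
            pkgs[name], name, version = version, None, None
    return pkgs


def inventory_by_layer(archive_bytes):
    """Unpack layers in manifest order; return [(layer, {pkg: ver})] and {file: first layer}."""
    layer_pkgs, first_seen = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))[0]
        for layer_name in manifest["Layers"]:
            pkgs = {}
            with tarfile.open(fileobj=io.BytesIO(outer.extractfile(layer_name).read())) as layer:
                for member in layer.getmembers():
                    first_seen.setdefault(member.name, layer_name)  # attribution record
                    if member.name == "var/lib/dpkg/status":
                        pkgs = parse_dpkg_status(layer.extractfile(member).read().decode())
            layer_pkgs.append((layer_name, pkgs))
    return layer_pkgs, first_seen


def attribute_findings(layer_pkgs):
    """Match the final inventory; attribute each finding to the layer that introduced that exact version."""
    introduced, final = {}, {}
    for layer_name, pkgs in layer_pkgs:
        for pkg, ver in pkgs.items():
            introduced.setdefault((pkg, ver), layer_name)
            final[pkg] = ver  # later layers override earlier ones
    return [{"package": p, "version": v, "advisory": VULN_DB[(p, v)], "layer": introduced[(p, v)]}
            for p, v in final.items() if (p, v) in VULN_DB]


def upgrade_guidance(layer_pkgs, candidate_base):
    """Estimate findings removed by swapping the base layer (assumes build-added changes re-apply)."""
    base_name, base_pkgs = layer_pkgs[0]
    build_layers = [(name, {p: v for p, v in pkgs.items() if base_pkgs.get(p) != v})
                    for name, pkgs in layer_pkgs[1:]]
    before = attribute_findings(layer_pkgs)
    after = attribute_findings([(base_name + " (candidate)", candidate_base)] + build_layers)
    return len(before) - len(after)


if __name__ == "__main__":
    lp, seen = inventory_by_layer(build_sample_image())
    for f in attribute_findings(lp):
        print(f"{f['advisory']}: {f['package']} {f['version']} introduced by {f['layer']}")
    print("findings removed by candidate base:", upgrade_guidance(lp, CANDIDATE_BASE))
```

Running it reports two findings: openssl-placeholder attributed to the base layer (inherited) and curl-placeholder attributed to the app layer (added by the build); the libexample advisory does not appear because the app layer upgraded it past the vulnerable version. The candidate base removes one of the two findings, which is the kind of count a base-image upgrade recommendation is built from.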

Running Scans

Run a single scan of a built image to get an immediate snapshot of its vulnerabilities. This is the right choice for ad-hoc checks, CI/CD gates on a freshly built image, or evaluating an image before you promote it.
zeropath container test <image>
The scan pulls the referenced image, inventories its OS packages and bundled dependencies, and returns per-layer findings with base-image upgrade guidance.

Key Capabilities

OS Package Coverage

Detects known vulnerabilities in the system packages installed in your base image and build steps.

Bundled Dependency Detection

Finds vulnerable application dependencies copied or installed into the image during the build — including packages that never appear in your source manifests.

Per-Layer Attribution

Every vulnerability is tied to the layer that introduced it, distinguishing inherited base-image issues from ones your build added.

Base-Image Upgrade Recommendations

Detects the image’s base and, when a newer stable base of the same distribution exists, scans that candidate and reports how many findings the upgrade would remove — so a single change can clear many issues at once.

Private Registry Support

Scans images in private registries using the registry credentials you provide. Credentials are sent over TLS and stored encrypted.

Local Archive Upload

Scans air-gapped images that cannot be pulled by uploading a docker save archive directly, with no registry access required.

Scheduled Monitoring

Re-scans monitored images on a recurring schedule so newly disclosed CVEs surface automatically.

Unified Supply Chain View

Image-level findings appear under the same Supply Chain section as dependency analysis, giving you the complete picture of what ships in production.

Adoption Checklist

1. Identify the Images You Ship

List the built images that run in production — these are the artifacts Container Scanning analyzes by registry reference.

2. Run a One-Shot Scan

Use zeropath container test <image> to get an immediate snapshot of an image’s vulnerabilities.

3. Review Per-Layer Findings

Inspect findings under the Supply Chain section, using layer attribution to separate inherited base-image issues from ones your build introduced.

4. Apply Base-Image Upgrade Recommendations

When ZeroPath recommends a newer base, review how many findings the upgrade would remove and adopt it to clear the largest share of findings with a single change.

5. Enable Monitoring

Register production images with zeropath container monitor <image> so newly disclosed CVEs surface automatically on a schedule.