Skip to main content

How It Works

ZeroPath Container Scanning analyzes the container images you actually ship. Instead of inspecting only the source a repository builds from, it examines a built image — pulled by its registry reference or uploaded as a local archive — looking at the operating system and everything bundled on top of it for known vulnerabilities. Public images, private registries (with credentials), and air-gapped images shared as a docker save archive are all supported. Findings are surfaced under the existing Supply Chain section, alongside dependency analysis, so image-level and source-level risk live in one place.

Image-Level Scanning

Scans a built image — pulled by registry reference, including private registries with credentials, or uploaded as a local archive — and analyzes OS packages and bundled dependencies baked into it, not just the source it was built from.

Per-Layer Attribution

Ties every vulnerability to the image layer that introduced it, so you can tell inherited base-image issues from ones your build added.

Continuous Monitoring

Re-scans monitored images on a schedule so newly disclosed CVEs surface without a manual re-run.

End-to-end Flow

1

Image Submitted

You point ZeroPath at a built image. ZeroPath either resolves a registry reference and pulls the image — authenticating with the registry credentials you provide for private registries — or reads a local image archive you upload for air-gapped images that cannot be pulled.
2

Layer Extraction

The image is unpacked layer by layer. ZeroPath records which layer contributes each file so findings can later be attributed to the layer that introduced them.
3

Package Inventory

ZeroPath inventories the operating-system packages and the application dependencies bundled into the image, building a complete picture of everything that ships inside it — including packages that never appear in your source manifests.
4

Vulnerability Matching

Inventoried packages are matched against vulnerability intelligence to identify known issues in OS packages and bundled dependencies.
5

Per-Layer Findings & Severity

Each finding is attributed to the layer that introduced it and is severity-rated (Critical / High / Medium / Low), so you can immediately see whether an issue came from your base image or your own build steps.
6

Base-Image Upgrade Guidance

ZeroPath detects the image’s base and, when a newer stable base of the same distribution exists, scans that candidate and recommends it — reporting how many of the current findings the upgrade would remove, so you can fix the most vulnerabilities with the fewest changes.
7

Results Delivered

Findings are surfaced under the Supply Chain section in your dashboard, API, and integrations. Container scan findings also appear in the main Issues list alongside SAST and SCA results, giving you a unified view of all security findings across your organization. Monitored images are re-evaluated on their schedule as new vulnerabilities are disclosed.

Container Images Dashboard

The Containers section is organized into two pages: a Dashboard overview and an Images list.

Dashboard

The Dashboard provides an at-a-glance overview of all tracked container images across your organization, including:
  • Image counts — total tracked images, how many are monitored on a schedule, how many are currently scanning, and how many have a failed latest scan.
  • Findings by severity — a breakdown of total findings across every image’s latest scan, bucketed by Critical, High, Medium, Low, and Informational.
  • Base-image upgrade opportunities — images where a newer base of the same distribution would remove findings, ranked by the number of findings the upgrade resolves.
  • Most-vulnerable images — a ranked list of the images with the highest finding counts.

Images List

The Images page lists all tracked container images with search, filtering, and pagination. Images are grouped by repository so you can see at a glance which images belong to which project; standalone images (not linked to a repository) collect under their own group. You can submit new images for scanning directly from this page using the Scan image button, which opens a dialog with two modes:
  • Registry image — enter an image reference (e.g. ghcr.io/acme/api:1.4), optionally provide private registry credentials, and optionally set a monitoring schedule (cron expression, UTC).
  • Upload archive — upload a docker save tarball (.tar) for images that cannot be pulled from a registry. A progress bar tracks the upload.
In both modes you can optionally attach the image to one of your repositories. On success, the dialog navigates to the new image’s detail page.

Image Detail

Clicking an image opens a detail page with three tabs:
  • Overview — severity histogram (Critical / High / Medium / Low), fixable and resolved counts, base-image upgrade recommendation (when available), image metadata (digest, size, build date, findings count, detected base image), and a layer breakdown showing which layers are base-image layers and which are application layers.
  • Vulnerabilities — a searchable, filterable list of every CVE found in the image’s latest scan. You can search by CVE ID or package name, and filter by severity (Critical, High), fixable status, or open status. Clicking a CVE opens the full issue detail with the same triage workflow used across the rest of ZeroPath (status changes, patching, Jira export, etc.). Deep links to individual findings are shareable via the URL.
  • Settings — configure a monitoring schedule (cron expression, UTC) for registry images, and link or relink the image to a repository in your organization.
From the detail page you can also:
  • Re-scan now — pull and re-scan a registry image immediately. (Uploaded archives cannot be re-scanned because the original tarball is not retained.)
  • Delete — permanently remove the tracked image and all of its scan history.
When a scan fails, a failure banner is displayed with guidance to retry. When an image is queued but not yet scanned, the page shows a placeholder until results are available.

Managing Container Images

From the dashboard or the API, you can:
  • List images with search and cursor-based pagination, optionally filtered by repository.
  • View image details including the latest scan summary, queue status, and monitoring schedule.
  • Enable monitoring with a cron schedule so the image is re-scanned on a recurring basis.
  • Disable monitoring to return to scan-on-submit only.
  • Link to a repository to reassign an image from one repository to another (both must be in your organization and accessible to you).
  • Delete an image to stop tracking it entirely and remove all of its scan history.

Running Scans

Run a single scan of a built image to get an immediate snapshot of its vulnerabilities. This is the right choice for ad-hoc checks, CI/CD gates on a freshly built image, or evaluating an image before you promote it.
The scan pulls the referenced image, inventories its OS packages and bundled dependencies, and returns per-layer findings with base-image upgrade guidance.

Key Capabilities

OS Package Coverage

Detects known vulnerabilities in the system packages installed in your base image and build steps.

Bundled Dependency Detection

Finds vulnerable application dependencies copied or installed into the image during the build — including packages that never appear in your source manifests.

Per-Layer Attribution

Every vulnerability is tied to the layer that introduced it, distinguishing inherited base-image issues from ones your build added.

Base-Image Upgrade Recommendations

Detects the image’s base and, when a newer stable base of the same distribution exists, scans that candidate and reports how many findings the upgrade would remove — so a single change can clear many issues at once.

Private Registry Support

Scans images in private registries using the registry credentials you provide. Credentials are sent over TLS and stored encrypted.

Local Archive Upload

Scans air-gapped images that cannot be pulled by uploading a docker save archive directly, with no registry access required.

Scheduled Monitoring

Re-scans monitored images on a recurring schedule so newly disclosed CVEs surface automatically.

Unified Supply Chain View

Image-level findings appear under the same Supply Chain section as dependency analysis, giving you the complete picture of what ships in production.

Archive Upload via API

Upload a container image tarball through the API in chunks for air-gapped environments where registry access is not available. The chunked upload flow handles large archives reliably.

Adoption Checklist

1

Identify the Images You Ship

List the built images that run in production — these are the artifacts Container Scanning analyzes by registry reference.
2

Run a One-Shot Scan

Use zeropath container test <image> to get an immediate snapshot of an image’s vulnerabilities.
3

Review Per-Layer Findings

Inspect findings under the Supply Chain section, using layer attribution to separate inherited base-image issues from ones your build introduced.
4

Apply Base-Image Upgrade Recommendations

When ZeroPath recommends a newer base, review how many findings the upgrade would remove and adopt it to clear the largest share of findings with a single change.
5

Enable Monitoring

Register production images with zeropath container monitor <image> so newly disclosed CVEs surface automatically on a schedule.