# Container Scanning

> Scan built container images for OS-package and bundled-dependency vulnerabilities, with per-layer findings and base-image upgrade guidance.

## How It Works

ZeroPath Container Scanning analyzes the container images you actually ship. Instead of inspecting only
the source a repository builds from, it examines a built image — pulled by its registry reference or
uploaded as a local archive — looking at the operating system and everything bundled on top of it for
known vulnerabilities. Public images, private registries (with credentials), and air-gapped images
shared as a `docker save` archive are all supported. Findings are surfaced under the existing
**Supply Chain** section, alongside dependency analysis, so image-level and source-level risk live in
one place.

<Columns cols={3}>
  <Card title="Image-Level Scanning" icon="box">
    Scans a built image — pulled by registry reference, including private registries with credentials,
    or uploaded as a local archive — and analyzes OS packages and bundled dependencies baked into it,
    not just the source it was built from.
  </Card>

  <Card title="Per-Layer Attribution" icon="layer-group">
    Ties every vulnerability to the image layer that introduced it, so you can tell inherited base-image
    issues from ones your build added.
  </Card>

  <Card title="Continuous Monitoring" icon="rotate">
    Re-scans monitored images on a schedule so newly disclosed CVEs surface without a manual re-run.
  </Card>
</Columns>

## End-to-end Flow

<Steps>
  <Step title="Image Submitted">
    You point ZeroPath at a built image. ZeroPath either resolves a registry reference and pulls the
    image — authenticating with the registry credentials you provide for private registries — or reads
    a local image archive you upload for air-gapped images that cannot be pulled.
  </Step>

  <Step title="Layer Extraction">
    The image is unpacked layer by layer. ZeroPath records which layer contributes each file so findings
    can later be attributed to the layer that introduced them.
  </Step>

  <Step title="Package Inventory">
    ZeroPath inventories the operating-system packages and the application dependencies bundled into the
    image, building a complete picture of everything that ships inside it — including packages that never
    appear in your source manifests.
  </Step>

  <Step title="Vulnerability Matching">
    Inventoried packages are matched against vulnerability intelligence to identify known issues in OS
    packages and bundled dependencies.
  </Step>

  <Step title="Per-Layer Findings & Severity">
    Each finding is attributed to the layer that introduced it and is severity-rated (Critical / High /
    Medium / Low), so you can immediately see whether an issue came from your base image or your own
    build steps.
  </Step>

  <Step title="Base-Image Upgrade Guidance">
    ZeroPath detects the image's base and, when a newer stable base of the same distribution exists,
    scans that candidate and recommends it — reporting how many of the current findings the upgrade
    would remove, so you can fix the most vulnerabilities with the fewest changes.
  </Step>

  <Step title="Results Delivered">
    Findings are surfaced under the Supply Chain section in your dashboard, API, and integrations.
    Monitored images are re-evaluated on their schedule as new vulnerabilities are disclosed.
  </Step>
</Steps>
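To make the Layer Extraction and Per-Layer Findings steps concrete, here is an added Python illustration (not ZeroPath's own code) that builds a constructed two-layer image in `docker save` layout in memory, replays its layers in manifest order, and maps every file that survives in the final filesystem to the index of the layer that introduced it, with layer 0 standing in for the base image. It honours `.wh.<name>` whiteout markers so a base-image file deleted by a later build step is neither inventoried nor attributed; the archive layout, paths and file contents are all constructed for the example.

```python
import io
import json
import tarfile

def _add(tar, name, data):
    """Add an in-memory file to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def _tar_bytes(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            _add(tar, path, data)
    return buf.getvalue()

def build_sample_archive():
    """Constructed two-layer image in `docker save` layout (manifest.json plus one
    layer.tar per layer): layer 0 plays the base image, layer 1 your build step."""
    layers = [
        {"var/lib/dpkg/status": b"Package: libssl\nVersion: 1.0\n",
         "usr/bin/legacy-tool": b"#!/bin/sh\n"},
        {"app/node_modules/lodash/package.json": b'{"name": "lodash", "version": "4.17.0"}',
         "usr/bin/.wh.legacy-tool": b""},  # whiteout marker: hides usr/bin/legacy-tool
    ]
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as tar:
        names = [f"layer{i}/layer.tar" for i in range(len(layers))]
        for name, files in zip(names, layers):
            _add(tar, name, _tar_bytes(files))
        manifest = [{"Config": "config.json", "RepoTags": ["demo:1.0"], "Layers": names}]
        _add(tar, "manifest.json", json.dumps(manifest).encode())
    return outer.getvalue()

def attribute_files(archive_bytes):
    """Map each file surviving in the final filesystem to the layer index that introduced it."""
    owner = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            with tarfile.open(fileobj=outer.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    parent, _, base = member.name.rpartition("/")
                    if base.startswith(".wh."):  # whiteout: drop an earlier layer's file
                        owner.pop(f"{parent}/{base[4:]}" if parent else base[4:], None)
                    elif member.isfile():
                        owner[member.name] = idx
    return owner
```

A vulnerability found in `var/lib/dpkg/status` would thus be reported as inherited from the base (layer 0), while one in the bundled `lodash` package would be attributed to your own build step (layer 1).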

## Running Scans

<Tabs>
  <Tab title="One-Shot Scan">
    Run a single scan of a built image to get an immediate snapshot of its vulnerabilities. This is the
    right choice for ad-hoc checks, CI/CD gates on a freshly built image, or evaluating an image before
    you promote it.

    ```bash
    zeropath container test <image>
    ```

    The scan pulls the referenced image, inventories its OS packages and bundled dependencies, and
    returns per-layer findings with base-image upgrade guidance.
  </Tab>

  <Tab title="Private Registry">
    To scan an image hosted in a private registry, pass registry credentials; ZeroPath uses them to
    authenticate when it pulls the image. Credentials are transmitted over TLS and stored encrypted.

    ```bash
    zeropath container test <image> \
      --registry-username <username> \
      --registry-token <token>
    ```

    Use a registry access token or robot/service-account token rather than a personal password where
    your registry supports it.
  </Tab>

  <Tab title="Local Archive (Air-Gapped)">
    For images that cannot be pulled — air-gapped environments, or images that never leave a build host —
    export the image to a tarball with `docker save` and upload that archive directly. No registry access
    is required.

    ```bash
    # Export the built image to a tarball
    docker save -o image.tar <image>

    # Scan the uploaded archive, giving it a label to identify it in results
    zeropath container test --file image.tar --name <label>
    ```

    ZeroPath reads the uploaded archive, inventories its OS packages and bundled dependencies, and
    returns the same per-layer findings and base-image upgrade guidance as a pulled image.

    <Note>
      Uploaded archives are scanned once and cannot be monitored on a schedule — there is no registry
      reference to re-pull. Use a registry image (`zeropath container monitor <image>`) for recurring
      re-scans.
    </Note>
  </Tab>

  <Tab title="Monitored Scan">
    Register an image for recurring re-scans so it is continuously checked against the latest
    vulnerability intelligence. An image that is clean today can become vulnerable the moment a new CVE is
    disclosed — monitoring surfaces those issues without a manual re-run.

    ```bash
    # Monitor an image on the default schedule
    zeropath container monitor <image>

    # Monitor an image on a custom schedule (crontab expression)
    zeropath container monitor <image> --schedule "0 6 * * *"
    ```

    Monitored images keep their base-image upgrade guidance current, so you always know the single change
    that resolves the most findings in your running images.
  </Tab>
</Tabs>

## Key Capabilities

<Columns cols={2}>
  <Card title="OS Package Coverage" icon="box">
    Detects known vulnerabilities in the system packages installed in your base image and build steps.
  </Card>

  <Card title="Bundled Dependency Detection" icon="cubes">
    Finds vulnerable application dependencies copied or installed into the image during the build —
    including packages that never appear in your source manifests.
  </Card>

  <Card title="Per-Layer Attribution" icon="layer-group">
    Every vulnerability is tied to the layer that introduced it, distinguishing inherited base-image
    issues from ones your build added.
  </Card>

  <Card title="Base-Image Upgrade Recommendations" icon="arrow-up-right-dots">
    Detects the image's base and, when a newer stable base of the same distribution exists, scans that
    candidate and reports how many findings the upgrade would remove — so a single change can clear many
    issues at once.
  </Card>

  <Card title="Private Registry Support" icon="lock">
    Scans images in private registries using the registry credentials you provide. Credentials are sent
    over TLS and stored encrypted.
  </Card>

  <Card title="Local Archive Upload" icon="file-zipper">
    Scans air-gapped images that cannot be pulled by uploading a `docker save` archive directly, with no
    registry access required.
  </Card>

  <Card title="Scheduled Monitoring" icon="rotate">
    Re-scans monitored images on a recurring schedule so newly disclosed CVEs surface automatically.
  </Card>

  <Card title="Unified Supply Chain View" icon="sitemap">
    Image-level findings appear under the same Supply Chain section as dependency analysis, giving you the
    complete picture of what ships in production.
  </Card>
</Columns>

## Adoption Checklist

<Steps>
  <Step title="Identify the Images You Ship">
    List the built images that run in production — these are the artifacts Container Scanning analyzes by
    registry reference.
  </Step>

  <Step title="Run a One-Shot Scan">
    Use `zeropath container test <image>` to get an immediate snapshot of an image's vulnerabilities.
  </Step>

  <Step title="Review Per-Layer Findings">
    Inspect findings under the Supply Chain section, using layer attribution to separate inherited
    base-image issues from ones your build introduced.
  </Step>

  <Step title="Apply Base-Image Upgrade Recommendations">
    When ZeroPath recommends a newer base, review how many findings the upgrade would remove and adopt it
    to clear the largest share of findings with a single change.
  </Step>

  <Step title="Enable Monitoring">
    Register production images with `zeropath container monitor <image>` so newly disclosed CVEs surface
    automatically on a schedule.
  </Step>
</Steps>
