Container Scanning
Scan the container images you actually ship for OS-package and bundled-dependency vulnerabilities. Get per-layer findings, the one base-image upgrade that clears the most CVEs, and scheduled re-scans, all tracked alongside your SAST and SCA results.
Analyze the built image you deploy, not just the source it came from, whether it is supplied by registry reference, pulled from a private registry, or uploaded as an archive.
Every vulnerability is tied to the image layer that introduced it, so you know whether it came from your base image or your own build steps.
ZeroPath measures the exact base-image upgrade that removes the most findings, so one change fixes many CVEs at once.
What Container Scanning Covers
The full contents of your built image, the operating system and everything bundled on top of it, whether it lives in a public or private registry or arrives as a local archive.
OS Packages
Known vulnerabilities in the distribution packages and system libraries baked into your base image and build steps, the CVEs a source scan never sees.
Bundled Dependencies
Vulnerable application dependencies copied or installed into the image during the build, including packages that never appear in your source manifests.
Layer Provenance
Per-layer attribution ties each finding to the exact layer that introduced it, distinguishing inherited base-image issues from ones your build added.
Private & Air-Gapped Images
Scan images behind authentication with stored, encrypted registry credentials, or upload an image archive to scan artifacts that cannot be pulled by reference.
Base-Image Upgrade Guidance
Fix the Most Vulnerabilities With the Fewest Changes
Most container CVEs come from the base image. ZeroPath detects your base, then scans the candidate upgrade to report exactly how many of your current findings it removes, a measured number, not a guess.
Detected-Base Recommendations
ZeroPath identifies your base image and recommends a newer stable base when one exists.
Measured Impact
We scan the candidate base and report the real number of findings the upgrade clears, so you can prioritize with evidence.
Prioritized Fixes
Focus remediation where a single layer change resolves many issues at once instead of chasing CVEs one by one.
How it works
1. Point ZeroPath at an image
   Give it a registry reference, private-registry credentials, or an uploaded archive.
2. We pull and analyze it
   OS packages and bundled dependencies are scanned and each finding is attributed to its layer.
3. Get the highest-leverage fix
   See the base-image upgrade that removes the most findings, with the exact count.
Scheduled Monitoring
Keep Watching the Images in Production
Images don't change, but the vulnerability landscape does. Put an image on a recurring re-scan schedule so newly disclosed CVEs surface, and base-image guidance stays current, without a manual re-run.
Part of Supply Chain
One View Across Your Supply Chain
Container findings are tracked as first-class issues, right next to your dependency analysis and code findings. Source-level risk and image-level risk live side by side, so your team sees everything that ships in production in one place.
Unified Triage
Severity-rated findings flow into the same issues view, status workflow, and notifications as the rest of ZeroPath.
Mapped to Your Repositories
Each image maps to the repository that owns it, so container risk shows up where the team already works.
Severity-Rated Findings
Critical/High/Medium/Low ratings let you triage real-world impact instead of generic advisories.
SAST + SCA + Containers
From Source to Shipped Image
Cover the whole path to production in one platform, from the code you write to the image you deploy.
- SAST finds issues in your code
- SCA covers your declared dependencies
- Container scanning covers what actually ships