Software vulnerabilities are weaknesses that can either cause an accidental system failure or be intentionally exploited. On-Demand Scanning allows you to manually scan container images for vulnerabilities.
This page describes manual scanning with On-Demand Scanning. If you want to learn about automatic scanning, see the vulnerability scanning documentation.
With On-Demand Scanning you can scan container images locally on your computer, in
Container Registry, or in Artifact Registry, using the
This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results. See pricing to learn more about the costs associated with scanning container images.
On-Demand Scanning supports package vulnerability scanning for Linux distributions and obtains CVE data from the following sources:
- National Vulnerability Database
- Red Hat Enterprise Linux
- CentOS - Red Hat and CentOS share the same source of vulnerability data. Because CentOS packages are published after Red Hat packages, a fix available for a vulnerability in Red Hat may take some time to also be available for CentOS.
On-Demand Scanning supports vulnerability scanning for the following OS versions:
- Debian GNU/Linux - Versions: 9, 10, 11, 12, 13
- Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10
- Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13
- CentOS - Versions: 6, 7, 8 and minor versions
- Red Hat - Versions: 6, 7, 8 and minor versions
Severity levels for vulnerabilities
On-Demand Scanning uses the following severity levels:
The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
Two types of severity are associated with each vulnerability:
- Effective severity - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, On-Demand Scanning uses the severity level assigned by the note provider.
For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. Linux distributions that assign severity levels use their own criteria to assess the specific impacts of a vulnerability on their distributions.
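The two points above (gating a CI/CD step on scan results, and using the effective severity rather than a CVSS-derived label) are illustrated by the following added example. It is not code from the page or from Google; it assumes that `gcloud artifacts docker images scan` and `gcloud artifacts docker images list-vulnerabilities --format=json` produce a JSON list of vulnerability occurrences with the fields named in the comments, and the three occurrences embedded below are constructed sample data with placeholder CVE ids, not real findings.

```python
"""
Gate a CI/CD step on On-Demand Scanning results (added example).

Assumed workflow, feeding the second command's JSON output to this script:

    gcloud artifacts docker images scan IMAGE_URI --format="value(response.scan)"
    gcloud artifacts docker images list-vulnerabilities SCAN_NAME --format=json \
        | python gate.py

The occurrence fields used here (vulnerability.effectiveSeverity,
vulnerability.severity, vulnerability.cvssScore,
vulnerability.packageIssue[].affectedPackage / fixAvailable) are this
example's assumption about the output shape.
"""
import json
import sys

# Qualitative labels ordered from least to most severe.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def cvss_to_label(score):
    """Map a CVSS v3 base score to NVD's qualitative bands. Used only to show
    how a calculated score can disagree with the distribution's own rating."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "MINIMAL"


def effective_severity(occurrence):
    """Distribution-assigned severity when present; otherwise fall back to the
    severity assigned by the note provider, as the page describes."""
    vuln = occurrence["vulnerability"]
    return vuln.get("effectiveSeverity") or vuln.get("severity", "MINIMAL")


def summarize(occurrences):
    """One row per finding with the severity the gating policy should use."""
    rows = []
    for occ in occurrences:
        vuln = occ["vulnerability"]
        issues = vuln.get("packageIssue", [])
        rows.append({
            "cve": occ["noteName"].rsplit("/", 1)[-1],
            "effective": effective_severity(occ),
            "cvss_label": cvss_to_label(float(vuln.get("cvssScore", 0.0))),
            "packages": [p.get("affectedPackage", "?") for p in issues],
            "fix_available": any(p.get("fixAvailable") for p in issues),
        })
    return rows


def gate(occurrences, threshold="HIGH", require_fix=True):
    """Return the findings that should block the build: effective severity at
    or above the threshold and, if require_fix is set, a fix available (so
    unfixable distribution vulnerabilities are reported but do not stop CI)."""
    return [
        row for row in summarize(occurrences)
        if SEVERITY_RANK[row["effective"]] >= SEVERITY_RANK[threshold]
        and (row["fix_available"] or not require_fix)
    ]


# Constructed sample output: placeholder CVE ids, not real scan results.
SAMPLE = json.loads("""[
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-00001",
  "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "MEDIUM",
    "cvssScore": 9.8, "packageIssue": [{"affectedPackage": "libexample",
    "affectedCpeUri": "cpe:/o:debian:debian_linux:12", "fixAvailable": true}]}},
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-00002",
  "vulnerability": {"severity": "HIGH", "cvssScore": 7.5,
    "packageIssue": [{"affectedPackage": "libother", "fixAvailable": false}]}},
 {"noteName": "projects/goog-vulnz/notes/CVE-0000-00003",
  "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH",
    "cvssScore": 8.1, "packageIssue": [{"affectedPackage": "libthird",
    "fixAvailable": true}]}}
]""")


if __name__ == "__main__":
    # Read real scan output from stdin if piped in; otherwise use the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for row in summarize(data):
        print(f'{row["cve"]}: effective={row["effective"]} '
              f'cvss_label={row["cvss_label"]} packages={row["packages"]} '
              f'fix_available={row["fix_available"]}')
    blocking = gate(data)
    sys.exit(1 if blocking else 0)
```

The first sample finding is the case the page warns about: its CVSS score maps to Critical, but the distribution rates it Medium, so the gate (which follows the effective severity) does not block on it. The second finding has no distribution rating and falls back to the note provider's severity; because no fix is available it is reported but, with the default `require_fix=True`, does not fail the build.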
- Get started with On-Demand Scanning.
- Understand the differences between manual and automatic scanning.