Overview
Perform security vulnerability scans on Docker images using integrated scanners (Grype or Trivy). Results are saved to the database and can be retrieved for historical analysis.Endpoint
Query Parameters
Environment ID containing the image to scan. Optional for local environments.
Request Body
Image name or ID to scan:
nginx:latestubuntu:22.04sha256:abc123...
Force specific scanner:
grype or trivy. If not specified, uses environment scanner settings.Authentication
Requiresimages:inspect permission for the specified environment.
Response Format
Returns job ID for progress tracking:Accept: application/json, returns scan results directly.
Progress Events
Scanning Stage
Analyzing Stage
Processing Stage
Complete
Error
Scan Result Schema
Image identifier (SHA256 hash)
Human-readable image name with tag
Scanner used:
grype or trivyISO 8601 timestamp when scan completed
Scan duration in milliseconds
Vulnerability count by severity:
critical: Critical severity (CVSS 9.0-10.0)high: High severity (CVSS 7.0-8.9)medium: Medium severity (CVSS 4.0-6.9)low: Low severity (CVSS 0.1-3.9)negligible: Negligible/informationalunknown: Unknown severity
Array of vulnerability objects
Vulnerability Object
CVE identifier or vendor-specific ID
Severity level:
critical, high, medium, low, negligible, unknownAffected package name
Installed package version
Version containing the fix (if available)
Vulnerability description
Reference URLs for more information
Implementation
Retrieve Cached Results
Get the latest scan results for an image without running a new scan:Query Parameters
Image name or ID
Environment ID
Filter by scanner:
grype or trivyResponse
Usage Examples
Scan with Default Scanner
Force Specific Scanner
Get Cached Results
Stream Progress (JavaScript)
Filter Critical Vulnerabilities
Supported Scanners
Grype
Fast, accurate vulnerability scanner by Anchore:- Language-specific package scanning
- OS package scanning
- Database automatically updated
- Supports offline scanning
Trivy
Comprehensive security scanner by Aqua Security:- Vulnerability scanning
- Misconfiguration detection
- Secret detection
- License scanning
Error Responses
Missing required parameter
Permission denied
Scan failed
Scan-on-Pull Integration
Scans are automatically triggered when pulling images (if configured):Related Operations
- Pull Image - Automatic scan-on-pull
- List Images - View available images
- Scanner Configuration - Configure scanner settings
Notes
- Results are automatically saved to database
- Multiple scanners can be configured simultaneously
- Scan duration typically ranges from 5-30 seconds depending on image size
- Progress events provide real-time feedback
- Cached results can be retrieved without re-scanning
- Scanner selection follows environment configuration
- Scan-on-pull integration is automatic when scanner is configured
