Image Scanning CLI Container image
If you want to use cbctl without installing the binary, you can do so via the cbctl container image.
All you need is to have
The image repository is
The usage of the container image is the same as the CLI.
docker run cbartifactory/cbctl:<version>.
For example, to scan an image:
docker run cbartifactory/cbctl:<version> image scan <image>
For all available commands, see this page.
NOTE: We do not publish a latest tag for this image. You have to specify the tag for the version of cbctl you want to use.
For all available tags see https://hub.docker.com/repository/docker/cbartifactory/cbctl/tags.
You can configure the containerized version of cbctl the same way you can configure the binary:
In order to use a config file you will need to mount a local one inside the container.
For example, if you have a local config file at ~/.cbctl/.cbctl.yaml, you can mount this file inside the container in the following way:
docker run -v ~/.cbctl/:/root/.cbctl cbartifactory/cbctl:<version> image scan <image> -c /root/.cbctl/.cbctl.yaml
This will mean that the config for the cbctl running inside the container is the local
The CLI arguments you can pass are the same ones you pass to the binary:
docker run cbartifactory/cbctl:<version> image scan python --cb-api-key ABC123 --cb-api-id AB123 --org-key XYZ345 --saas-url https://defense.conferdeploy.net/containers
The environment variables you can pass to the container are the same ones you pass to the binary:
docker run -e CBCTL_CB_API_KEY=ABC123 -e CBCTL_CB_API_ID=AB123 -e CBCTL_ORG_KEY=XYZ2345 -e CBCTL_SAAS_URL=https://defense.conferdeploy.net/containers cbartifactory/cbctl:<version> image scan python
Scanning a local image
When you run cbctl inside a container, it does not have access to the container images on the host machine.
If you try to scan such an image, cbctl will try to pull it from a remote registry (and fail if it cannot find the image).
If you want to scan a local image, you need to mount the Docker socket so that cbctl has access to all images on the host machine.
You can do that via the mount flag:
docker run -v ~/.cbctl/:/root/.cbctl -v /var/run/docker.sock:/var/run/docker.sock cbartifactory/cbctl:<version> image scan <image> -c /root/.cbctl/.cbctl.yaml
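As an added example (not part of the cbctl documentation), this POSIX shell wrapper assembles the invocations shown above with a pinned tag, a read-only config mount, credentials passed by environment variable name only, and the Docker socket mounted only on request. The function name cbctl_docker and the CBCTL_CONFIG_DIR variable are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the cbctl documentation. The function name
# cbctl_docker and the CBCTL_CONFIG_DIR variable are assumptions.
CBCTL_IMAGE="cbartifactory/cbctl"   # image name used on this page

# cbctl_docker MODE VERSION LOCAL_IMAGES [cbctl arguments...]
#   MODE          print = list the docker argv, run = execute it
#   LOCAL_IMAGES  1 = mount the Docker socket, 0 = do not
cbctl_docker() {
    mode=$1; version=$2; local_images=$3; shift 3
    # No "latest" tag is published, so insist on an explicit version tag.
    case $version in
        ''|latest) echo "cbctl_docker: pin an explicit version tag" >&2
                   return 1 ;;
    esac
    cfg_dir=${CBCTL_CONFIG_DIR:-$HOME/.cbctl}
    set -- "$CBCTL_IMAGE:$version" "$@"
    # The socket lets the container drive the host Docker daemon, so it is
    # mounted only when a host-local image has to be scanned.
    if [ "$local_images" = 1 ]; then
        set -- -v /var/run/docker.sock:/var/run/docker.sock "$@"
    fi
    # Mount the config directory read-only and point cbctl at the file.
    if [ -f "$cfg_dir/.cbctl.yaml" ]; then
        set -- -v "$cfg_dir:/root/.cbctl:ro" "$@" -c /root/.cbctl/.cbctl.yaml
    fi
    # "-e NAME" without a value copies NAME from the caller's environment,
    # keeping credentials out of argv and shell history.
    for name in CBCTL_CB_API_KEY CBCTL_CB_API_ID CBCTL_ORG_KEY CBCTL_SAAS_URL; do
        if env | grep -q "^${name}="; then
            set -- -e "$name" "$@"
        fi
    done
    case $mode in
        run) docker run --rm "$@" ;;
        *)   printf '%s\n' docker run --rm "$@" ;;
    esac
}
```

Calling cbctl_docker print <version> 0 image scan <image> lists the command for review; replacing print with run executes it.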
By default, in debug mode cbctl writes the logs to a file (or creates one if it does not exist).
However, because containers are ephemeral, that file is lost once the container exits.
To prevent this, you can mount a local file to be used to output the logs:
docker run -it -v /tmp/cbctl_logs:/root/logs cbctl:photon image scan python --debug=/root/logs/logs
This will create or use the existing logs file, which you can observe locally after the container has exited.
In this example, locally the file can be found at
Versions of the cbctl image map one to one with the versions of the
For each release of the cbctl binary, a container image with the same version is released as well.
For all image versions see https://hub.docker.com/repository/docker/cbartifactory/cbctl/tags.