Image Scanning CLI Container Image

If you want to use cbctl without installing the binary, you can do so via the cbctl container image. The only requirement is that Docker is installed.

The image repository is cbartifactory/cbctl.


The container image is used the same way as the CLI. Instead of cbctl, invoke docker run cbartifactory/cbctl:<version>.

For example, to scan an image:

docker run cbartifactory/cbctl:<version> image scan <image>

For all available commands see this page.

Note: We do not publish a `latest` tag for this image. You have to specify the tag for the version of `cbctl` you want to use.
For all available tags see


You can configure the containerized version of cbctl the same way you can configure the binary:

Config file

In order to use a config file you will need to mount a local one inside the container.

For example, if you have a local config file at ~/.cbctl/.cbctl.yaml you can mount this file inside the container in the following way:

docker run -v ~/.cbctl/:/root/.cbctl cbartifactory/cbctl:<version> image scan <image> -c /root/.cbctl/.cbctl.yaml

cbctl running inside the container then takes its config from the local ~/.cbctl/.cbctl.yaml file.

CLI Arguments

The CLI arguments you can pass are the same as those you pass to the binary:

docker run cbartifactory/cbctl:<version> image scan python --cb-api-key ABC123 --cb-api-id AB123 --org-key XYZ345 --saas-url <saas-url>

Environment Variables

The environment variables you can pass to the container are the same as those you pass to the binary:

docker run -e CBCTL_CB_API_KEY=ABC123 -e CBCTL_CB_API_ID=AB123 -e CBCTL_ORG_KEY=XYZ2345 -e CBCTL_SAAS_URL=<saas-url> cbartifactory/cbctl:<version> image scan python

Scanning a local image

When cbctl runs inside a container, it does not have access to the container images on the host machine. If you try to scan such an image, cbctl tries to pull it from a remote registry (and fails if it cannot find the image there). To scan a local image, mount the Docker socket so that cbctl has access to all images on the host machine. You can do that with the mount flag -v /var/run/docker.sock:/var/run/docker.sock:

docker run -v ~/.cbctl/:/root/.cbctl -v /var/run/docker.sock:/var/run/docker.sock cbartifactory/cbctl:<version> image scan <image> -c /root/.cbctl/.cbctl.yaml


By default, in debug mode cbctl writes its logs to a file (creating it if it does not exist). Because containers are ephemeral, that file is lost once the container exits. To prevent this, mount a local directory into the container and write the log file there:

docker run -it -v /tmp/cbctl_logs:/root/logs cbartifactory/cbctl:<version> image scan python --debug=/root/logs/logs

This will create or use the existing logs file, which you can observe locally after the container has exited. In this example, locally the file can be found at /tmp/cbctl_logs/logs.
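
The options above combined in one wrapper, as an added example that is not part of cbctl or its documentation: it refuses an unpinned tag, takes the CBCTL_* credentials from an env file instead of the command line, and mounts the Docker socket only on request. SCAN_ENV_FILE, SCAN_CONFIG_DIR, SCAN_LOG_DIR, SCAN_LOCAL and both function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of cbctl. SCAN_ENV_FILE, SCAN_CONFIG_DIR, SCAN_LOG_DIR
# and SCAN_LOCAL are names invented for this sketch.

# Print the `docker run` arguments, one per line, or return 2 on bad input.
cbctl_docker_args() {
    _ver=${1:-} _img=${2:-}
    case $_ver in
        ''|latest)
            echo "pin a released cbctl version: no 'latest' tag is published" >&2
            return 2 ;;
    esac
    [ -n "$_img" ] || { echo "usage: cbctl_scan <version> <image>" >&2; return 2; }

    printf '%s\n' run --rm
    # CBCTL_CB_API_KEY, CBCTL_CB_API_ID, CBCTL_ORG_KEY and CBCTL_SAAS_URL go in a
    # KEY=VALUE file, so they stay out of shell history and the process list.
    [ -z "${SCAN_ENV_FILE:-}" ] || printf '%s\n' --env-file "$SCAN_ENV_FILE"
    [ -z "${SCAN_CONFIG_DIR:-}" ] || printf '%s\n' -v "$SCAN_CONFIG_DIR:/root/.cbctl"
    [ -z "${SCAN_LOG_DIR:-}" ] || printf '%s\n' -v "$SCAN_LOG_DIR:/root/logs"
    # The socket lets the container drive the host's Docker daemon, so it is
    # mounted only for scans of images that exist on the host alone.
    [ "${SCAN_LOCAL:-0}" != 1 ] ||
        printf '%s\n' -v /var/run/docker.sock:/var/run/docker.sock

    printf '%s\n' "cbartifactory/cbctl:$_ver" image scan "$_img"
    [ -z "${SCAN_CONFIG_DIR:-}" ] || printf '%s\n' -c /root/.cbctl/.cbctl.yaml
    [ -z "${SCAN_LOG_DIR:-}" ] || printf '%s\n' --debug=/root/logs/logs
}

# Build the arguments and run docker with them (arguments must not contain
# newlines, because the list is split on them).
cbctl_scan() {
    _args=$(cbctl_docker_args "$@") || return
    _ifs=$IFS
    IFS='
'
    set -f              # no globbing while the list is split
    set -- $_args
    set +f
    IFS=$_ifs
    docker "$@"
}
# Usage after sourcing: SCAN_LOCAL=1 SCAN_CONFIG_DIR=~/.cbctl cbctl_scan <version> <image>
```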

Image Versions

Versions of the cbctl image map one to one with the versions of the cbctl binary. For each release of the cbctl binary a container image with the same version is released as well.

For all image versions see


Last modified on February 7, 2023