
Container Image Scanning

SentriKat agents scan Windows, Linux, and container images in a single pass. When Docker or Podman is detected on an endpoint, the agent automatically scans all local container images for vulnerabilities using Trivy, the industry-standard open-source security scanner.

Container scanning is part of SentriKat's multi-platform approach — the same agent that collects Windows products and Linux packages also handles container images, with no extra configuration or additional agent deployment needed.

How It Works

  1. The SentriKat agent collects the regular software inventory (Windows products / Linux packages)
  2. It detects Docker or Podman during the same scan cycle
  3. Trivy is automatically downloaded and cached (~50MB, one-time)
  4. All local images are scanned for HIGH and CRITICAL severity vulnerabilities
  5. Results are sent to the SentriKat server alongside the regular software inventory
  6. Container vulnerabilities appear in the dashboard, alerts, and reports

Data flow (Mermaid diagram source):

graph LR
    A[Agent] -->|Detects Docker| B[Trivy Scanner]
    B -->|Scans Images| C[JSON Results]
    C -->|POST /api/agent/container-scan| D[SentriKat Server]
    D -->|Store| E[Container Vulnerabilities]
    E -->|Display| F[Dashboard & Alerts]

Requirements

  • Docker or Podman installed on the endpoint
  • Internet access (for initial Trivy binary download and vulnerability database)
  • Agent v1.2.0 or later

Configuration

Container scanning is enabled by default when Docker/Podman is detected.

Linux Agent

Set in /etc/sentrikat/agent.conf:

# Auto-detect (default) — scans if Docker/Podman found
CONTAINER_SCAN_ENABLED=auto

# Force enable
CONTAINER_SCAN_ENABLED=true

# Disable container scanning
CONTAINER_SCAN_ENABLED=false

Windows Agent

Container scanning runs automatically when Docker Desktop is detected. No additional configuration is needed.

What Gets Scanned

  • OS packages: Alpine APK, Debian/Ubuntu dpkg, RHEL/CentOS rpm, etc.
  • Application dependencies: pip (Python), npm (Node.js), Maven (Java), Go modules, Rust crates, Ruby gems
  • Severity filter: Only HIGH and CRITICAL vulnerabilities are reported (configurable)

Licensing

Container scanning is included in the Professional Edition at no extra cost. It uses the existing agent deployment — no new agent needed. The same endpoint running Docker still counts as a single agent slot regardless of how many container images are scanned.

Edition        Container Scanning
-------------  --------------------------------
Demo           Yes (limited to 5 agents)
Professional   Yes, unlimited images per agent

API Reference

Submit Container Scan Results

POST /api/agent/container-scan
X-Agent-Key: <your-api-key>
Content-Type: application/json

The request body should contain the Trivy JSON output for the scanned images.

List Container Images

GET /api/containers

Optional query parameters:

Parameter  Type    Description
---------  ------  ------------------------------------
severity   string  Filter by severity (critical, high)
search     string  Search by image name

Get Image Details

GET /api/containers/<image_id>

Returns detailed vulnerability information for a specific container image.

Limits

Limit                             Value
--------------------------------  ----------------------------------------
Maximum images scanned per cycle  50
Scan timeout per image            5 minutes
Authentication                    Same agent API key as regular inventory

Trivy Details

Property                Value
----------------------  ------------------------------------------------------------------------
Scanner                 Trivy by Aqua Security
License                 Apache-2.0 (free, open source)
Vulnerability database  Updated every 6 hours from NVD, Red Hat, Alpine, Debian, Ubuntu, and more
Binary size             ~50MB (cached locally)
Scan command            trivy image --format json --severity HIGH,CRITICAL <image>
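
As an added example (not SentriKat's agent code, and not Trivy's), the Python script below walks the cycle described under "How It Works", "API Reference" and "Limits" end to end: detect Docker or Podman, discover local images capped at the 50-per-cycle limit, run the scan command exactly as listed above with the 5-minute per-image timeout, tally HIGH and CRITICAL findings from Trivy's JSON report (vulnerabilities sit under Results[].Vulnerabilities[]), and assemble the POST /api/agent/container-scan request with the X-Agent-Key header. The server URL, the API key, the "images" wrapper key in the request body, and the embedded sample report (with placeholder CVE ids) are constructed assumptions; if no runtime or trivy binary is on the host, the script summarizes the sample report instead of scanning.

```python
"""Added example (not SentriKat's or Trivy's code): mirror the documented
container-scan cycle -- detect runtime, list images, run trivy, keep
HIGH/CRITICAL, build the POST to /api/agent/container-scan."""
import json
import shutil
import subprocess
import urllib.request

MAX_IMAGES_PER_CYCLE = 50        # documented limit: 50 images per cycle
SCAN_TIMEOUT_SECONDS = 5 * 60    # documented limit: 5 minutes per image
REPORTED_SEVERITIES = ("HIGH", "CRITICAL")


def detect_runtime():
    """Return 'docker' or 'podman' if either CLI is on PATH, else None."""
    for name in ("docker", "podman"):
        if shutil.which(name):
            return name
    return None


def list_images(runtime, limit=MAX_IMAGES_PER_CYCLE):
    """Discover local images via `<runtime> images`, drop dangling <none> tags,
    and cap the list at the documented per-cycle limit."""
    out = subprocess.run(
        [runtime, "images", "--format", "{{.Repository}}:{{.Tag}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    images = [l for l in out.splitlines() if l and not l.endswith(":<none>")]
    return images[:limit]


def trivy_command(image):
    """The scan command as documented in 'Trivy Details'."""
    return ["trivy", "image", "--format", "json",
            "--severity", ",".join(REPORTED_SEVERITIES), image]


def scan_image(image):
    """Run trivy for one image and parse its JSON report (raises on timeout)."""
    proc = subprocess.run(trivy_command(image), check=True, capture_output=True,
                          text=True, timeout=SCAN_TIMEOUT_SECONDS)
    return json.loads(proc.stdout)


def summarize(report):
    """Count HIGH/CRITICAL findings in a Trivy JSON report. The severity filter
    is re-applied here so a report produced without --severity is handled too."""
    counts = {sev: 0 for sev in REPORTED_SEVERITIES}
    fixable = 0
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "")).upper()
            if sev in counts:
                counts[sev] += 1
                if vuln.get("FixedVersion"):   # a fix exists upstream
                    fixable += 1
    return {"image": report.get("ArtifactName"), "fixable": fixable, **counts}


def build_request(server_url, api_key, reports):
    """Assemble the documented POST; the raw Trivy reports go in the body.
    The 'images' wrapper key is an assumption, not taken from the docs."""
    return {
        "url": server_url.rstrip("/") + "/api/agent/container-scan",
        "headers": {"X-Agent-Key": api_key, "Content-Type": "application/json"},
        "body": json.dumps({"images": reports}).encode(),
    }


def submit(request):
    """Send the assembled request; returns the HTTP status code."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample in Trivy's JSON shape; CVE ids are placeholders, not real.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "HIGH"}]},
    ],
}


if __name__ == "__main__":
    runtime = detect_runtime()
    if runtime is None or shutil.which("trivy") is None:
        print("no Docker/Podman or trivy on this host; using the constructed sample")
        reports = [SAMPLE_REPORT]
    else:
        reports = [scan_image(img) for img in list_images(runtime)]
    for r in reports:
        print(json.dumps(summarize(r)))
    req = build_request("https://sentrikat.example.invalid", "REPLACE-WITH-AGENT-KEY", reports)
    print("would POST", len(req["body"]), "bytes to", req["url"])   # call submit(req) to send
```

The summary step is where a defender gets the most value from the raw report: counting how many of the HIGH/CRITICAL findings already have a FixedVersion tells you which images can be cleared simply by rebuilding on a patched base, which is the usual first triage split before anything reaches the dashboard.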

Troubleshooting

Trivy fails to download

Ensure the endpoint has internet access. Trivy needs to download its binary (~50MB) on first run and update its vulnerability database periodically.

If the endpoint is behind a proxy, configure the proxy settings in the agent configuration:

# /etc/sentrikat/agent.conf
HTTP_PROXY=http://proxy.example.com:8080
HTTPS_PROXY=http://proxy.example.com:8080

No container images found

Verify Docker or Podman is installed and running:

docker images
# or
podman images

The agent runs docker images (or podman images) to discover local images. If no images are present, no container scan will be performed.

Scan results not appearing in dashboard

  1. Check agent logs for errors during the container scan phase
  2. Verify the agent API key has permission to submit container scan results
  3. Ensure the agent version is v1.2.0 or later