Safeguard Documentation Center

Container Images

Generate SBOMs from container images and registries

Generate SBOMs from container images stored in various registries. Safeguard scans container layers to identify all dependencies and vulnerabilities.

Supported Registries

Registry | Description | Public | Private
Amazon ECR | AWS Elastic Container Registry | |
Docker Hub | Docker Hub repositories | |
GCP Cloud Source | Google Cloud container sources | |
OCI Registry | Open Container Initiative registries | |

Public vs Private Images

Public Images

For public container images, you only need to provide the image reference.

Workflow:

  1. Navigate to Integrations
  2. Click Connect on the container registry
  3. Select the Public tab
  4. Enter the image reference (e.g., nginx:latest)
  5. Configure project settings
  6. Click Connect

Private Images

Private container registries require authentication credentials.

Workflow:

  1. Navigate to Integrations
  2. Click Connect on the container registry
  3. Select the Private tab
  4. Enter registry credentials
  5. Click Verify Credentials
  6. Browse and select images
  7. Configure project settings
  8. Click Connect

Credential Requirements

Registry | Credential Type
Amazon ECR | AWS Access Key ID + Secret Access Key
Docker Hub | Username + Access Token
GCP Cloud Source | Service Account JSON Key
OCI Registry | Username + Password/Token

What Gets Scanned

When scanning container images, Safeguard analyzes:

  • Base image layers - Identify the parent image and its dependencies
  • Package managers - Detect packages from apt, yum, apk, npm, pip, etc.
  • Application dependencies - Find libraries and frameworks
  • Configuration files - Identify manifest files and configs
  • Embedded binaries - Scan compiled binaries for known components

Best Practices

  • Scan specific tags - Use specific version tags instead of latest
  • Regular scans - Enable continuous scanning to catch new vulnerabilities
  • Scan before deployment - Integrate with CI/CD pipelines
  • Use minimal base images - Reduce attack surface with slim images
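The "scan specific tags" practice can be checked before an image reference is submitted for scanning. The following is an added example, not Safeguard's own code: it parses an image reference and reports whether it is floating (latest or no tag), versioned, or digest-pinned. It goes beyond the page by also recognising sha256 digest references; the floating-tag list and the sample references are constructed assumptions.

```python
import re

# Tags that are conventionally re-pointed at newer builds.
# Assumed list for illustration; extend it to match your own registries.
FLOATING_TAGS = {"latest", "stable", "edge", "main", "master", "nightly"}

def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon separates a tag only when it comes after the last slash;
    # before that it is a registry port (registry.example.com:5000/app).
    tag = None
    last_colon = ref.rfind(":")
    if last_colon > ref.rfind("/"):
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    # The first path component is a registry host if it looks like one.
    registry = None
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    return registry, ref, tag, digest

def classify(ref):
    """Return 'digest', 'versioned' or 'floating' for an image reference."""
    _, _, tag, digest = parse_image_ref(ref)
    if digest and re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        return "digest"        # content-addressed, cannot be re-pointed
    if tag is None or tag.lower() in FLOATING_TAGS:
        return "floating"      # a missing tag resolves to "latest"
    return "versioned"

if __name__ == "__main__":
    # Constructed sample references, not taken from any real project.
    samples = [
        "nginx:latest",
        "nginx:1.25.3",
        "registry.example.com:5000/team/app",
        "registry.example.com:5000/team/app:2.4.1",
        "ghcr.io/org/app@sha256:" + "a" * 64,
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

Run against the references in a deployment manifest, any `floating` result marks an image whose scan results may not describe what is actually deployed later.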

Next Steps

Choose your container registry to see detailed configuration instructions:
