Container Image Integration FAQ

Answers to frequently asked questions about scanning container images with Safeguard.sh.

General Questions

What container registries are supported?

Safeguard.sh supports:

Docker Hub
Amazon Elastic Container Registry (ECR)
Google Container Registry (GCR) / Artifact Registry
Azure Container Registry (ACR)
GitHub Container Registry (ghcr.io)
GitLab Container Registry
JFrog Artifactory
Harbor
Quay.io
Any OCI-compliant registry

What's the difference between image scanning and source code scanning?

Aspect	Source Code Scanning	Container Image Scanning
What's scanned	Package manifests in source	Installed packages in image layers
Dependencies found	Declared dependencies	Actually installed packages
OS packages	No	Yes
Build-time only deps	Included	Excluded (not in final image)

Do I need to pull images locally first?

No. Safeguard.sh connects directly to your registry and pulls images on-demand. You only need to provide registry credentials.

Authentication

How do I scan public images?

For public images (e.g., from Docker Hub):

Navigate to Integrations
Select Container Image → Public tab
Enter the image reference (e.g., nginx:latest)
Click Connect

No authentication required for public images.

What credentials do I need for private registries?

Registry	Credential Type
Docker Hub	Username + Access Token
Amazon ECR	AWS Access Key + Secret Key
Google GCR	Service Account JSON Key
Azure ACR	Service Principal or Admin User
Generic OCI	Username + Password/Token

Are my registry credentials stored securely?

Yes. All credentials are:

Encrypted at rest using AES-256
Never exposed in logs or UI after entry
Stored in isolated secure vaults
Only used to pull images during scans

Image References

What image reference formats are supported?

# Tag-based
registry.example.com/image:tag
nginx:1.21
myregistry.azurecr.io/myapp:v1.0.0

# Digest-based (most secure)
nginx@sha256:abc123def456...
myregistry.azurecr.io/myapp@sha256:abc123...

# Latest (implicit)
nginx
registry.example.com/image

Should I use tags or digests?

Method	Pros	Cons
Tags	Human-readable, easy to remember	Can be overwritten, mutable
Digests	Immutable, guaranteed same image	Long, harder to work with

Recommendation: Use digests for production scanning to ensure you're always scanning the exact same image.

Can I scan multi-architecture images?

Yes. By default, Safeguard.sh scans the platform matching the scanner (linux/amd64). To scan specific platforms:

In image configuration, specify the platform
Or use platform-specific tags (e.g., myimage:v1-arm64)

Scanning Process

What does Safeguard.sh scan in a container image?

OS packages - apt, yum, apk packages
Application dependencies - npm, pip, gem, etc.
Binaries - Go, Rust compiled binaries
Secrets - Accidentally included credentials (flagged as findings)
Configuration - Security misconfigurations

How long does an image scan take?

Scan time depends on:

Factor	Impact
Image size	Larger = longer
Number of layers	More = longer
Number of packages	More = longer
Network speed	Slower = longer

Typical times:

Small image (Alpine): 30 seconds - 1 minute
Medium image (Ubuntu): 1-3 minutes
Large image (Full OS + apps): 3-10 minutes

Why does my image have more vulnerabilities than my source code?

Container images include:

Base OS packages - The underlying OS has its own vulnerabilities
Build dependencies - Dependencies used during build that aren't in source
System libraries - libc, openssl, etc.
Outdated base images - Old base images have known vulnerabilities

Can I scan images before pushing to registry?

Yes, using the CLI:

# Build image locally
docker build -t myapp:test .

# Scan local image
safeguard scan --image myapp:test

# If scan passes, push to registry
docker push myregistry.com/myapp:test

Troubleshooting

"Image not found" error

Verify the image reference is correct
Check the tag exists in the registry
For private images, ensure credentials are configured
Try using the full image reference including registry

"Unauthorized" error

Verify credentials are correct
Check token/password hasn't expired
Ensure credentials have pull access
For ECR, check AWS credentials are valid

"Manifest unknown" error

The specified tag doesn't exist
Tag may have been deleted
Try listing tags in your registry to verify

Scan shows no dependencies

Image may be a minimal/scratch image
Dependencies might be statically compiled
Check if image has a shell to inspect: docker run -it image sh

Scan takes too long

Large images take longer
Try scanning a smaller base image first
Check network connectivity to registry
Contact support for very large images

Best Practices

Base Image Selection

Use minimal base images (Alpine, Distroless)
Use official images when possible
Pin base image versions (don't use latest)
Regularly update base images

Image Hygiene

Don't include build tools in final image (multi-stage builds)
Remove package manager caches
Don't include secrets or credentials
Use .dockerignore to exclude unnecessary files

Scanning Strategy

Scan images in CI/CD before pushing
Scan production images daily
Use webhooks for automatic scanning on push
Set up alerts for new critical vulnerabilities

Tag Management

Use semantic versioning for tags
Include git commit SHA in tags
Don't overwrite tags (use new tags for updates)
Maintain a latest tag for convenience

Advanced Topics

Scanning Distroless Images

Distroless images work with Safeguard.sh:

gcr.io/distroless/static
gcr.io/distroless/base
gcr.io/distroless/java

These images have fewer packages but may still have vulnerabilities in included components.

Scanning Windows Containers

Windows container images are supported:

mcr.microsoft.com/windows/servercore:ltsc2022
mcr.microsoft.com/dotnet/aspnet:6.0-windowsservercore-ltsc2022

Scanning may take longer due to larger image sizes.

Air-Gapped Environments

For air-gapped environments:

Export image: docker save myimage:tag > image.tar
Transfer to air-gapped system
Use CLI with offline mode: safeguard scan --image-file image.tar

Frequently Asked Questions