Docker Image Scanning in CI/CD Pipelines

Note: This capability is currently in Early Access (EA) and is not generally available. To request access, please contact OX technical support.

OX Security supports scanning container images immediately after they are built in your CI/CD pipeline. This allows you to detect vulnerabilities at the earliest possible stage, before the image is pushed to a registry or used in any runtime environment.

The scan is performed as a dedicated pipeline step, using an OX-provided scanner image and configuration.

The integration runs within CI/CD pipelines for repositories that are monitored in OX.

First, you need to configure the container scanning and then you can view the results, as follows:

Pipeline Configuration

To scan Docker images during pipeline execution, you must add a new step to your CI/CD configuration. OX provides a Docker image published on Docker Hub that runs the scanner.

Prerequisites

OX CI/CD Integration key
Docker image name and tag to be scanned
CI/CD environment that supports injecting these values
CI/CD environment that supports mounting the host’s Docker socket into the container, OR providing remote access to the Docker daemon using TCP

Environment Variable

Description

Examples

DOCKER_HOST

Specifies the address of the Docker daemon.

unix:///var/run/docker.sock (default for local) tcp://192.168.1.100:2375 (for remote TCP)

System Requirements

Requirement Type

CPU

Memory

Minimum System Requirements

1 core

512 MB RAM

Recommended System Requirements

1–2 cores

1 GB RAM

Example: GitLab CI

image_scan:
  stage: scan
  image: oxsecurity/ox-image-scanner:latest
  variables:
    OX_API_KEY: <your_api_key>
    OX_ARTIFACT_NAME: <image_name>
    OX_ARTIFACT_TAG:  <image_tag>
    DOCKER_HOST: <docker_host_url or path_to_socket, defaults to unix:///var/run/docker.sock>
  script:
    - scan-image

Example: Azure

 - job: OX
        displayName: OX Security Image Scan
        steps:
          - script: |
              docker run \
                --rm \
                -e OX_API_KEY=<your_api_key> \
                -e OX_ARTIFACT_NAME=<image_name> \
                -e OX_ARTIFACT_TAG=<image_tag> \
                -e DOCKER_HOST=unix:///var/run/docker.sock \
                --env-file <(env | grep 'SYSTEM_\|BUILD_') \
                -v /var/run/docker.sock:/var/run/docker.sock \
                oxsecurity/ox-image-scanner:latest

Pipeline Workflow Configuration

After configuring the pipeline, you must define how OX handles the scan results. This is done in the Pipeline Workflows area of the OX platform.

To configure the workflow:

Go to Pipeline Workflows in the OX UI.
Drag the Container Security policy from the left panel into your active workflow.
Define actions based on issue severity or type (e.g., alert, block the pipeline).

Save the updated workflow.

Note: During early access, the Container Security policy is not part of the default workflow and must be added manually.

Last updated 24 days ago