Container scanner

Last updated: Jun 25, 2026


Quick scan vs. configuration file

The containers SCA scanner supports two modes of operation.

Quick scan — analyze a single public image directly from the command line, without a configuration file:

cs scan alpine:3.17

This outputs a SARIF report by default.

Configuration file — use a YAML configuration file for more advanced scenarios: scanning private or ECR images, scanning multiple images at once, specifying custom output paths, or exporting an SBOM alongside a vulnerability report:

cs scan --config config.yaml

The rest of this page describes the configuration file options in detail.

For common configuration file keys that apply to all scanners, see Use a configuration file.

Specific configuration file keys

The following key is available for the Containers Scanning image and is used to perform SCA analysis on container images.

containers_sca

This key contains an images list of container images to scan. Each entry supports the following options:

  • image_uri (mandatory): The URI of the container image to analyze. Accepts standard image references such as alpine:3.17.
  • image_config (optional): Additional settings for pulling and analyzing the image. See image_config options for details.

For example:

containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: registry.example.com/myapp:latest
      image_config:
        docker_credentials:
          docker_username: user
          docker_password: token

image_config options

The image_config sub-key supports the following options:

  • use_docker_daemon (optional): When set to true, the scanner connects to your local Docker daemon to analyze images stored locally. This is only available on Linux systems.
  • os_override (optional): Override the target OS for image analysis. Defaults to linux.
  • arch_override (optional): Override the target architecture for image analysis. Defaults to arm64.

For example, to scan an amd64 Windows image:

containers_sca:
  images:
    - image_uri: mcr.microsoft.com/windows/server:2022
      image_config:
        os_override: windows
        arch_override: amd64

  • docker_credentials (optional): Credentials for authenticating against a Docker-compatible registry:

    • docker_username: The registry username.
    • docker_password: The password or token with read access to the image.

    Both fields support the ${VAR_NAME} syntax (see the environment variable example below).

  • ecr_credentials (optional): Credentials for authenticating against AWS Elastic Container Registry (ECR). Accepts either static credentials or role assumption:

    Static credentials:

    • access_key_id (mandatory): AWS access key ID.
    • secret_access_key (mandatory): AWS secret access key.
    • session_token (optional): Required when using temporary credentials (i.e., when access_key_id starts with ASIA).
    • aws_region (optional): AWS region of the ECR registry. Defaults to us-east-1.

    access_key_id, secret_access_key, and session_token support the ${VAR_NAME} syntax (see the environment variable example below).

    Role assumption:

    • role_arn (mandatory): ARN of the IAM role to assume.
    • external_id (mandatory): External ID required for role assumption.
    • aws_region (optional): AWS region of the ECR registry. Defaults to us-east-1.

    Both role_arn and external_id support the ${VAR_NAME} syntax (see the environment variable example below).

Output configuration

Vulnerability report

Use the top-level output key to configure the vulnerability report:

  • file_path (optional): Path where the report will be written. Defaults to .fluidattacks-containers-sca-results.sarif or .fluidattacks-containers-sca-results.csv depending on the selected format.
  • format (optional): Report format. Accepted values: SARIF (default) or CSV.

For example:

output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF

SBOM output

Use the sbom key to export a Software Bill of Materials (SBOM):

  • output.name (optional): Path where the SBOM will be written.
  • output.format (optional): SBOM format. Accepted values: fluid-json (default), cyclonedx-json, cyclonedx-xml, spdx-json, or spdx-xml.

For example:

sbom:
  output:
    name: /results/fluid-sbom.json
    format: fluid-json

Configuration file examples

Scanning a public image

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: alpine:3.17

Scanning an image from a private registry

language: EN
output:
  file_path: /results/fluid-attacks-results.csv
  format: CSV
containers_sca:
  images:
    - image_uri: registry.example.com/myapp:latest
      image_config:
        docker_credentials:
          docker_username: user
          docker_password: token

Scanning an ECR image with static credentials

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          access_key_id: access_key_id
          secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
          aws_region: us-east-1

Scanning an ECR image via IAM role assumption

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          role_arn: arn:aws:iam::123456789012:role/MyECRReadRole
          external_id: my-external-id
          aws_region: us-east-1

Scanning an image with environment variables

Credential fields accept the ${VAR_NAME} syntax. The scanner reads the value from the matching environment variable at scan time.

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: registry.example.com/myapp:latest
      image_config:
        docker_credentials:
          docker_username: user
          docker_password: ${REGISTRY_PASSWORD}
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          role_arn: arn:aws:iam::123456789012:role/MyECRReadRole
          external_id: ${ECR_EXTERNAL_ID}
          aws_region: us-east-1

Scanning a locally stored image (Linux only)

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: myapp:local
      image_config:
        use_docker_daemon: true

Scanning multiple images with SBOM export

namespace: my_app
language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
sbom:
  output:
    name: /results/fluid-sbom.json
    format: fluid-json
containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          role_arn: arn:aws:iam::123456789012:role/MyECRReadRole
          external_id: my-external-id
