Security scan process
Scans run on demand when you initiate them in the MSR web UI or automatically when you push an image to the registry.
Scanning process
MSR image scanning occurs in a service known as the dtr-jobrunner container. To scan an image, MSR:
1. Extracts a copy of the image layers from the backend storage.
2. Extracts the files from the layer into a working directory inside the dtr-jobrunner container.
3. Executes the scanner against the files in this working directory, collecting a series of scanning data.
4. Once the scanning data is collected, removes the working directory for the layer.
Binary scan
The scanner first performs a binary scan on each layer of the image, identifies the software components in each layer, and indexes the SHA of each component in a bill-of-materials. A binary scan evaluates the components on a bit-by-bit level, so vulnerable components are discovered even if they are statically linked or use a different name.
The scan then compares the SHA of each component against the US National Vulnerability Database that is installed on your MSR instance. When this database is updated, MSR verifies whether the indexed components have newly discovered vulnerabilities.
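The following added example (not MSR's own code) models the workflow described in the two sections above: a layer is extracted into a temporary working directory, every file is hashed into a SHA-keyed bill-of-materials, the working directory is removed, and the BOM is evaluated against a vulnerability database. Re-evaluating the same BOM against an updated database shows how an already-indexed component can be flagged without rescanning the image. The layer contents, component names and the "HYPOTHETICAL-CVE-0001" identifier are constructed; hashing whole files is a simplified stand-in for the scanner's component-level binary analysis, but it illustrates why a renamed copy of the same bytes is still matched.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample layer: a hypothetical library, a renamed copy of the
# same bytes, an unrelated binary and a config file. Not a real image.
LIB_BYTES = b"hypothetical shared library v1.0 (constructed bytes)"
SAMPLE_LAYER_FILES = {
    "usr/lib/libexample.so.1": LIB_BYTES,
    "opt/vendor/renamed-lib.so": LIB_BYTES,      # same component, different name
    "usr/bin/tool": b"constructed bytes of an unrelated binary",
    "etc/config": b"key=value\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


LIB_SHA = sha256_bytes(LIB_BYTES)

# Constructed stand-ins for two versions of the vulnerability database,
# keyed by component SHA-256. Not real NVD data.
VULN_DB_V1 = {}                                    # nothing known yet
VULN_DB_V2 = {LIB_SHA: ["HYPOTHETICAL-CVE-0001"]}  # after a DB update


def extract_layer(files: dict, workdir: Path) -> None:
    """Step 2: write the layer's files into the working directory."""
    for rel, data in files.items():
        target = workdir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def scan_layer(workdir: Path) -> dict:
    """Step 3: index the SHA-256 of every file into a bill-of-materials."""
    bom = {}
    for path in sorted(workdir.rglob("*")):
        if path.is_file():
            bom[path.relative_to(workdir).as_posix()] = sha256_bytes(path.read_bytes())
    return bom


def build_bom(layer_files: dict) -> tuple:
    """Steps 2-4: extract, scan, then remove the working directory.

    Returns (bom, workdir) so a caller can confirm the cleanup happened."""
    workdir = Path(tempfile.mkdtemp(prefix="layer-"))
    try:
        extract_layer(layer_files, workdir)
        bom = scan_layer(workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # step 4: cleanup
    return bom, workdir


def evaluate(bom: dict, vuln_db: dict) -> dict:
    """Compare each indexed SHA against the database; return {path: [ids]}."""
    return {path: vuln_db[sha] for path, sha in bom.items() if sha in vuln_db}


if __name__ == "__main__":
    bom, workdir = build_bom(SAMPLE_LAYER_FILES)
    print("working dir removed:", not workdir.exists())
    print("initial findings:", evaluate(bom, VULN_DB_V1))
    # The DB is updated later; the stored BOM is re-evaluated without rescanning.
    print("after DB update:", evaluate(bom, VULN_DB_V2))
```

Because the BOM is keyed by content hash rather than by file name, the renamed copy under opt/vendor is reported together with the original once the database learns about that component.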
Layers excluded from scanning
MSR has the ability to scan both Linux and Windows images. However, because Docker defaults to not pushing foreign image layers for Windows images, MSR does not scan those layers. If you want MSR to scan your Windows images, configure Docker to always push image layers, and it will scan the non-foreign layers.