Security scan process

Scans run on demand when you initiate them in the MSR web UI or automatically when you push an image to the registry.

Scanning process

MSR image scanning occurs in a service known as the dtr-jobrunner container. To scan an image, MSR:

  1. Extracts a copy of the image layers from the backend storage.

  2. Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

  3. Executes the scanner against the files in this working directory, collecting the scanning data.

  4. Removes the working directory for the layer once the scanning data has been collected.

Binary scan

The scanner first performs a binary scan on each layer of the image, identifies the software components in each layer, and indexes the SHA of each component in a bill-of-materials. A binary scan evaluates the components on a bit-by-bit level, so vulnerable components are discovered even if they are statically linked or use a different name.

The scan then compares the SHA of each component against the copy of the US National Vulnerability Database installed on your MSR instance. Whenever this database is updated, MSR re-checks whether the indexed components have newly disclosed vulnerabilities.
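The content-hash comparison described above can be illustrated with a small added Python example; it is not MSR's own code. It indexes every regular file in an extracted layer directory by the SHA-256 of its bytes, then matches those digests against a constructed in-memory vulnerability index standing in for the installed NVD snapshot (the component bytes and advisory id are placeholders, not real data). Because matching keys on content rather than file name, the same vulnerable bytes are flagged under a renamed path as well, and the working directory is removed afterwards as in step 4.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Digest used as the component identity in the bill-of-materials."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the vulnerability database: digest -> advisory id.
# Both the component bytes and the advisory id are placeholders.
VULN_BLOB = b"libexample-1.0.0: vulnerable build\x00"
VULN_INDEX = {sha256_bytes(VULN_BLOB): "ADVISORY-PLACEHOLDER-0001"}


def build_bom(layer_dir: Path) -> dict:
    """Walk the extracted layer and index each regular file by content hash.
    Keys are paths relative to the layer root; values are SHA-256 digests."""
    bom = {}
    for path in sorted(layer_dir.rglob("*")):
        if path.is_file() and not path.is_symlink():
            bom[str(path.relative_to(layer_dir))] = sha256_bytes(path.read_bytes())
    return bom


def match_vulnerabilities(bom: dict, index: dict) -> dict:
    """Compare each component digest against the index; file names play no part."""
    return {rel: index[digest] for rel, digest in bom.items() if digest in index}


def scan_layer(layer_dir: Path, index: dict = VULN_INDEX) -> dict:
    return match_vulnerabilities(build_bom(layer_dir), index)


def demo() -> dict:
    """Constructed layer: the vulnerable bytes under their usual name, the same
    bytes under a different name, and one clean file."""
    with tempfile.TemporaryDirectory() as work:  # the per-layer working directory
        layer = Path(work)
        (layer / "usr/lib").mkdir(parents=True)
        (layer / "usr/lib/libexample.so.1").write_bytes(VULN_BLOB)
        (layer / "opt/app").mkdir(parents=True)
        (layer / "opt/app/renamed-helper.bin").write_bytes(VULN_BLOB)
        (layer / "opt/app/README").write_bytes(b"clean\n")
        findings = scan_layer(layer)
    # Leaving the context removes the working directory, as in step 4 above.
    return findings


if __name__ == "__main__":
    for rel_path, advisory in demo().items():
        print(f"{rel_path}: {advisory}")
```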

Layers excluded from scanning

MSR can scan both Linux and Windows images. However, because Docker by default does not push foreign image layers for Windows images, MSR does not scan those layers. If you want MSR to scan your Windows images, configure Docker to always push image layers; MSR will then scan the non-foreign layers.