The endorctl container command allows you to scan container images, instrument them for reachability analysis, collect data from deployment environments, and perform registry operations.

Usage

The syntax of the endorctl container command is:
endorctl container [command] [flags]
The following subcommands are supported:
  • scan: Scans a container image for vulnerabilities and security risks.
  • instrument: Instruments a container image with the dynamic profiling sensor.
  • collect: Collects data from the target deployment environment.
Use the endorctl container scan command instead of the deprecated endorctl scan --container command. See Container scan commands migration guide for more information.

Run the endorctl scan

Endor Labs supports the following methods of scanning container images:

Scan container images in a Git repository

Run the following command to scan a container image built in a specific repository. Specify the project path using the --path argument and the container image name using the --image argument. This associates the container with the Git repository and branch of the project.
endorctl container scan --image=<image_name:tag> --path=users/janedoe/endorlabs/npm/exampleproject
You can also scan multiple container images as part of a single repository.
endorctl container scan --image=<image_name1:tag> --path=users/janedoe/endorlabs/npm/exampleproject
endorctl container scan --image=<image_name2:tag> --path=users/janedoe/endorlabs/npm/exampleproject
endorctl container scan --image=<image_name3:tag> --path=users/janedoe/endorlabs/npm/exampleproject
You can tag findings with the corresponding container image name and tag. This lets you filter container-related findings in the user interface or through the API.
endorctl container scan --image=<image_name:tag> --path=users/janedoe/endorlabs/npm/exampleproject --finding-tags=<image_name:tag>

Scan container images as a standalone project

Run the following command to scan a container image from a registry. Specify the project name using the --project-name argument, and the container image name and tag using the --image argument.
endorctl container scan --image=<image_name:tag> --project-name=<endor_project_name>
To keep multiple versions of a container image in a container-only project, include the --as-ref flag.
endorctl container scan --image=<image_name:tag> --project-name=<endor_project_name> --as-ref
You can tag findings with the corresponding container image name and tag. This lets you filter container-related findings in the user interface or through the API.
endorctl container scan --project-name=<endor_project_name> --image=<image_name:tag> --as-ref --finding-tags=<image_name:tag>
Important
To associate a container scan with an existing SCA scan for a project, you must use the --path argument specifying the same project path used for the SCA scan. You cannot associate a container scan with an SCA scan for a project using the --project-name parameter.

Scan container image tarball

You can save a container image as a tarball and scan it with endorctl to generate a report containing dependencies, SBOM details, and security findings.
  1. Ensure that you have the container image available locally.
    docker pull alpine:latest
    
  2. Export the image to a tarball file.
    docker save alpine:latest -o alpine-latest.tar
    
  3. Perform the endorctl scan.
    endorctl container scan --image=alpine:latest --project-name=<endor_project_name> --image-tar=/absolute/path/to/alpine-latest.tar
    
    • --image-tar must point to the absolute path of the tarball file.
    • --image=<name:tag> is optional but recommended. It explicitly identifies the container image inside the tarball.
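The three tarball steps above as one POSIX shell script. This is an added example, not part of the Endor Labs documentation or endorctl itself; it assumes docker and endorctl are on PATH and that the tarball naming convention (registry separators replaced by dashes) is our own choice. It exists mainly to enforce the absolute-path requirement for --image-tar before endorctl is ever invoked.

```shell
#!/bin/sh
# Added example (not from the Endor Labs docs): wraps docker pull, docker save
# and endorctl container scan --image-tar. endorctl requires --image-tar to be
# an absolute path, so the helper resolves whatever path the caller passes and
# fails early if the tarball is missing.
set -eu

# Derive a tarball filename from an image reference (our convention, not
# endorctl's): alpine:latest -> alpine-latest.tar
tarball_name_for() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '--')"
}

# Print the absolute path of an existing tarball; return 1 if it does not exist.
resolve_tarball_path() {
  tar_path=$1
  [ -f "$tar_path" ] || { echo "tarball not found: $tar_path" >&2; return 1; }
  case $tar_path in
    /*) printf '%s\n' "$tar_path" ;;
    *)  printf '%s/%s\n' "$(cd "$(dirname "$tar_path")" && pwd)" \
                         "$(basename "$tar_path")" ;;
  esac
}

# Full workflow from the page: pull, save, resolve the path, scan.
# <endor_project_name> is supplied by the caller as the second argument.
scan_image_tarball() {
  image=$1
  project=$2
  tar_file=$(tarball_name_for "$image")
  docker pull "$image"
  docker save "$image" -o "$tar_file"
  tar_abs=$(resolve_tarball_path "$tar_file")
  endorctl container scan --image="$image" --project-name="$project" \
    --image-tar="$tar_abs"
}

# Only run the workflow when invoked with <image:tag> <endor_project_name>.
if [ "$#" -eq 2 ]; then
  scan_image_tarball "$1" "$2"
fi
```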

Options

The following flags are supported for the endorctl container scan command.

Instrumented container reachability

Instrumented container reachability records which OS packages are used at runtime through a sensor in your image. Use endorctl container instrument to create the instrumented image. See Instrumented container reachability for more information. The following flags are supported for the endorctl container instrument command.

Collect container profiling data

The endorctl container collect command collects data from the target deployment environment, including profiling data from instrumented containers. See Instrumented container reachability for the full workflow. The following flags are supported for the endorctl container collect command:

Container registry scanning

A container registry is a centralized service that stores and distributes your container images. Endor Labs lets you scan images directly from your registry, giving you full visibility into the security posture of your containerized workloads at scale. Use the endorctl container registry commands to list and scan images stored in your registry.
  • List images from a registry: Use endorctl container registry list to preview which images match your filters before scanning. This lets you verify the scope and adjust filtering parameters such as --include, --exclude, --recent, and --limit. You can also save the results as a scan plan for the scan step.
  • Scan images from a registry: Use endorctl container registry scan to enumerate and scan container images from a registry in a single step. You can also provide a saved scan plan from the list command instead of enumerating the registry again.
Prerequisites for AWS ECR and Azure ACR registry scans
Install and configure the AWS CLI (for AWS ECR) or the Azure CLI (for Azure ACR). endorctl uses the corresponding CLI to authenticate to and enumerate that container registry.

List command

The list command connects to your registry, enumerates container images based on your configured filters, and prints a summary with a table of image paths. You can also save the results as a scan plan to reuse with the scan command.
endorctl container registry list --registry-type=<type> [options]
You can apply filters such as include, exclude, recent, and limit to narrow down the images returned. If you provide a namespace and API credentials, the saved plan automatically excludes already scanned images, so it is ready to scan only new or updated images. Filters are applied in the following order:
  1. include
  2. exclude
  3. recent
  4. limit
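A simulation of that filter order on a constructed registry listing, added here as an example and not taken from endorctl or its documentation. It assumes, for illustration only, that include and exclude are extended regular expressions matched against the image path, that recent keeps the N most recently pushed images, and that the listing is ordered newest first; the point it demonstrates is that limit is applied to the already filtered set, so a limit of 2 with an include pattern yields two matching images rather than the two newest images minus non-matches.

```shell
#!/bin/sh
# Added example (not from the Endor Labs docs). Applies the documented order
# include -> exclude -> recent -> limit to a constructed listing. The pattern
# semantics and the "newest first" ordering are assumptions for illustration.
set -eu

# Constructed listing: "<image path> <push date YYYY-MM-DD>"
REGISTRY_LISTING='registry.example.com/payments/api:1.4 2024-05-01
registry.example.com/payments/api:1.3 2024-03-10
registry.example.com/payments/worker:2.0 2024-04-20
registry.example.com/payments/worker-debug:2.0 2024-04-21
registry.example.com/frontend/web:7.1 2024-05-02
registry.example.com/frontend/web:7.0 2024-01-15'

# apply_filters INCLUDE EXCLUDE RECENT LIMIT -> image paths, one per line.
# Empty INCLUDE/EXCLUDE means "no filter"; 0 for RECENT/LIMIT means unbounded.
apply_filters() {
  include=$1; exclude=$2; recent=$3; limit=$4
  printf '%s\n' "$REGISTRY_LISTING" \
    | { if [ -n "$include" ]; then grep -E -- "$include"; else cat; fi; } \
    | { if [ -n "$exclude" ]; then grep -E -v -- "$exclude"; else cat; fi; } \
    | sort -k2,2r \
    | { if [ "$recent" -gt 0 ]; then head -n "$recent"; else cat; fi; } \
    | { if [ "$limit" -gt 0 ]; then head -n "$limit"; else cat; fi; } \
    | cut -d' ' -f1
}

# Counter-example: what a user might expect if limit ran BEFORE include.
# limit_first INCLUDE LIMIT -> takes the newest LIMIT images, then filters.
limit_first() {
  include=$1; limit=$2
  printf '%s\n' "$REGISTRY_LISTING" | sort -k2,2r | head -n "$limit" \
    | grep -E -- "$include" | cut -d' ' -f1
}

# Usage: ./filters.sh <include> <exclude> <recent> <limit>
if [ "$#" -eq 4 ]; then
  apply_filters "$1" "$2" "$3" "$4"
fi
```

With --include=frontend --limit=2 the documented order returns both frontend images, whereas limiting first would return only web:7.1 because api:1.4 is newer than web:7.0.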
You can use the endorctl container registry list command with the following flags.

Scan command

The scan command runs Endor Labs container scans on a set of images. You can pass a saved scan plan from the list command or enumerate the registry with the same filter flags as list. The command pulls each image if needed, runs the scan, and by default removes pulled images after scanning. The --namespace flag and API credentials are required. Images that are already scanned are automatically skipped.
  • Scan using a saved scan plan:
    endorctl container registry scan --namespace=<namespace> --scan-plan=<path> [options]
    
  • Scan using a registry type. When you do not use --scan-plan, pass --registry-type.
    endorctl container registry scan --namespace=<namespace> --registry-type=<type> [options]
    
You can use the endorctl container registry scan command with the following flags.