Scanning containers for vulnerabilities with OpenSCAP and Podman

Containers are no more secure than physical machines. Find out how to scan your containers for vulnerabilities with the oscap-podman utility, available in Red Hat Enterprise Linux (RHEL) 8.2.

One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.

It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.