Container image scanning for software decomposition

  • リリースバージョン: Australia
  • 更新日 2026年03月12日
  • 所要時間:10分

    • The ITOM Visibility apps, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. You can increase your control over container deployment by having visibility to the container components.

    Container image scanning for software decomposition diagram

    Benefits of image scanning

    Scanning your containers gives you visibility into what's inside Kubernetes or Docker containers or OS packages. Scanning images can assist you in multiple ways.
    • It helps you identify software installed in containers for regulatory and compliance use cases.
    • It helps you adhere to company policies like usage of golden images, outdated software, mandatory labels, or configuration policies​.
    • It also helps you manage licensed software running in containers​.
    • You can also get the service context​ by using tags, and service mesh to understand their impact on your organization.

    Image scanning use cases with ITOM Visibility

    You can use two ITOM Visibility apps to scan container images, Discovery and Service Mapping Patterns and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.

    Use case # 1
    Once an application has been packaged up in container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This is specifically for Containerized MSSQL Server.
    表 : 1. Visibility methods for use case # 1
    Visibility methods Method characteristics What's discovered
    Discovery and Service Mapping Patterns and Aqua Trivy:
    • Best suited for self hosted or cloud Kubernetes deployments with access to bearer tokens and credentials.
    • Supports public and self-hosted repository image scanning.
    • Pattern-based discovery without Cloud discovery:
      • Uses a bearer token.
      • Manually created Kubernetes discovery schedule per cluster.
    • Pattern-based discovery with Cloud discovery:
      • No bearer token required.
      • Uses cloud credentials.
      • Automatic creation of Kubernetes discovery schedule.
    • For more information on scanning images using Aqua Trivy, see Scan container images.

    Discovered using Discovery and Service Mapping Patterns:

    • Kubernetes clusters
    • Kubernetes Services
    • Kubernetes topology
    • Docker containers and images
    • Kubernetes deployment including OpenShift
    • Namespace
    • Labels and tags
    • Software in containers
    • Account region details can only be discovered by Cloud Discovery
    • Docker Pattern collects data about specific objects in a Docker engine, running on a Linux host
    For more information, see:
    Kubernetes Visibility Agent and Aqua Trivy:
    • Best suited for deployment by cloud native app teams.
    • Optional ability to monitor Kubernetes with AIOps.
    • For cloud environments, only AWS ECR (Public and Private) is supported.

    Kubernetes Visibility Agent -based discovery doesn't require credential set up, and no need for MID Server. Access is through ServiceAccount/ClusterRole. The installation is via Helm Chart or Kubernetes YAML file. The discovery is run near real-time.

    Use Kubernetes Explorer to download SBOM.

    Discovered using Kubernetes Visibility Agent

    • Kubernetes Namespaces
    • Nodes and Pods
    • Deployments
    • Statefulsets
    • Daemonsets
    • Replicasets
    • Jobs
    • Cronjobs
    • Services
    • Docker container
    • Docker image
    • Container repository
    • Account region details can only be discovered by Cloud Discovery
    Use case #2
    A compliance officer can generate an  SBOM  to obtain a detailed list of the dependencies of the container image and to ensure that the software complies with industry regulations.
    表 : 2. Visibility methods for use case #2
    Visibility method Method characteristics
    Kubernetes pattern or Docker pattern SBOM creation is part of the container scanning.
    Kubernetes Visibility Agent SBOM creation is also a part of the container scanning, but using ACC is best suited for organizations that need flexibility to perform both full and continues discovery.
    Use case #3

    An engineer found a defect in a custom-built image and needs to find all Kubernetes pods that are running using that image.

    表 : 3. Visibility methods for use case #3
    Visibility method Method characteristics What's discovered
    Kubernetes pattern Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns.
    • Kubernetes Clusters
    • Kubernetes Containers
    • Kubernetes Services
    • Labels
    • Pods
    • Images
    • Tags
    Kubernetes pattern with Cloud discovery Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. All the of the above and account or region details
    Use case #4
    An engineer finds a defect in a custom-built image and needs to find all Docker containers (non Kubernetes) that are running using that image.
    Visibility method Method characteristics What's discovered
    Horizontal Discovery of VM running Docker (Docker pattern) Aqua Trivy container scanning isn’t required. You can identify the pods using Patterns. See: Docker virtualization

    Image scanning with Discovery and Service Mapping Patterns

    Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs to discover container images and OS packages at fixed intervals of 10 images per minute. During the scan, the pattern indicates the scanning status. The pattern discovers OS packages that are related to an image. Then, it finds the image command attributes like the CI class. Based on the command attributes the pattern creates application records. In addition, the pattern uses enriched scripts to add details to the application records. After that, the pattern maps the relations between the OS packages and the containers.

    Part of the data is populated in CMDB tables and part of it in transformation tables (non-CMDB temporary tables). The transformation tables are installed with the pattern. For example, the information you get by scanning includes origin registry, software name, and version.