openshift-docs/modules/security-container-content-scanning.adoc

// Module included in the following assemblies:
//
// * security/container_security/security-container-content.adoc

:_mod-docs-content-type: CONCEPT
[id="security-container-content-scanning_{context}"]
= Security scanning in {op-system-base}

For {op-system-base-full} systems, OpenSCAP scanning is available
from the `openscap-utils` package. In {op-system-base}, you can use the `openscap-podman`
command to scan images for vulnerabilities. See
link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening[Scanning containers and container images for vulnerabilities] in the Red Hat Enterprise Linux documentation.

{product-title} enables you to leverage {op-system-base} scanners with your CI/CD process.
For example, you can integrate static code analysis tools that test for security
flaws in your source code and software composition analysis tools that identify
open source libraries to provide metadata on those libraries such as
known vulnerabilities.

[id="quay-security-scan_{context}"]
== Scanning OpenShift images

For the container images that are running in {product-title}
and are pulled from {quay} registries, you can use an Operator to list the
vulnerabilities of those images. The
link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup[{rhq-cso}]
can be added to {product-title} to provide vulnerability reporting
for images added to selected namespaces.

Container image scanning for {quay} is performed by the
link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/vulnerability_reporting_with_clair_on_red_hat_quay/index[Clair].
In {quay}, Clair can search for and report vulnerabilities in
images built from {op-system-base}, CentOS, Oracle, Alpine, Debian, and Ubuntu
operating system software.