`vulkro container`

Trivy-lite - scan a built container image's installed packages against the local CVE bundle. Supports apk + deb (rpm coming soon).

Usage

vulkro container <IMAGE> [--format FMT] [--save]

Arguments

Argument	Description
`IMAGE`	Either a Docker reference (e.g. `alpine:3.19`) or a path to a `.tar` produced by `docker save`.

Flags

Flag	Description	Default
`--format <FMT>`	Same format set as `vulkro scan`.	`table`
`--save`	Persist the scan to history. Off by default - container scans are usually one-shot CI checks.	(false)

How it works

When given a Docker reference, Vulkro shells out to the local docker save to materialise the image as a tar, then walks the layers for installed package metadata:

/lib/apk/db/installed for Alpine (apk).
/var/lib/dpkg/status for Debian / Ubuntu (deb).

Packages are matched against the CVE bundle the same way vulkro scan matches package.json / requirements.txt / Cargo.lock. KEV / EPSS decoration applies.

Air-gap

If docker is missing, pre-save the tar elsewhere:

docker save alpine:3.19 -o alpine.tar
vulkro container ./alpine.tar

Usage​

Arguments​

Flags​

How it works​

Air-gap​

Related​

Usage

Arguments

Flags

How it works

Air-gap

Related