Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Container scanning overview
What is Invicti Container Security?
Invicti Container Security (CS) inspects container images for vulnerabilities, misconfigurations, exposed secrets, and license risks. By scanning images in container registries and Kubernetes clusters, it helps teams identify and remediate security issues before containers are deployed to production.
For Invicti AppSec Core, Invicti CS is pre-activated and ready to use. No manual setup or integration is required.
How it works
Invicti CS analyzes the contents of container images to build a complete inventory of their components. The scanning process includes:
- OS package analysis: identifies vulnerabilities in operating system packages installed in the image.
- Dependency scanning: detects known vulnerabilities in application-level libraries and dependencies within the container.
- Secrets detection: finds credentials, API keys, and other sensitive data embedded in container images.
- Configuration checks: flags insecure configurations such as containers running as root, missing resource limits, or missing health checks.
- SBOM generation: produces Software Bills of Materials in CycloneDX and SPDX formats for container images.
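To make the configuration checks concrete, here is an added example (not Invicti's code) that flags the misconfigurations listed above (running as root, elevated privileges, missing resource limits, missing health checks) in a Kubernetes Pod manifest, and shows a weak manifest beside its corrected form. The manifests, container names and image tags are constructed samples.

```python
# Added example, not part of the Invicti product: a minimal checker for the
# container misconfigurations described on this page, run over a Pod spec.
# Manifests are constructed inline as dicts; a real tool would parse YAML.

def check_pod(pod: dict) -> list[str]:
    """Return one finding string per misconfiguration found in the Pod's containers."""
    findings = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext overrides the Pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        # Running as root: runAsNonRoot not set and UID defaults to (or is) 0.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: container may run as root")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: missing CPU/memory limits")
        if "livenessProbe" not in c or "readinessProbe" not in c:
            findings.append(f"{name}: missing health checks")
    return findings

# Constructed weak manifest: none of the checked settings are present.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]},
}

# Constructed hardened manifest: the same Pod with each setting corrected.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or ["no findings"])
```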
What it can discover
Invicti CS detects risks across the following categories:
| Category | Examples |
|---|---|
| Vulnerable OS packages | Outdated or known-vulnerable packages within the container image |
| Application dependency vulnerabilities | CVEs in libraries and frameworks bundled in the image |
| Exposed secrets | Hardcoded credentials, API keys, tokens, and certificates |
| Misconfigurations | Containers running as root, missing resource limits, elevated privileges |
| License risks | Open source license issues within container components |
| Outdated base images | Base images that are no longer maintained or missing critical security patches |
Runtime correlation
Invicti links container-level findings with exploitability data from DAST and IAST scans. This correlation helps teams understand which container vulnerabilities are actually exploitable in running applications, enabling better prioritization.
Invicti CS editions
Invicti AppSec supports two editions of container scanning:
| Edition | Package | Activation |
|---|---|---|
| Invicti CS | AppSec Core | Pre-activated, no setup required |
| Third-party CS tools | AppSec Enterprise | Requires manual activation under Integrations |
For AppSec Enterprise, supported third-party container scanning tools include Trivy, Grype, Qualys CS, and others. See Third-party scanners overview for the full list.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.