Docker / OCI
Introduction
JFrog Xray provides security and compliance analysis for Docker and OCI container images throughout the software development lifecycle. This page describes the supported scan contexts, capabilities, and analysis available for containers, split by scanning context.
Binary Scanning
Binary scanning analyzes container images stored in Artifactory Docker/OCI repositories. Xray unpacks image layers and scans all OS packages and application dependencies found within the image.
Supported Package Formats
| Container Format | Supported |
|---|---|
| Docker | ✅ |
| OCI | ✅ |
| Chainguard Images | ✅ |
What Gets Scanned Inside Containers
When scanning a container image, Xray identifies and analyzes:
- OS packages: Debian (dpkg), RPM, Alpine (apk)
- Application dependencies: npm, PyPI, Maven, Go, NuGet, etc.
- ML Models: HuggingFace ML and generic model formats
- Nested archives: Scans archives within image layers
Additional Information
- Container image scanning is binary-only – images must be pushed to Artifactory to be scanned
- Xray recursively unpacks image layers and scans all embedded packages
- Both Docker and OCI image formats are fully supported
- Multi-architecture images are supported
Updated 14 days ago