Linux distributions

The following Linux distributions are supported for hosts and containers scans:

Operating SystemSupported VersionsPackage ManagersSecurity Advisories
Alpine Linux2.2-2.7, 3.0-3.19 (edge is not supported)apkhttps://secdb.alpinelinux.org/
Wolfi LinuxN/Aapkhttps://packages.wolfi.dev/os/security.json
ChainguardN/Aapkhttps://packages.cgr.dev/chainguard/security.json
Red Hat Enterprise Linux6, 7, 8dnf/yum/rpmhttps://www.redhat.com/security/data/metrics/ and https://www.redhat.com/security/data/oval/v2/
CentOS6, 7, 8dnf/yum/rpmhttps://www.redhat.com/security/data/metrics/ and https://www.redhat.com/security/data/oval/v2/
AlmaLinux8, 9dnf/yum/rpmhttps://errata.almalinux.org/
Rocky Linux8, 9dnf/yum/rpmhttps://download.rockylinux.org/pub/rocky/
Oracle Linux5, 6, 7, 8dnf/yum/rpmhttps://linux.oracle.com/security/oval/
CBL-Mariner1.0, 2.0dnf/yum/rpmhttps://github.com/microsoft/CBL-MarinerVulnerabilityData/
Amazon Linux1, 2, 2023dnf/yum/rpmhttps://alas.aws.amazon.com/
openSUSE Leap42, 15zypper/rpmhttp://ftp.suse.com/pub/projects/security/cvrf/
SUSE Linux Enterprise11, 12, 15zypper/rpmhttp://ftp.suse.com/pub/projects/security/cvrf/
Photon OS1.0, 2.0, 3.0, 4.0tdnf/yum/rpmhttps://packages.vmware.com/photon/photon_cve_metadata/
Debian GNU/Linux7, 8, 9, 10, 11, 12 (unstable/sid is not supported)apt/dpkghttps://security-tracker.debian.org/tracker/ and https://www.debian.org/security/oval/
UbuntuAll versions supported by Canonicalapt/dpkghttps://ubuntu.com/security/cve

Software Composition Analysis

The following languages are supported for Software Composition Analysis scans on containers and Lambda instances:

LanguageSupported Package ManagerSupported Files
RubybundlerGemfile.lock, gemspec
.NETnugetpackages.lock.json, packages.config, .deps.json, *packages.props
GomodBinaries built by Go, go.mod
JavaGradle, Mavenpom.xml, *gradle.lockfile, JAR/WAR/PAR/EAR (with pom.properties)
Node.jsnpm, pnpm, yarnpackage-lock.json, yarn.lock, pnpm-lock.yaml, package.json
PHPcomposercomposer.lock
Pythonpip, poetrypipfile.lock, poetry.lock, egg package, wheel package, conda package

Container runtimes

The following container runtimes are supported:

  • containerd: v1.5.6 or later
  • Docker

Note for container observations: Agentless Scanning requires uncompressed container image layers. As a workaround, you can set the configuration option discard_unpacked_layers=false in the containerd configuration file.

PREVIEWING: safchain/fix-custom-agent