Skip to main content

Container Image Scanning

How Intruder scans your container images for known vulnerabilities, how to add container image targets, and what registries are supported.

Written by Joe Haigh
Updated today

This article assumes you have your cloud integration already established. If you don't, you can add them by following the relevant guide:
AWS integration (connected registry: AWS ECR)
GCP integration (connected registry: GCP Artefact Registry)
Azure integration (connected registry: Azure Container Registry)

What is container image scanning?

Container image scanning helps you detect vulnerabilities in your Docker images before and after deployment. Instead of scanning every version of every image you've ever built, Intruder lets you focus on what matters: the images you're actually running in production, staging, or other environments.

This guide will walk you through adding your first container image target and explain how tag rules work to keep your scanning focused and efficient.

Adding your first image target

Step 1: Navigate to discovery

  • Go to Discovery

  • In the Target Recon section, click Container images

Step 2: Find your image

  • You'll see a list of all container images discovered across your connected cloud integrations (AWS ECR, GCP Artifact Registry, Azure Container Registry).

The table shows:

  1. Image name: The name of the image within your registry

  2. Account name: The cloud account name where your image is stored

  3. Registry name: The full registry URL where the images are hosted

  4. Tag name : Tag identifier used to specify a particular version of the image

  5. Last pushed timestamp: When this image was last pushed to the registry

  6. Added target: A combination of the image and tag that has been added as a target

  7. Cloud account: The cloud account where this image is stored

Step 3: Add a target

  • Find the image you want to scan in the list

  • Click the Add Target button for that image

  • In the modal that appears, enter one or more tag rules (see "Understanding tag rules" below)

  • Click Add Target and Start Scan

What happens next:

  • A new target is created with the format imagename:tagrule

  • The scan begins immediately

Once added, the container image target will appear on your Targets page, and Intruder will begin scanning it automatically (and enrol it in daily scans moving forward).

You can view the scan on the Scans Page:

Understanding tags

Tag rules let you specify which container image versions to scan by matching tag patterns.

Why tag rules matter

Container images are immutable—when you update your code, you build a new version of the image rather than modifying the existing one. A single image like webapp might have hundreds of versions:

  • webapp:production-abc123

  • webapp:production-xyz789

  • webapp:staging-def456

  • webapp:dev-feature-x

  • webapp:v1.0.0

  • webapp:v1.0.1

  • ... and so on

You don't want to scan all of them. You want to scan the versions that are actually deployed or about to be deployed.

Tag rules solve this by letting you say: "Only scan images with tags matching this pattern."

The core concept

When you create a target for container image scanning, you specify:

  1. Image name (e.g., webapp, api-service)

  2. Tag rule (e.g., production*, latest, v*)

Each combination of image + tag rule becomes one target and consumes one license. For example:

  • Target + rule 1: webapp:production* → 1 license

  • Target + rule 2: webapp:v* → 1 license

  • Target + rule 3: api-service:latest → 1 license

Total: 3 targets, 3 licenses

Tag Rule types

🏷️ Exact Match

Match a single, specific tag. Eg: latest

  • Scans only images tagged exactly as latest

  • When you push a new image with the latest tag, we scan that new version

Use when: You have a single tag that always points to your deployed version

🏷️ Wildcard Pattern

Match multiple tags using the * symbol, which matches one or more characters. You can place wildcards anywhere: start, middle, end, or multiple positions. Pattern examples:

  • Single wildcard at the end:

    • Pattern: production-*

    • Matches: production-v1, production-latest, production-abc123

  • Single wildcard at the beginning:

    • Pattern: *-stable

    • Matches: v1-stable, release-stable, 2026-stable

  • Two wildcards (beginning and end):

    • Pattern: *-release-*

    • Matches: v1-release-candidate, staging-release-2026, app-release-final

  • Two wildcards (middle positions):

    • Pattern: app-*-prod-*

    • Matches: app-web-prod-v1, app-api-prod-latest, app-service-prod-2024

Use when: You use a consistent naming convention.

Which tag gets scanned?

When a tag rule matches multiple tags, we scan the most recently pushed tag.

What happens when you push new images

We check every 5 minutes to see if your configured tag now points to a new image version and if it does, we kick off a new scan.

Managing your targets

Viewing your container image targets

On the Container Images page, you can see:

  • All images discovered across your cloud integrations

  • All tags associated with each image

  • Which images you've added as targets

Filter to show only targets:

  • Use the "Show targets only" filter at the top right of the table

  • This displays only images that have active tag rules configured

Adding additional tag rules to an existing target

If you've already added an image as a target and want to monitor additional tags:

  1. Find the target in the Container Images table (use "Show targets only" filter if helpful)

  2. Click the pencil icon on the target row

  3. Add the new tag rule in the modal

  4. Click Save

What happens:

  • A new target is created with the format imagename:newtagrule

  • An additional license is consumed

  • The new tag begins scanning immediately

Removing tag rules

If you want to stop scanning a specific tag rule:

  1. Find the target you want to remove

  2. Click the delete button on the target row

  3. Confirm deletion

What happens:

  • The target is permanently deleted

  • The license is released after the 30-day lock period elapses

  • All scan history for that target is retained for audit purposes

Important: If an image has multiple tag rules and you delete one, only that specific rule (target) is removed. Other tag rules for the same image continue scanning.

Viewing issues found

Each vulnerability found is reported as an issue in Intruder, with severity ratings, affected package details, and remediation guidance where available.

You can view the issues we found from the container scan in three places:

(1) Issues page:

(2) Target Detail page for the container:

(3) The Scan Details page:

FAQs

What happens if the portal reports "No container images discovered"?

In that case, you just need to hit the Refresh button on the relevant cloud integrations page. For example:

What if I don't see any tags for my image?

If an image shows no tags in the discovery table, you won't be able to add it as a target yet. This typically happens when:

  • The image exists in your registry but has never been tagged

  • Tags haven't synced yet (we refresh every 2 hours with cloud targets)

To fix this:

  1. Go to your container registry (AWS ECR, GCP Artifact Registry, or Azure Container Registry)

  2. Create at least one tag for the image (e.g., production, latest, v1.0)

  3. Wait for the next sync (up to 2 hours) or contact support to trigger a manual refresh

  4. Return to the Discovery page and add the target

Do I need to reconfigure my existing cloud integrations?

If your cloud integration already has the permissions needed for cloud security scanning, container images will be discovered automatically. If you have an older integration with limited permissions, some images might not appear. See the setup guides linked below:

What registries does Intruder support?

Container images are discovered through your connected cloud integrations:

Cloud provider

Registry

AWS

Amazon Elastic Container Registry (ECR)

GCP

Google Container Registry / Artefact Registry

Azure

Azure Container Registry

Note: Support for additional registries (Docker Hub, GitHub Container Registry, GitLab Container Registry) is planned for upcoming releases.

Can I manually trigger a scan?

No - container image targets are scanned automatically (like cloud security scans). Three situations that will trigger a scan:

Event

What happens

Target created

A scan is scheduled immediately after you add a container image target

New image version detected

If the image behind a monitored tag changes (e.g. you re-tag production to a new release), we detect the change and automatically schedule a new scan. We check if your configured tag points to a new version every 5 minutes

Recurring daily monitoring

We ensure each target is scanned at least once every 24 hours to catch newly disclosed CVEs

How long do the scans take?

About 10 mins per image.

What happens if I push a new image version?

We check every 5 minutes to see if your configured tag now points to a new image version. For example:

  1. Initial state: You have target webapp:production-*

  2. Currently scanning: production-19281 (pushed Monday)

  3. Tuesday: You push a new image tagged production-aaabab

  4. Within 5 minutes: We detect the new tag matches your pattern production*

  5. Automatic action: We start scanning production-aaabab

What happens to old scan results?

  • Previous scan of production-19281 stays in your scan history

  • You can view it in the Scans section

What happens to the current target view?

  • The target webapp:production-* now shows results from production-xzy99

  • Issues found in production-19281 that are no longer present in production-xzy99 are marked as fixed

What happens to in-progress scans?

If a scan is already running when we detect a new tag:

  1. The current scan completes

  2. A new scan of the updated version starts immediately after, which you can view on the Scans page.

How does licensing work?

Each tag rule creates one target and consumes one infrastructure license.

The number of tags that match your pattern does NOT affect licensing. Whether production* matches 2 tags or 50 tags, it's still one target = one license. Only the most recently pushed tag will be scanned. For example:

Scenario 1: Adding only 1 rule for an image

  • Image: webapp

  • Tag rule: production

  • Matches: 47 tags matching production
    (Only the most recently pushed tag from these 47 will be scanned)

  • Cost: 1 target, 1 license

Scenario 2: Multiple Rules For 1 Image

  • Image: webapp

  • Tag rule 1: production*

    • Matches 50 tags
      (Only the most recently pushed tag from these 50 will be scanned)

  • Tag rule 2: staging*

    • Matches 36 tags
      (Only the most recently pushed tag from these 36 will be scanned)

  • Tag rule 3: v*

    • Matches 600 tags
      (Only the most recently pushed tag from these 600 will be scanned)

  • Cost: 3 targets, 3 licenses


Do container image scans appear in my reports?

Yes - container image vulnerabilities appear as issues in the portal and are included in your reporting.

Can I create multiple targets for the same image?

Yes. You can create multiple targets for the same image with different tag rules. Example Use Case: Separate Production and Staging targets; both targets are the same image: webapp.

Target 1:

  • Image: webapp

  • Tag rule: production*

  • Taget name: webapp:production*

  • Scans: production-19281

  • Use: Monitor your live production environment

Target 2:

  • Image: webapp

  • Tag rule: staging*

  • Target name: webapp:staging*

  • Scans: staging-abc123

  • Use: Catch issues before deploying to production

Licensing: 2 targets = 2 licenses (one for each tag rule)

Why this matters: You can create separate targets for the same image with different tag rules to independently monitor different environments. Deleting the staging-* target won't affect your production-* scans.

Related Articles
Will Intruder's scans damage my systems?
Can Intruder Scan Single-Page Applications?
What is Cloud sync, and how do I use it?
GregAI: Your AI Assistant in Intruder
Did this answer your question?