Configuring scans on Docker containers

Available from 9.2.5. Discovery of software that is installed in Docker or Podman containers is enabled by default. In some environments, you might need to perform additional steps to specify a non-default installation path, or to exclude directories from scanning.

For information about requirements and how software that is installed in containers is reported in BigFix Inventory, refer to Discovering software in Docker containers.
Specifying a non-default installation path for engine
If Docker or Podman is installed in a non-default path, add this path as a setting of the BigFix client so that the software can be discovered.
  1. Check the engine installation.
    1. To check whether Docker is installed in the default installation path, run the following command.
      $ docker version

      If the command prints a Docker version, Docker is installed in the default installation path. Any other outcome indicates that Docker is installed in a non-default path.

    2. To check whether Podman is installed in the default installation path and that the docker command is correctly redirected to the podman command, run the following command.
      $ docker version
      Note: The command intentionally refers to the docker command instead of directly to the podman command to verify that the redirection is configured correctly.

      If the command prints a Podman version, Podman is installed in the default installation path and the docker command is correctly redirected to podman. Any other outcome indicates that Podman is installed in a non-default path or that the docker command is not correctly redirected.

  2. Log in to the BigFix console, and click Computer Management > Computers.
  3. Right-click the computer on which Docker or Podman is installed, and click Edit Computer Settings.
  4. Add a computer setting. Specify the name as DOCKER_EXEC, and provide an absolute path as the value, for example /usr/bin/docker or /usr/bin/podman.
Specifying additional command options
By default, the scan runs the docker command without any options. If you want to use additional options provided by Docker or Podman, for example -H (daemon socket to connect to), add these options as a new setting of the BigFix client. Enter all options in one setting.
  1. Log in to the BigFix console, and click Computer Management > Computers.
  2. Right-click the computer on which Docker or Podman is installed, and click Edit Computer Settings.
  3. Add a computer setting. Specify the name as DOCKER_OPTS, and provide options as the value, for example -H unix:///var/run/docker.sock.
Excluding directories from scans
The default Docker file system directory /var/lib/docker and the default Podman file system directory /var/lib/containers are excluded from scanning. If you change the engine file system directory to a custom directory, you must exclude that directory from scanning manually, because scanning it might otherwise produce duplicate discoveries. For more information, see: Excluding directories.
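Helper shell functions for the engine checks in the procedures above (classifying the output of docker version and deriving an absolute path for the DOCKER_EXEC setting) and for the exclusion rule in this section, added here as an example rather than code from BigFix Inventory or the Docker and Podman projects. The function names are assumed; DOCKER_EXEC is the setting name from this page, and the data-root commands are the engines' own docker info / podman info invocations.

```sh
#!/bin/sh
# Added example, not part of BigFix Inventory or of Docker/Podman.
# Helpers for the checks on this page: classify what `docker version`
# printed (step 1), derive a value for the DOCKER_EXEC setting (step 4),
# and decide whether a custom engine data directory must be excluded.

# Classify the captured output of `docker version`: "docker", "podman"
# (the docker command is redirected to Podman) or "none" (no engine answered).
classify_engine_output() {
    case "$1" in
        *Podman*Version:*|*Version:*Podman*) echo podman ;;
        *Docker*Version:*|*Version:*Docker*) echo docker ;;
        *) echo none ;;
    esac
}

# Absolute path for DOCKER_EXEC: resolve the command on PATH and follow a
# docker -> podman symlink so the setting points at the real binary
# (assumes a readlink that supports -f, as on Linux).
engine_exec_path() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    readlink -f "$p"
}

# DOCKER_EXEC must be an absolute path to an existing executable.
valid_docker_exec() {
    case "$1" in /*) [ -x "$1" ] ;; *) return 1 ;; esac
}

# Print the directory to add to the scan exclusions when the engine's data
# root is not the default (/var/lib/docker or /var/lib/containers); print
# nothing when the default is in use. Obtain the root with
#   docker info --format '{{.DockerRootDir}}'   or
#   podman info --format '{{.Store.GraphRoot}}'
extra_exclusion_dir() {
    case "$1" in
        docker) default=/var/lib/docker ;;
        podman) default=/var/lib/containers ;;
        *) return 1 ;;
    esac
    case "$2" in
        "$default"|"$default"/*) return 0 ;;   # default root: nothing extra to exclude
        *) echo "$2" ;;
    esac
}
```

On a host, call classify_engine_output "$(docker version 2>&1)" for the step 1 check and engine_exec_path docker for the DOCKER_EXEC value; pass the engine name and its reported data root to extra_exclusion_dir to see whether an exclusion is needed.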