Disabling scans on Docker containers

Available from 9.2.5. By default, BigFix Inventory scans all Docker containers that are deployed on computers where the BigFix client is installed. If you do not want to scan the containers but still want to monitor the host computer, change the value of the DOCKER_SCAN parameter on the host computer.

About this task

You can disable software discovery on all containers that are deployed on a host computer. You cannot disable it on a subset of containers only.

Procedure

  1. Log in to the BigFix console, and click Computers.
  2. Select the host computer on which Docker containers are deployed, and click Edit Settings.
  3. Click Add. Specify DOCKER_SCAN as the setting name, and false as the setting value. Then, click OK.

    Setting the DOCKER_SCAN parameter.

Results

Docker containers are no longer scanned. Scan results remain in the <BES Client>/LMT/CIT/docker/containers directory on the host computer, but that directory is added to the list of excluded directories, so the results are not transferred to BigFix Inventory.
Important: The Docker file system directory /var/lib/docker might contain copies of software ID tags. When the Docker scan is enabled, that directory is excluded from scanning to avoid duplicate software discovery. When you disable the Docker scan, the directory is included in regular scans again.

If you want to re-enable the scans of Docker containers, change the value of the DOCKER_SCAN parameter to true.
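The same DOCKER_SCAN setting can be applied and audited without the console dialog. The following is an added example, not taken from the BigFix Inventory documentation: a relevance expression for an analysis property that reports each endpoint's current value (so hosts with container scanning disabled show up as an inventory coverage gap), and an ActionScript that sets the value as the Procedure does. It assumes a standard BigFix client; the property name is a placeholder.

```text
// Analysis property (relevance), e.g. "Docker scan state":
// reports the setting value, or "not set" when the client has no DOCKER_SCAN setting,
// which means the default (containers are scanned) applies.
if exists setting "DOCKER_SCAN" of client then value of setting "DOCKER_SCAN" of client else "not set"

// Action (ActionScript): disable container scanning on the targeted host,
// equivalent to Procedure step 3 (setting name DOCKER_SCAN, value false).
setting "DOCKER_SCAN"="false" on "{parameter "action issue date" of action}" for client

// Action (ActionScript): re-enable container scanning.
setting "DOCKER_SCAN"="true" on "{parameter "action issue date" of action}" for client
```

Target the disable action only at hosts that must not have their containers scanned, and review the property regularly, since a host reporting "false" also has /var/lib/docker back in its regular scans as described under Results.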