Security Scanning

Zenithal includes built-in vulnerability scanning powered by Trivy and Grype. Scan any local image to detect CVEs across all layers, then remediate vulnerabilities directly in running containers or export Dockerfile fixes — all without leaving the app.

1. Go to Images in the sidebar
2. Select an image
3. Click the Scan button
4. Choose your scanner: Trivy or Grype (must be installed)
5. View the vulnerability report with severity ratings
6. CVE details include links to security advisories

Vulnerabilities are classified by severity:

• Critical - Immediate action required
• High - Should be fixed soon
• Medium - Fix when possible
• Low - Minimal risk
• Negligible - Informational

Each vulnerability shows: CVE ID, CVSS score, affected package, and fix version if available.

Zenithal also flags base image layer warnings when a vulnerability is in a compiled binary rather than a system package — these cannot be fixed by updating packages and require rebuilding the base image.

Zenithal goes beyond detection — you can fix vulnerabilities directly from the scan results:

• Container remediation — Run fix commands directly in a running container. Zenithal auto-detects the container's OS and generates the correct package manager command (apt, apk, yum, dnf, etc.), including cross-distro package name translation (e.g., Debian xz-utils → Alpine xz).
• Dockerfile export — Export a Dockerfile patch that fixes a single CVE or all vulnerabilities at once. Copy the generated RUN commands into your Dockerfile to make fixes permanent.

• Scan images before deploying to production
• Use minimal base images (Alpine, distroless)
• Keep base images updated
• Review and address Critical/High vulnerabilities
• Use Dockerfile export to make container fixes permanent in your build pipeline
• Watch for base image layer warnings — these require rebuilding from a patched base image