
Vulnerability Scanning

dockmesh bundles Grype for CVE scanning. Every image deployed through dockmesh can be scanned for known vulnerabilities without any external service.

Settings → System → Vulnerability Scanner

Toggle the scanner on. dockmesh downloads the Grype vulnerability database on start (~200 MB, refreshed daily).

First scan on a large fleet may take 5-10 minutes as each image is analyzed. Subsequent scans are incremental.

Three scan triggers:

  • On image pull — every newly pulled image is scanned automatically
  • Scheduled — daily/weekly full rescan (catches newly disclosed CVEs against existing images)
  • On demand — click Scan on any image or stack

Each finding shows:

| Field | Example |
| --- | --- |
| CVE ID | CVE-2024-12345 |
| Severity | Critical / High / Medium / Low / Unknown |
| Package | openssl 3.0.8-r0 |
| Fixed in | 3.0.9-r0 (or “not yet”) |
| Image layer | Which layer introduced the vulnerable package |
| Reference | Link to NVD / GitHub Advisory / vendor bulletin |

Aggregate views:

  • By host — CVE count per host
  • By stack — CVE count per stack
  • By severity — how many criticals across the fleet

Three ways to handle a finding:

  1. Update the image — re-pull with a newer tag, redeploy
  2. Suppress a finding — mark as “not exploitable in this context” with a justification, doesn’t count in dashboards but stays auditable
  3. Accept the risk — same as suppress, but logged differently for compliance

All suppress/accept actions require the security.suppress_cve permission and are written to the audit log.

Built-in alert rules (configurable):

  • New critical CVE detected (notify on first discovery)
  • Stack has > N high/critical CVEs
  • Stack has a CVE with known exploit in the wild (Grype flag)

Rules can fire to any configured notification channel.
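To make the per-finding fields, the suppression semantics and the three built-in alert rules above concrete, here is an added example (not dockmesh's own code) that flattens a Grype JSON report, keeps suppressed findings out of the dashboard counts while retaining them with their justification for audit, and evaluates the alert rules. It assumes Grype's `matches[].vulnerability` / `matches[].artifact` report layout; the `knownExploited` field name and the constructed sample data (placeholder CVE IDs other than CVE-2024-12345) are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the layout of Grype's JSON report (matches[].vulnerability / .artifact).
# CVE-0000-000x are placeholder IDs; "knownExploited" is an assumed field name for the exploit flag.
SAMPLE_REPORT = json.loads("""{"matches": [
 {"vulnerability": {"id": "CVE-2024-12345", "severity": "Critical", "fix": {"versions": ["3.0.9-r0"]},
   "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-12345"},
  "artifact": {"name": "openssl", "version": "3.0.8-r0", "locations": [{"layerID": "sha256:LAYER_A"}]}},
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"versions": []},
   "dataSource": "", "knownExploited": [{"cve": "CVE-0000-0001"}]},
  "artifact": {"name": "libfoo", "version": "1.2.3", "locations": [{"layerID": "sha256:LAYER_B"}]}},
 {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium", "fix": {"versions": ["2.0"]}, "dataSource": ""},
  "artifact": {"name": "libbar", "version": "1.9", "locations": [{"layerID": "sha256:LAYER_B"}]}}
]}""")

def findings(report, suppressions=None):
    """Flatten a report into the per-finding fields listed above. suppressions maps
    (cve, package name) -> justification; suppressed rows are kept out of the dashboard
    list but returned separately with their justification so they stay auditable."""
    active, audit = [], []
    for m in report["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        fixed = v.get("fix", {}).get("versions") or []
        row = {"cve": v["id"], "severity": v.get("severity") or "Unknown",
               "package": f"{a['name']} {a['version']}",
               "fixed_in": ", ".join(fixed) if fixed else "not yet",
               "layer": (a.get("locations") or [{}])[0].get("layerID", "unknown"),
               "reference": v.get("dataSource", ""),
               "exploited": bool(v.get("knownExploited"))}
        why = (suppressions or {}).get((v["id"], a["name"]))
        (audit if why else active).append({**row, "justification": why} if why else row)
    return active, audit

def by_severity(rows):
    """Aggregate view: number of active findings per severity."""
    return dict(Counter(r["severity"] for r in rows))

def alerts(rows, previously_seen, max_high_critical):
    """Evaluate the three built-in rules against active findings; returns (rule, detail) pairs that fired."""
    fired = [("new_critical", r["cve"]) for r in rows
             if r["severity"] == "Critical" and r["cve"] not in previously_seen]
    fired += [("known_exploit", r["cve"]) for r in rows if r["exploited"]]
    high_crit = sum(r["severity"] in ("High", "Critical") for r in rows)
    if high_crit > max_high_critical:
        fired.append(("high_critical_over_threshold", high_crit))
    return fired
```

Run `grype <image> -o json` to obtain a real report in place of the constructed sample; `previously_seen` is the set of CVE IDs already alerted on, so the new-critical rule notifies only on first discovery.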

Grype matches packages against the NVD and other public databases. It can miss:

  • Zero-days not yet in any database
  • Language-specific package managers embedded in images (partial coverage for pip/npm/gem via package metadata)
  • Custom-built software without package metadata
  • Runtime vulnerabilities (e.g. misconfigurations) — use a separate runtime scanner for that

Grype is a good baseline, not a full application security program.

The database updates daily by default. Override:

  • Hourly — for teams with strict compliance needs
  • Weekly — to save bandwidth (air-gapped deployments)
  • Manual only — air-gapped, import via offline DB download

Offline update:

```bash
# On a machine with internet
grype db download -o /tmp/grype-db.tar.gz
# Transfer to air-gapped host
# In dockmesh: Settings → Vulnerability → Import DB → upload the tar
```

The full scan report can be exported as CSV or JSON for compliance evidence, ticketing (e.g. Jira), or archival. Export is RBAC-gated.

  • Images — image management with CVE column
  • Alerts — alerting on new CVEs
  • Hardening — full security posture