# Vulnerability scanner


Vulnerability scanner is a service that enables you to:
* Statically analyze a [Docker image](docker-image.md) for vulnerabilities in components, libraries, and dependencies used in the Docker image.
* Compare Docker image contents with the [CVE](https://cve.mitre.org/) vulnerability databases.

Vulnerability scanner works only with Docker images stored in Container Registry. Users can scan only those Docker images they have [permissions](../security/index.md) for.

To scan a Docker image, the scanner unpacks it and searches for installed package versions (deb). It then checks the package versions it finds against a database of known vulnerabilities.
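The matching step described above, sketched as an added example (not Yandex Cloud's scanner code): it reads a dpkg status file from an unpacked image and flags installed packages older than the first fixed version, using Debian's version ordering. The status contents, the `EXAMPLE-…` advisory IDs, and all function names are constructed for illustration.

```python
import re
# Constructed sample of an unpacked image's /var/lib/dpkg/status (not real data).
DPKG_STATUS = """Package: libfoo1
Status: install ok installed
Version: 1.2.3-4+deb12u1

Package: bar-utils
Status: install ok installed
Version: 2:4.0~rc1-1

Package: baz
Status: deinstall ok config-files
Version: 0.9-1
"""
ADVISORIES = [  # constructed: (placeholder id, package, first fixed version)
    ("EXAMPLE-0001", "libfoo1", "1.2.3-4+deb12u2"), ("EXAMPLE-0002", "bar-utils", "2:4.0-1"),
    ("EXAMPLE-0003", "baz", "1.0-1"), ("EXAMPLE-0004", "libfoo1", "1.2.3-4")]

def _order(c):  # Debian character order: '~' < end of string (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # compare alternating non-digit and digit runs, left to right
    while a or b:
        (na, da, a), (nb, db, b) = (re.match(r"(\D*)(\d*)(.*)", s).groups() for s in (a, b))
        n = max(len(na), len(nb))
        ka = ([_order(c) for c in na] + [0] * n)[:n], int(da or 0)
        kb = ([_order(c) for c in nb] + [0] * n)[:n], int(db or 0)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):  # "[epoch:]upstream[-revision]" -> (epoch, upstream, revision)
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):  # negative, zero or positive, as a < b, a == b, a > b
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def installed_packages(status_text):  # only fully installed packages count
    stanzas = (dict(re.findall(r"^(\S+): (.*)$", s, re.M)) for s in status_text.split("\n\n"))
    return {f["Package"]: f["Version"] for f in stanzas
            if f.get("Status", "").endswith(" ok installed")}

def find_vulnerable(status_text, advisories):
    pkgs = installed_packages(status_text)
    return [(adv_id, pkg, pkgs[pkg]) for adv_id, pkg, fixed in advisories
            if pkg in pkgs and deb_cmp(pkgs[pkg], fixed) < 0]
```

Comparing versions as plain strings would get the `~rc1` and `+deb12u1` cases wrong, which is why the comparison follows Debian's version ordering.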

Currently, scanning is available for Docker images built on the following supported operating systems:

**Operating system**        | **Supported versions**
--------------------------- | -------------------------
AlmaLinux                   | 8, 9, 10
Alpine Linux                | 2.2–2.7, 3.0–3.22, edge
Amazon Linux                | 1, 2, 2023
Azure Linux (CBL-Mariner)   | 1.0, 2.0, 3.0
Bottlerocket                | 1.7.0 and higher
CentOS                      | 6, 7, 8
Chainguard                  | -
CoreOS                      | All versions (SBOM only)
Debian GNU/Linux            | 7, 8, 9, 10, 11, 12
Echo                        | -
MinimOS                     | -
openSUSE Leap               | 15, 42
openSUSE Tumbleweed         | -
Oracle Linux                | 5, 6, 7, 8
Photon OS                   | 1.0, 2.0, 3.0, 4.0, 5.0
Red Hat Enterprise Linux    | 6, 7, 8, 9, 10 (10 is for SBOM only)
Rocky Linux                 | 8, 9
SUSE Linux Enterprise       | 11, 12, 15
SUSE Linux Enterprise Micro | 5, 6
Ubuntu                      | All versions supported by [Canonical](https://canonical.com/)
Wolfi Linux                 | -
OS with Conda installed     | -

{% note info %}

Scanning Docker images for vulnerabilities is [charged](../pricing.md#scanner).

{% endnote %}

## Language package scanning {#language-packs}

{% note info %}

Language package scanning is available upon request. Contact [support](https://center.yandex.cloud/support) or your account manager.

{% endnote %}

The vulnerability scanner automatically detects the following language package files and analyzes the Docker image dependencies:

Supported programming language | Files analyzed
----- | -----
Ruby | gemspec
Python | egg package <br> wheel package
PHP | composer.lock
Node.js | package.json
.NET | packages.lock.json <br> packages.config <br> .deps.json
Java | JAR/WAR/PAR/EAR ^1^
Go | Binary files ^2^
Rust | Cargo.lock <br> Binary files created using cargo-auditable
Dart | pubspec.lock

^1^ Files with the `.jar`, `.war`, `.par`, and `.ear` extensions.

^2^ Scanning does not work for binary files compressed using [UPX](https://upx.github.io/).

## Types of scanning {#types}

You can scan Docker images pushed to a registry for vulnerabilities:
* [Manually](../operations/scanning-docker-image.md#manual): A scan is run by the user.
* [On push](../operations/scanning-docker-image.md#automatically): Docker images are scanned automatically on push.
* [On schedule](../operations/scanning-docker-image.md#scheduled): Docker images are scanned automatically according to a user-defined schedule.


## Storing scan results {#scan-result}

For each Docker image, the system stores the three most recent successful scans completed within the last 30 days. If a Docker image goes unscanned for 30 days, only the last scan is kept.


## Use cases {#examples}

* [Scanning vulnerabilities during continuous deployment of Managed Service for Kubernetes applications using GitLab](../tutorials/cr-scanner-with-k8s-and-gitlab.md)
* [Storing Docker images created in Yandex Managed Service for GitLab projects](../tutorials/image-storage.md)