Container image scanning for software decomposition

  • Release version: Australia
  • Updated March 12, 2026
  • Summarized using AI

    Summary of Container image scanning for software decomposition

    ServiceNow ITOM Visibility apps—including Discovery and Service Mapping Patterns and the Kubernetes Visibility Agent—integrate with Aqua Trivy to scan container images and OS packages. This scanning enhances control over container deployments by providing detailed visibility into container components.


    Container image scanning is essential for identifying installed software within Kubernetes or Docker containers, supporting regulatory compliance, enforcing company policies such as golden image use and software currency, managing licensed software, and understanding service context through tags and service mesh.

    Key Features

    • Integration with Aqua Trivy: Enables scanning of container images to detect OS packages, software dependencies, and vulnerabilities.
    • Discovery and Service Mapping Patterns: Suitable for self-hosted or cloud Kubernetes deployments and non-Kubernetes Docker containers. Supports scanning with or without cloud credentials, and discovers Kubernetes clusters, namespaces, services, Docker containers, and associated metadata.
    • Kubernetes Visibility Agent: Designed for cloud-native application teams, this agent supports near real-time discovery and scanning, particularly for AWS ECR repositories. It does not require credential setup or MID Server and uses ServiceAccount/ClusterRole access.
    • Software Bill of Materials (SBOM) Generation: Both patterns and agent methods can generate SBOMs to provide detailed lists of container image dependencies, aiding compliance verification.
    • Support for Multiple Use Cases: Enables security professionals to scan base and final container images for vulnerabilities, compliance officers to generate SBOMs, and engineers to identify Kubernetes pods or Docker containers running specific images—without necessarily requiring Aqua Trivy scanning for pod/container identification.

    Practical Implementation Details

    • Container image scanning jobs run at a controlled rate (up to 10 images per minute) using scheduled patterns.
    • Scan results populate CMDB tables and temporary transformation tables, capturing data such as the origin registry, software names, versions, and application records linked to container images.
    • Software package information is linked to images rather than containers to avoid inaccurate associations with ephemeral containers.
    • For private container registries or specific network setups, MID Servers can be mapped to container image repositories, and proxy bypasses can be configured to ensure scanning connectivity.
    • SBOM generation can be enabled and configured to prevent duplicate files, providing customers with downloadable SBOMs for transparency into container contents.

    What Customers Can Expect

    • Improved visibility into container components and their software, enhancing security, compliance, and operational governance.
    • Flexible scanning options tailored to different container environments—Kubernetes or Docker, cloud or on-premises.
    • Automated discovery and mapping of container images, OS packages, and their relationships within the CMDB, enabling better asset management.
    • Tools to generate and download SBOMs, supporting regulatory audits and software supply chain transparency.
    • Integration with ServiceNow’s ITOM Visibility framework, supporting ongoing container lifecycle management and operational insights.

    The ITOM Visibility apps Discovery and Service Mapping Patterns and Kubernetes Visibility Agent integrate with Aqua Trivy to collect data on container images and OS packages. Visibility into the container components gives you more control over your container deployments.

    Container image scanning for software decomposition diagram

    Benefits of image scanning

    Scanning your containers gives you visibility into what's inside Kubernetes or Docker containers, including their OS packages. Scanning images can assist you in multiple ways.
    • It helps you identify software installed in containers for regulatory and compliance use cases.
    • It helps you adhere to company policies such as usage of golden images, removal of outdated software, mandatory labels, or configuration policies.
    • It also helps you manage licensed software running in containers.
    • You can also get the service context, using tags and the service mesh, to understand the impact of containers on your organization.

    Image scanning use cases with ITOM Visibility

    You can use two ITOM Visibility apps to scan container images: Discovery and Service Mapping Patterns, and Kubernetes Visibility Agent. Patterns is a feature set used by Discovery, Cloud Discovery, and Service Mapping. Kubernetes Visibility Agent is a feature of Agent Client Collector. While Kubernetes Visibility Agent (formerly known as CNO-V) is more suitable for Kubernetes and dynamic containerized workloads, pattern-based discovery is more suitable for non-Kubernetes Docker containers.

    Use case #1
    Once an application has been packaged up in container images, a security professional can scan the base image, as well as the final image, for vulnerabilities, and identify OS packages, software dependencies, and application records. This is specifically for Containerized MSSQL Server.
    Table 1. Visibility methods for use case #1

    Visibility method: Discovery and Service Mapping Patterns and Aqua Trivy

    Method characteristics:
    • Best suited for self-hosted or cloud Kubernetes deployments with access to bearer tokens and credentials.
    • Supports public and self-hosted repository image scanning.
    • Pattern-based discovery without Cloud Discovery:
      • Uses a bearer token.
      • Manually created Kubernetes discovery schedule per cluster.
    • Pattern-based discovery with Cloud Discovery:
      • No bearer token required.
      • Uses cloud credentials.
      • Automatic creation of the Kubernetes discovery schedule.
    • For more information on scanning images using Aqua Trivy, see Scan container images.

    What's discovered using Discovery and Service Mapping Patterns:
    • Kubernetes clusters
    • Kubernetes Services
    • Kubernetes topology
    • Docker containers and images
    • Kubernetes deployments, including OpenShift
    • Namespaces
    • Labels and tags
    • Software in containers
    • Account and region details (can only be discovered by Cloud Discovery)
    • Objects in a Docker engine running on a Linux host (collected by the Docker pattern)

    Visibility method: Kubernetes Visibility Agent and Aqua Trivy

    Method characteristics:
    • Best suited for deployment by cloud-native app teams.
    • Optional ability to monitor Kubernetes with AIOps.
    • For cloud environments, only AWS ECR (Public and Private) is supported.
    • Kubernetes Visibility Agent-based discovery doesn't require credential setup or a MID Server. Access is through a ServiceAccount/ClusterRole. Installation is via Helm chart or Kubernetes YAML file. Discovery runs in near real time.
    • Use Kubernetes Explorer to download the SBOM.

    What's discovered using Kubernetes Visibility Agent:
    • Kubernetes Namespaces
    • Nodes and Pods
    • Deployments
    • StatefulSets
    • DaemonSets
    • ReplicaSets
    • Jobs
    • CronJobs
    • Services
    • Docker containers
    • Docker images
    • Container repositories
    • Account and region details (can only be discovered by Cloud Discovery)
    Use case #2
    A compliance officer can generate an SBOM to obtain a detailed list of the dependencies of the container image and to ensure that the software complies with industry regulations.
    Table 2. Visibility methods for use case #2

    Visibility method: Kubernetes pattern or Docker pattern
    Method characteristics: SBOM creation is part of the container scanning.

    Visibility method: Kubernetes Visibility Agent
    Method characteristics: SBOM creation is also part of the container scanning, but using ACC is best suited for organizations that need the flexibility to perform both full and continuous discovery.
    Use case #3

    An engineer found a defect in a custom-built image and needs to find all Kubernetes pods that are running using that image.

    Table 3. Visibility methods for use case #3

    Visibility method: Kubernetes pattern
    Method characteristics: Aqua Trivy container scanning isn't required. You can identify the pods using Patterns.
    What's discovered:
    • Kubernetes Clusters
    • Kubernetes Containers
    • Kubernetes Services
    • Labels
    • Pods
    • Images
    • Tags

    Visibility method: Kubernetes pattern with Cloud Discovery
    Method characteristics: Aqua Trivy container scanning isn't required. You can identify the pods using Patterns.
    What's discovered: All of the above, plus account and region details.
    Use case #4
    An engineer finds a defect in a custom-built image and needs to find all Docker containers (non-Kubernetes) that are running using that image.

    Visibility method: Horizontal Discovery of a VM running Docker (Docker pattern)
    Method characteristics: Aqua Trivy container scanning isn't required. You can identify the pods using Patterns.
    What's discovered: See Docker virtualization.
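    Use cases #3 and #4 both reduce to the same check: given an image, list every running workload that uses it. The Python below is an added example, not ServiceNow pattern code, and it does not touch the CMDB. It works on a constructed subset of the PodList JSON that `kubectl get pods -A -o json` returns (only `spec.containers[].image` and `status.containerStatuses[].imageID` are used) and matches on the digest the node actually pulled, because a tag such as `:1.4.2` can be rebuilt and point at a different image later. The registry, repository names, pod names and digests are all constructed sample data. For non-Kubernetes Docker hosts the same digest comparison applies to the `Image` field of `docker inspect` output.

```python
"""Find the Kubernetes pods (and their containers) that run a given image.

Added example for use cases #3 and #4; not ServiceNow pattern code.
Input: a constructed subset of `kubectl get pods -A -o json` output.
"""
import re

# Constructed digests. The tag api:1.4.2 was rebuilt once, so two different
# digests carry the same tag; a defect hunt must key on the digest.
DIGEST_BUILD_1 = "sha256:" + "11" * 32
DIGEST_BUILD_2 = "sha256:" + "22" * 32
DIGEST_OTHER = "sha256:" + "33" * 32


def parse_image_ref(ref):
    """Split an OCI image reference into (registry, repository, tag, digest).

    Handles registry:port, docker.io shorthand (no registry part), :tag and
    @sha256 digests. The `docker-pullable://` prefix that older Docker
    runtimes put in imageID is stripped first.
    """
    ref = re.sub(r"^docker-pullable://", "", ref)
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A colon after the last slash separates the tag; earlier ones are a port.
    head, _, last = path.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    repository = f"{head}/{last}" if head else last
    return registry, repository, tag, digest


def _pod(namespace, name, image, digest):
    """Build one single-container pod shaped like the Kubernetes API object."""
    registry, repo, _, _ = parse_image_ref(image)
    return {
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"containers": [{"name": "main", "image": image}]},
        "status": {"containerStatuses": [
            {"name": "main", "image": image, "imageID": f"{registry}/{repo}@{digest}"}]},
    }


# Constructed PodList: three pods share the tag, only two share build 1.
POD_LIST = {"items": [
    _pod("payments", "api-7d9f4b-k2x9q", "registry.example.com/team/api:1.4.2", DIGEST_BUILD_1),
    _pod("payments", "api-7d9f4b-m8r2w", "registry.example.com/team/api:1.4.2", DIGEST_BUILD_2),
    _pod("reporting", "worker-5c6b8-zq1lp", "registry.example.com/team/api:1.4.2", DIGEST_BUILD_1),
    _pod("web", "edge-66d5c-hh7tn", "nginx:1.25", DIGEST_OTHER),
]}


def containers_running_image(pod_list, repository, digest=None):
    """Return (namespace, pod, container, imageID) for each container whose
    pulled image is `repository`, optionally pinned to `digest`.

    Uses status.containerStatuses[].imageID (what the node resolved), not the
    mutable tag in the pod spec.
    """
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for cs in pod.get("status", {}).get("containerStatuses", []):
            _, repo, _, pulled = parse_image_ref(cs.get("imageID", ""))
            if repo != repository or (digest is not None and pulled != digest):
                continue
            hits.append((meta["namespace"], meta["name"], cs["name"], cs["imageID"]))
    return hits


def report(pod_list, image_ref):
    """Accept repo:tag or repo@digest and list the matching containers."""
    _, repo, _, digest = parse_image_ref(image_ref)
    return containers_running_image(pod_list, repo, digest)


if __name__ == "__main__":
    # By tag: over-matches, both builds of 1.4.2 come back.
    for hit in report(POD_LIST, "registry.example.com/team/api:1.4.2"):
        print("by tag   ", *hit)
    # By digest: exactly the defective build.
    for hit in report(POD_LIST, f"registry.example.com/team/api@{DIGEST_BUILD_1}"):
        print("by digest", *hit)
```

    Querying by tag returns all three `team/api` pods; querying by the digest of the defective build returns only the two that actually run it, which is the list an engineer needs for a targeted rollout.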

    Image scanning with Discovery and Service Mapping Patterns

    Kubernetes and Docker patterns integrate with the Aqua Trivy tool and run scheduled jobs to discover container images and OS packages at a fixed rate of 10 images per minute. During the scan, the pattern indicates the scanning status. The pattern discovers the OS packages that are related to an image. Then it reads the image command attributes, such as the CI class, and creates application records based on them. In addition, the pattern uses enrichment scripts to add details to the application records. After that, the pattern maps the relations between the OS packages and the containers.

    Part of the data is populated in CMDB tables and part of it in transformation tables (non-CMDB temporary tables). The transformation tables are installed with the pattern. For example, the information you get by scanning includes origin registry, software name, and version.
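    As an added illustration of the decomposition described above (not the pattern's own code, and not part of Aqua Trivy), the Python below reads the JSON that `trivy image --format json <image>` writes, using Trivy's schema version 2 field names (`ArtifactName`, `Metadata.OS`, `Metadata.RepoDigests`, `Results[].Class`, `Results[].Type`, `Results[].Packages[]`). It builds one image record (origin registry, digest, OS, command attributes), one record per OS or language package, and image-to-package relations, attaching packages to the image digest rather than to any container, and then emits a minimal CycloneDX 1.5 SBOM as in use case #2. The scan, image name, package list and digest are constructed sample data; the purl type mapping and the use of `Cmd` as an application-record hint are simplifying assumptions.

```python
"""Decompose a Trivy image scan into image-level software records.

Added example; not ServiceNow pattern code and not part of Trivy. Consumes
`trivy image --format json` output (schema version 2 field names) and
produces image, package and relation records plus a minimal CycloneDX SBOM.
"""
import json
from urllib.parse import quote

IMAGE_DIGEST = "sha256:" + "11" * 32  # constructed digest

# Constructed Trivy scan, trimmed to the fields used below.
TRIVY_SCAN = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/team/api:1.4.2",
    "ArtifactType": "container_image",
    "Metadata": {
        "OS": {"Family": "debian", "Name": "12.5"},
        "RepoDigests": [f"registry.example.com/team/api@{IMAGE_DIGEST}"],
        "ImageConfig": {"config": {"Cmd": ["python3", "-m", "api"]}},
    },
    "Results": [
        {"Target": "registry.example.com/team/api:1.4.2 (debian 12.5)",
         "Class": "os-pkgs", "Type": "debian",
         "Packages": [
             {"Name": "openssl", "Version": "3.0.11-1~deb12u2", "Licenses": ["Apache-2.0"]},
             {"Name": "libssl3", "Version": "3.0.11-1~deb12u2", "Licenses": ["Apache-2.0"]},
             {"Name": "bash", "Version": "5.2.15-2+b2", "Licenses": ["GPL-3.0-or-later"]},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Packages": [{"Name": "requests", "Version": "2.31.0", "Licenses": ["Apache-2.0"]}]},
    ],
}

# Simplified Trivy result type -> purl type mapping (assumption, not Trivy's table).
PURL_TYPES = {"debian": "deb/debian", "ubuntu": "deb/ubuntu", "alpine": "apk/alpine",
              "python-pkg": "pypi", "node-pkg": "npm"}


def make_purl(pkg_type, name, version, os_info):
    """Build a package URL; OS packages carry the distro qualifier."""
    base = PURL_TYPES.get(pkg_type, "generic")
    purl = f"pkg:{base}/{quote(name, safe='')}@{quote(version, safe='~+.')}"
    if base.startswith(("deb/", "apk/")) and os_info:
        purl += f"?distro={os_info['Family']}-{os_info['Name']}"
    return purl


def decompose(scan):
    """Turn one Trivy scan into CMDB-style image, package and relation records.

    The image digest, not a container, owns the packages: containers are
    ephemeral, while the digest identifies the exact image contents.
    """
    meta = scan.get("Metadata", {})
    name = scan["ArtifactName"]
    repo_digests = meta.get("RepoDigests") or []
    digest = repo_digests[0].split("@", 1)[1] if repo_digests else meta.get("ImageID")
    first = name.split("/", 1)[0]
    registry = first if ("." in first or ":" in first) else "docker.io"
    os_info = meta.get("OS")
    image = {
        "name": name, "origin_registry": registry, "digest": digest,
        "os": f"{os_info['Family']} {os_info['Name']}" if os_info else None,
        # Command attributes as the application-record hint (assumption).
        "cmd": meta.get("ImageConfig", {}).get("config", {}).get("Cmd"),
    }
    packages, relations, seen = [], [], set()
    for result in scan.get("Results", []):
        for pkg in result.get("Packages", []):
            purl = make_purl(result.get("Type", ""), pkg["Name"], pkg["Version"], os_info)
            if purl in seen:  # the same package reported twice yields one record
                continue
            seen.add(purl)
            packages.append({"name": pkg["Name"], "version": pkg["Version"],
                             "type": result.get("Type"), "class": result.get("Class"),
                             "licenses": pkg.get("Licenses", []), "purl": purl})
            relations.append((digest, purl))
    return {"image": image, "packages": packages, "relations": relations}


def merge_scans(scans):
    """Index by image digest so N containers of one image give one image record."""
    by_digest = {}
    for scan in scans:
        d = decompose(scan)
        by_digest.setdefault(d["image"]["digest"], d)
    return by_digest


def to_cyclonedx(decomp):
    """Minimal CycloneDX 1.5 JSON document for one decomposed image."""
    img = decomp["image"]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "container", "name": img["name"],
                                   "version": img["digest"]}},
        "components": [
            {"type": "library", "name": p["name"], "version": p["version"],
             "purl": p["purl"], "bom-ref": p["purl"],
             "licenses": [{"license": {"id": lic}} for lic in p["licenses"]]}
            for p in decomp["packages"]],
    }


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(decompose(TRIVY_SCAN)), indent=2))
```

    Feeding the same scan twice through `merge_scans` (two containers started from one image) yields a single image record, which is the reason the page links package information to images rather than to containers; the CycloneDX output is the kind of artifact the downloadable SBOM in use case #2 provides.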