Vulnerability Scanning
dockmesh bundles Grype for CVE scanning. Every image deployed through dockmesh can be scanned for known vulnerabilities without any external service.
Enabling
The installer’s first-boot Setup Wizard offers Grype as a toggle; you can also flip it later under Settings → Configuration (look for the Vulnerability scanner row). The relevant env var is DOCKMESH_SCANNER_ENABLED (defaults to true); the binary path comes from DOCKMESH_SCANNER_BINARY (defaults to grype).
dockmesh shells out to the Grype CLI per scan, so Grype maintains its own vulnerability database — the first scan after installing Grype downloads ~200 MB, subsequent scans pick up the daily delta on Grype’s own schedule. There’s no dockmesh-side toggle for “scan daily vs weekly”; Grype’s db.update-url and built-in age check govern that. For air-gapped installs, use grype db import from a copy moved across the boundary.
Scan scope
There is currently one scan trigger: on demand, from the Images page (or POST /api/v1/images/{id}/scan via REST). Automatic on-pull scans and scheduled rescans are not shipped yet — the engine is the same Grype CLI, and adding either trigger is a small slice that hasn’t landed. For “rescan everything”, the Resources → Images page has a Scan all action that loops over the current image list.
Report format
Each finding shows:
| Field | Example |
|---|---|
| CVE ID | CVE-2024-12345 |
| Severity | Critical / High / Medium / Low / Unknown |
| Package | openssl 3.0.8-r0 |
| Fixed in | 3.0.9-r0 (or “not yet”) |
| Reference | Link to NVD / GitHub Advisory / vendor bulletin |
Aggregate counts (per severity) are surfaced as a column on the Resources → Images view next to each image; the dashboard does not roll those up into a fleet-wide CVE tile yet.
Acting on findings
Today the supported workflow is one pattern: update the image, re-pull with a newer tag, redeploy. The stack’s Update tab on a container detail page shows when a newer image digest is available.
A formal suppress / accept workflow (mark a CVE as not-exploitable, exclude it from dashboards) is not implemented yet — no security.suppress_cve permission ships, and there is no per-finding suppression store. Until then, judging “acceptable risk” lives outside dockmesh (your runbook / Jira ticket / Vanta record).
Alerts
There are no CVE-specific alert rules built in. The four shipped rules cover container CPU and memory only; CVE-based alerting (e.g. “new critical CVE found in any deployed image”) would need a metric collector that the alerts engine doesn’t have yet. Tracked as a follow-up — in the meantime, poll the scan results endpoint from your own job runner and emit notifications via the generic webhook channel.
Limitations
Grype matches packages against the NVD and other public databases. It can miss:
- Zero-days not yet in any database
- Language-specific package managers embedded in images (partial coverage for pip/npm/gem via package metadata)
- Custom-built software without package metadata
- Runtime vulnerabilities (e.g. misconfigurations) — use a separate runtime scanner for that
Grype is a good baseline, not a full application security program.
Database updates
dockmesh doesn’t manage the Grype database directly — Grype handles its own download + cache (typically under ~/.cache/grype/db/ for the service user). Grype’s own staleness check decides when to refresh; refresh cadence is set on the Grype side, not in dockmesh.
For air-gapped installs, fetch the DB on a machine with internet and bring it across the boundary:
```sh
# On the internet-connected machine: refresh the local DB cache
# (the grype db subcommand that fetches the database is `update`)
grype db update
# the archive lands in $XDG_CACHE_HOME/grype/db/ — copy that tree to the
# air-gapped host's equivalent path under the dockmesh service user
```

There is no in-UI “Import DB” upload flow yet; until that ships, file-level placement is the only way to update Grype’s DB offline.
Export
The Image-detail view shows the full per-image scan report. A built-in CSV / JSON export of the cross-fleet scan results isn’t shipped yet — for compliance pipelines, hit GET /api/v1/images/{id}/scan per image with an images.scan RBAC token and serialise the JSON yourself.
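The following is an added example, not dockmesh’s own code, covering both workarounds on this page: the Alerts section’s “poll the scan endpoint from your own job runner and notify via the generic webhook channel”, and the per-image JSON-to-CSV export described above. The JSON field names of the scan response, the bearer-token header and the webhook body shape are assumptions (adjust flatten() to the real schema); the list of image IDs and the persisted set of already-seen findings are left to the caller.

```python
import csv
import io
import json
import urllib.request

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}
CSV_FIELDS = ["image_id", "cve_id", "severity", "package", "fixed_in", "reference"]

# Constructed stand-in for one GET /api/v1/images/{id}/scan response; the real
# field names are an assumption, adjust flatten() to match the actual JSON.
SAMPLE_REPORT = {"findings": [
    {"cve_id": "CVE-2024-12345", "severity": "Critical", "package": "openssl 3.0.8-r0",
     "fixed_in": "3.0.9-r0", "reference": "https://nvd.nist.gov/vuln/detail/CVE-2024-12345"},
    {"cve_id": "CVE-2023-0001", "severity": "Low", "package": "zlib 1.2.13-r0",
     "fixed_in": None, "reference": ""},
]}

def fetch_scan(base_url, token, image_id):
    """Fetch one image's scan report with an images.scan RBAC token (bearer header assumed)."""
    req = urllib.request.Request(f"{base_url}/api/v1/images/{image_id}/scan",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def flatten(image_id, report):
    """One CSV-ready row per finding; an empty fixed_in becomes 'not yet' as in the UI."""
    return [{"image_id": image_id, "cve_id": f["cve_id"],
             "severity": f.get("severity", "Unknown"), "package": f.get("package", ""),
             "fixed_in": f.get("fixed_in") or "not yet", "reference": f.get("reference", "")}
            for f in report.get("findings", [])]

def to_csv(rows):
    """Serialise rows for a compliance pipeline."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def new_findings(rows, seen, min_severity="Critical"):
    """Rows at or above min_severity whose (image, CVE, package) key the caller has not seen."""
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in rows if (r["image_id"], r["cve_id"], r["package"]) not in seen
            and SEVERITY_RANK.get(r["severity"], 0) >= threshold]

def webhook_payload(fresh):
    """Body for the generic webhook channel (free-form JSON body assumed)."""
    return {"title": f"{len(fresh)} new CVE finding(s)", "findings": fresh}
```

A job runner would call fetch_scan() per image ID, feed the rows to to_csv() for the compliance export, and POST webhook_payload() only when new_findings() is non-empty, persisting the seen keys between runs.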