Analyze Docker Image (Command Line)

In this tutorial, you will learn by example how to use to analyze a test Docker image by following the steps below and, along the way, learn some of the basic commands.


This tutorial assumes you have a recent version of installed locally on your machine and running with Docker. If you do not have it installed, see our Installation guide for instructions.


To successfully complete this tutorial, you first need to:

  • Install locally

  • Have Shell access on the machine where is installed


  • Create a new directory in your home directory that will be used to put the input code to be scanned.

$ mkdir -p ~/codedrop/
$ curl --output ~/codedrop/30-alpine-nickolashkraus-staticbox-latest.tar
  • Create an alias to the scanpipe command executed through the docker compose command line interface with:

$ alias scanpipe="docker compose -f ${PWD}/docker-compose.yml run --volume ~/codedrop/:/codedrop:ro web scanpipe"
  • Create a new project named staticbox:

$ scanpipe create-project staticbox
>> Project staticbox created with work directory /var/scancodeio/workspace/projects/staticbox-d4ed9405


New projects work directory are created inside the location defined in SCANCODEIO_WORKSPACE_LOCATION setting. Default to the /var/scancodeio/workspace/ directory.

  • Add the test Docker image tarball to the project workspace’s input/ directory:

$ scanpipe add-input --project staticbox \
    --input-file /codedrop/30-alpine-nickolashkraus-staticbox-latest.tar
>> File copied to the project inputs directory:
   - 30-alpine-nickolashkraus-staticbox-latest.tar


The command output will let you know that the Docker image file was copied to the project’s input/ directory. Alternatively, you can copy files manually to the input/ directory to include entire directories.

  • Add the analyze_docker_image pipeline to your project:

$ scanpipe add-pipeline --project staticbox analyze_docker_image
>> Pipeline analyze_docker_image added to the project
  • Check the status of the pipeline added to your project:

$ scanpipe show-pipeline --project staticbox
>> [NOT_STARTED] analyze_docker_image


The scanpipe show-pipeline command lists all the pipelines added to the project and their execution status. You can use this to get a quick overview of the pipelines that have been already running, pipelines with “SUCCESS” or “FAILURE” status, and those will be running next, pipelines with “NOT_STARTED” status as shown below.

  • Run the analyze_docker_image pipeline on this project. In the output, you will be shown the pipeline’s execution progress:

$ scanpipe execute --project staticbox
>> Pipeline analyze_docker_image run in progress...
   Pipeline [analyze_docker_image] starting
   Step [extract_images] starting
   Step [extract_images] completed in 0.18 seconds
   Step [extract_layers] starting
   Pipeline completed
   analyze_docker_image successfully executed on project staticbox
  • Executing the show-pipeline command again will also confirm the success of the pipeline execution - “[SUCCESS] analyze_docker_image” status:

$ scanpipe show-pipeline --project staticbox
>> [SUCCESS] analyze_docker_image
  • Get the results of the pipeline execution as a JSON file using the output command:

$ scanpipe output --project staticbox --format json --print > staticbox_results.json
  • Finally, open the staticbox_results.json file in your preferred text editor/file viewer.


To understand the output of the pipeline execution, see our Output Files section for details.


The inputs and pipelines can be provided directly at once when calling the create-project command. The --execute option is also available to start the pipeline execution right after the project creation. For example, the following command will create a project named staticbox2, download the test Docker image to the project’s input/ directory, add the analyze_docker_image pipeline, and execute the pipeline in one operation:

$ scanpipe create-project staticbox2 \
    --input-url \
    --pipeline analyze_docker_image \