Vulnerability Scanning
Generate SBOMs and detect vulnerabilities on a schedule. Every scan is archived to S3 so you have a timestamped record of what was running and what was vulnerable.
Schedule with the Agent
Add annotations to your pods or namespaces. The agent runs the scan on each matching container and uploads the results to S3.
```yaml
# Pod annotation
reel.io/schedule: |
  @every 1h | export sbom --scanners vuln
# S3 destination
reel.io/s3-bucket: "compliance-evidence"
reel.io/s3-region: "us-east-1"
```
One-Shot with the CLI
Run the same scan from your terminal or CI pipeline — no agent required.
```shell
# Scan an image
reel export sbom nginx:latest --scanners vuln
# Scan a running container
reel export sbom --container my-nginx --scanners vuln
# Critical only
reel export sbom nginx:latest --scanners vuln --severity CRITICAL
```
What Gets Captured
| Artifact | Format | Contents |
|---|---|---|
| SBOM | CycloneDX JSON | OS packages, language dependencies, versions |
| Vulnerabilities | Embedded in SBOM | CVE IDs, severity, fixed versions |
| Secrets | Embedded in SBOM | Exposed credentials and tokens |
Scanners are additive: `--scanners vuln,secret` includes both. Without `--scanners`, only the package inventory is generated.
Schedule Examples
```text
# Package inventory only — daily at 6am
0 6 * * * | export sbom
# Vulnerabilities + secrets — daily at 6am
0 6 * * * | export sbom --scanners vuln,secret
# Critical vulnerabilities — every hour
@every 1h | export sbom --scanners vuln --severity CRITICAL
# Full scan — weekly on Monday
0 0 * * 1 | export sbom --scanners vuln,secret,license
```
S3 Output
Each scan is uploaded with a structured key:
`{date}/sbom/{cluster}_{node}_{namespace}_{pod}_{container}_{timestamp}.json`
See S3 Evidence Vault for bucket setup and credentials.
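The archived objects are meant to be queried later, so here is an added example (not part of reel or this page) that pulls the workload identity out of an archive key and lists the components in a CycloneDX SBOM whose embedded vulnerabilities meet a severity threshold. It assumes the key fields contain no underscores (Kubernetes names cannot) and uses only standard CycloneDX fields (`components[].bom-ref`, `vulnerabilities[].ratings[].severity`, `vulnerabilities[].affects[].ref`); the SBOM content and CVE ids are constructed sample data.

```python
import json
import re

# Severity order used for threshold filtering (CycloneDX rating.severity values).
SEVERITY_RANK = {"unknown": 0, "info": 0, "none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Archive key layout from the page: {date}/sbom/{cluster}_{node}_{namespace}_{pod}_{container}_{timestamp}.json
# Assumption: none of the fields contain "_" or "/", so "_" is a safe separator.
KEY_RE = re.compile(
    r"^(?P<date>[^/]+)/sbom/(?P<cluster>[^_/]+)_(?P<node>[^_/]+)_(?P<namespace>[^_/]+)_"
    r"(?P<pod>[^_/]+)_(?P<container>[^_/]+)_(?P<timestamp>[^_/]+)\.json$"
)

# Constructed sample SBOM (not real scan output); CVE ids are placeholders.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11-1", "name": "openssl", "version": "3.0.11-1"},
        {"bom-ref": "pkg:deb/debian/zlib1g@1.2.13", "name": "zlib1g", "version": "1.2.13"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "medium"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:deb/debian/zlib1g@1.2.13"}]},
    ],
}

def parse_archive_key(key):
    """Split an evidence-vault object key into its fields; None if it does not match the layout."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None

def load_sbom(path):
    """Read a downloaded CycloneDX JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def findings_at_or_above(sbom, threshold="HIGH"):
    """Return sorted (component, version, vuln id, severity) tuples at or above the threshold."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    refs = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    out = []
    for vuln in sbom.get("vulnerabilities", []):
        # A vulnerability can carry several ratings (NVD, distro, vendor); use the worst one.
        sev = max((r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue
        for hit in vuln.get("affects", []):
            comp = refs.get(hit.get("ref"), {})  # fall back to the raw ref if the component is missing
            out.append((comp.get("name", hit.get("ref")), comp.get("version", "?"), vuln["id"], sev.upper()))
    return sorted(out)
```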