How to Scan a Container

Scan a Container

Most SCA tools will work to scan for vulnerabilities, but ActiveState recommends the following:

Use a VEX File to Avoid False Positives

SCA tools are great for finding all known vulnerabilities in your runtimes or container images, but findings that do not actually apply to your runtime are false positives that add noise to your reports. Using a Vulnerability Exchange Format (VEX) file in combination with a supported SCA tool lets the tool filter those false positives out of its reporting. A VEX file contains a list of identified vulnerabilities that have been assessed as not applicable to the specific image it was generated for.

SCA tools that support VEX file integration include Trivy, Grype, and Docker Scout. To improve your SCA reports with VEX files, do the following:

Scan with Trivy

To include a VEX file in your scan, be sure to use the --vex oci flag. With this flag Trivy looks for a VEX attestation attached to the image in its OCI registry and applies it when reporting.

trivy image --vex oci <IMAGE_NAME_HERE>
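To show what the VEX integration above actually does with a scan result, here is an added example that is not part of this page or of any ActiveState tooling: it loads a constructed OpenVEX document, collects the (vulnerability, product) pairs marked not_affected, and drops matching findings from a constructed list of scanner results. The CVE identifiers, package URLs and document id are placeholders.

```python
import json

# Constructed OpenVEX document (sample data, not from the page). It records that
# the finding for CVE-0000-0001 in the curl package does not apply to this image
# because the vulnerable code path is never executed; the openssl finding is
# confirmed as affected and must stay in the report.
VEX_DOCUMENT = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-image-001",
    "author": "Example Image Maintainer",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:deb/debian/curl@7.88.1-10"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:deb/debian/openssl@3.0.11-1"}],
            "status": "affected",
            "action_statement": "Upgrade to the patched image.",
        },
    ],
})

# Constructed scanner findings in a simplified shape: vuln id plus package URL.
SCAN_FINDINGS = [
    {"id": "CVE-0000-0001", "pkg": "pkg:deb/debian/curl@7.88.1-10", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "pkg": "pkg:deb/debian/openssl@3.0.11-1", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "pkg": "pkg:deb/debian/zlib@1.2.13-1", "severity": "MEDIUM"},
]


def load_not_affected(vex_json):
    """Return the set of (vuln id, product id) pairs the VEX document marks not_affected."""
    doc = json.loads(vex_json)
    suppressed = set()
    for stmt in doc.get("statements", []):
        if stmt.get("status") != "not_affected":
            continue  # 'affected', 'fixed', 'under_investigation' are not suppressed here
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            suppressed.add((vuln, product["@id"]))
    return suppressed


def apply_vex(findings, vex_json):
    """Drop findings the VEX document assesses as not applicable to this image."""
    suppressed = load_not_affected(vex_json)
    return [f for f in findings if (f["id"], f["pkg"]) not in suppressed]
```

Matching is on the exact (vulnerability, product) pair, so a not_affected statement for one package version never hides the same CVE in a different package or version.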

Scan with Docker Scout

You can scan your image with Docker Scout using the Docker CLI, Docker Desktop, or the web UI. To scan your image with the CLI, run the following command:

docker scout cves <containerName:latest>

If you still have vulnerabilities remaining, reach out to support@activestate.com to get an updated container image.