You can run the scan for a container image in the Carbon Black Cloud console or in a terminal using the CLI Client. The following procedure performs an image scan in the Carbon Black Cloud console.

If a container image is built, pushed to a public repository, and deployed to a Kubernetes cluster between two scans, it is displayed in the list with a Pending status. If the image scan has an Error status, you can run the scan for that image in the Carbon Black Cloud console or in a terminal using the CLI Client.

Note: You can run the manual scan for images in public repositories only. If the image belongs to a private repository, the Rescan button is inactive.


Download and configure the CLI Client. See Setting up CLI Client for Image Scanning. To use the CLI Client in a terminal, see Container Security API and Integrations (external link).


  1. On the left navigation pane, do one of the following depending on your system configuration and role:
    • If you have the Kubernetes Security DevOps or SecOps role and your system has only the Container security feature, click Inventory > Container Images.
    • If you have any other role and your system has Container security and other Carbon Black Cloud features, click Inventory > Kubernetes > Container Images.
  2. Click the Deployed Images tab.
  3. If they are contracted, expand the filter options by clicking the carets >> in the top left. For the Scan Status filter, select Error.
    The table displays only images that have an Error status.
  4. Either use the search field to find a particular image or choose a container image from the list. Click the arrow (>) icon at the right of the selected image.
  5. Click Rescan in the Image Details panel.