CT-Ops

Docker Container Settings

Global CT-Ops settings for Docker container metric retention and Docker image scanning.

Docker container settings control two instance-wide behaviours used by host container pages:

  • how long Docker container metric samples are stored
  • whether Docker image vulnerability scanning runs, how often it runs, and which scanner mode CT-Ops uses

Open Docker metric retention from Settings -> Monitoring -> Metric retention at /settings/monitoring/retention. Open Docker image scanning from Settings -> Host Intelligence at /settings/host-intelligence.

Access and scope

Only instance administrators can change these settings. Operators with host access can see container inventory, metrics, image risk, and host-level overrides where their role allows it, but they cannot change instance-wide defaults.

The settings apply to the current CT-Ops instance. Host-level Docker retention and image-scanning overrides can change the effective behaviour for one host, but the global settings remain the inherited defaults.

Docker metric retention

The Docker metric retention period field controls how long raw docker_container_metrics samples are kept before the ingest retention sweeper purges them.

Field or controlDefaultValidationWhat it does
Docker metric retention period30 daysInteger from 1 to 365 days. The UI offers common options: 7, 14, 30, 60, 90, 180, and 365 days.Sets the global retention period inherited by hosts that do not have a Docker retention override.
SaveDisabled until the selected value differs from the stored valueServer-side administrator access and range validationPersists the selected retention period. The button changes to Saving… while the request is in flight.
SavedHiddenAppears after a successful saveConfirms CT-Ops stored the setting.

This setting affects the Container Metrics panel on Host Containers. If retention is shorter than the chart range an operator selects, older chart buckets will be empty even when the container previously had samples.

Docker runtime status, current container inventory, image scan findings, and lifecycle rows are not purged by this retention setting. It applies to raw container metrics used for CPU, memory, network I/O, block I/O, PIDs, and table CPU sparklines.

Use a longer period for high-value hosts where post-incident container evidence matters. Use a shorter period for dense Docker hosts when metric volume is more important than long history. Set a per-host override from the host Management page when one host needs a different retention period from the instance default.

Docker image scanning

The Docker image scanning settings control scheduled image vulnerability scans and the host-level Run image scan action. The agent reports image scan evidence that appears as Exploit risk on the Host Containers page and as Docker image findings in host vulnerability views.

Field or controlDefaultValidationWhat it does
Docker image scanningEnabledBoolean switchMaster switch for scheduled Docker image vulnerability scanning. When disabled globally, host-level effective scanning is disabled and the Host Containers Run image scan button is disabled.
Scanner modeSyft on host, Grype in CT-Opsserver_grype or host_localChooses where vulnerability matching runs. Syft on host, Grype in CT-Ops has hosts upload SBOM input and CT-Ops process central Grype jobs. Syft and Grype on host has hosts run both tools locally and upload normalized findings.
Scan intervalDaily (24 hours)Integer from 1 to 168 hours. The UI offers every 6, 12, 24, 72, or 168 hours.Controls the scheduled scan cadence. The host Management page displays this inherited cadence.
Max images per cycle3Integer from 1 to 50Limits how many images a host should scan in one scheduled cycle. Raise it for hosts with many important images; lower it to reduce scan pressure.
Timeout seconds600Integer from 30 to 3600 secondsMaximum time allowed for an image scan task before it should stop waiting.
CT-Ops Grype workers2Integer from 1 to 32; disabled in the UI unless scanner mode is server_grypeControls the central Grype worker count used when CT-Ops performs server-side Grype analysis.
Stale alert threshold hours72Integer from 1 to 720 hoursThreshold used by Docker image scan stale alert conditions. Use it to decide when old scan evidence should generate operator attention.
Save Docker image scanningAlways available to adminsServer-side administrator access and field validationPersists the complete Docker image scanning settings object. The button changes to Saving… while the request is in flight.
SavedHiddenAppears after a successful saveConfirms CT-Ops stored the image scanning settings.

When server-side Grype mode is selected, the settings page explains that hosts run Syft and CT-Ops queues central Grype jobs against uploaded SBOM input using the configured worker count. When host-local mode is selected, the settings page explains that hosts run both Syft and Grype locally and upload normalized findings.

Host-level effects

These global settings are inherited by each host:

Host areaEffect
Host Containers -> Run image scanEnabled only when global Docker image scanning is on and the host has not disabled image scanning. The action records an immediate scan request timestamp for the host.
Host Containers -> Exploit riskRisk badges depend on the latest image scan runs and open findings collected under these settings.
Host Containers -> Container MetricsAvailable chart history depends on the effective Docker metric retention period for the host.
Host Management -> Docker RetentionShows inherited global retention, optional host override, and the effective retention period.
Host Management -> Docker Image ScanningShows global enabled state, scanner mode, inherited cadence, max images per cycle, timeout, last immediate scan request, host disable override, and effective scanning state.
Host Inventory -> VulnerabilitiesDocker image findings appear alongside host package findings when image scans report open findings.

Use the global settings for the normal fleet policy. Use host overrides for exceptions: a dense container host that needs shorter retention, a critical host that needs longer evidence, or a host where image scanning must be paused.

Operator guidance

Start with the defaults unless you have clear operational pressure. A daily scan cadence, three images per cycle, a 10-minute timeout, and 30 days of Docker metrics are conservative defaults for many small and medium deployments.

Increase scan frequency when images change frequently or when vulnerability evidence must be refreshed quickly after patching. Increase max images per cycle when important hosts run many images and scans are falling behind. Increase server Grype workers only when CT-Ops has enough CPU and memory to process more central scans concurrently.

Lower retention or scan limits when database growth, host load, or scan runtime becomes the operational bottleneck. Prefer a per-host override when only one host is unusual.