CT-Ops
Docker Container Settings
Global CT-Ops settings for Docker container metric retention and Docker image scanning.
Docker container settings control two instance-wide behaviours used by host container pages:
- how long Docker container metric samples are stored
- whether Docker image vulnerability scanning runs, how often it runs, and which scanner mode CT-Ops uses
Open Docker metric retention from Settings -> Monitoring -> Metric
retention at /settings/monitoring/retention. Open Docker image scanning
from Settings -> Host Intelligence at /settings/host-intelligence.
Access and scope
Only instance administrators can change these settings. Operators with host access can see container inventory, metrics, image risk, and host-level overrides where their role allows it, but they cannot change instance-wide defaults.
The settings apply to the current CT-Ops instance. Host-level Docker retention and image-scanning overrides can change the effective behaviour for one host, but the global settings remain the inherited defaults.
Docker metric retention
The Docker metric retention period field controls how long raw
docker_container_metrics samples are kept before the ingest retention sweeper
purges them.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Docker metric retention period | 30 days | Integer from 1 to 365 days. The UI offers common options: 7, 14, 30, 60, 90, 180, and 365 days. | Sets the global retention period inherited by hosts that do not have a Docker retention override. |
| Save | Disabled until the selected value differs from the stored value | Server-side administrator access and range validation | Persists the selected retention period. The button changes to Saving… while the request is in flight. |
| Saved | Hidden | Appears after a successful save | Confirms CT-Ops stored the setting. |
This setting affects the Container Metrics panel on Host Containers. If retention is shorter than the chart range an operator selects, older chart buckets will be empty even when the container previously had samples.
Docker runtime status, current container inventory, image scan findings, and lifecycle rows are not purged by this retention setting. It applies to raw container metrics used for CPU, memory, network I/O, block I/O, PIDs, and table CPU sparklines.
Use a longer period for high-value hosts where post-incident container evidence matters. Use a shorter period for dense Docker hosts when metric volume is more important than long history. Set a per-host override from the host Management page when one host needs a different retention period from the instance default.
Docker image scanning
The Docker image scanning settings control scheduled image vulnerability scans and the host-level Run image scan action. The agent reports image scan evidence that appears as Exploit risk on the Host Containers page and as Docker image findings in host vulnerability views.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Docker image scanning | Enabled | Boolean switch | Master switch for scheduled Docker image vulnerability scanning. When disabled globally, host-level effective scanning is disabled and the Host Containers Run image scan button is disabled. |
| Scanner mode | Syft on host, Grype in CT-Ops | server_grype or host_local | Chooses where vulnerability matching runs. Syft on host, Grype in CT-Ops has hosts upload SBOM input and CT-Ops process central Grype jobs. Syft and Grype on host has hosts run both tools locally and upload normalized findings. |
| Scan interval | Daily (24 hours) | Integer from 1 to 168 hours. The UI offers every 6, 12, 24, 72, or 168 hours. | Controls the scheduled scan cadence. The host Management page displays this inherited cadence. |
| Max images per cycle | 3 | Integer from 1 to 50 | Limits how many images a host should scan in one scheduled cycle. Raise it for hosts with many important images; lower it to reduce scan pressure. |
| Timeout seconds | 600 | Integer from 30 to 3600 seconds | Maximum time allowed for an image scan task before it should stop waiting. |
| CT-Ops Grype workers | 2 | Integer from 1 to 32; disabled in the UI unless scanner mode is server_grype | Controls the central Grype worker count used when CT-Ops performs server-side Grype analysis. |
| Stale alert threshold hours | 72 | Integer from 1 to 720 hours | Threshold used by Docker image scan stale alert conditions. Use it to decide when old scan evidence should generate operator attention. |
| Save Docker image scanning | Always available to admins | Server-side administrator access and field validation | Persists the complete Docker image scanning settings object. The button changes to Saving… while the request is in flight. |
| Saved | Hidden | Appears after a successful save | Confirms CT-Ops stored the image scanning settings. |
When server-side Grype mode is selected, the settings page explains that hosts run Syft and CT-Ops queues central Grype jobs against uploaded SBOM input using the configured worker count. When host-local mode is selected, the settings page explains that hosts run both Syft and Grype locally and upload normalized findings.
Host-level effects
These global settings are inherited by each host:
| Host area | Effect |
|---|---|
| Host Containers -> Run image scan | Enabled only when global Docker image scanning is on and the host has not disabled image scanning. The action records an immediate scan request timestamp for the host. |
| Host Containers -> Exploit risk | Risk badges depend on the latest image scan runs and open findings collected under these settings. |
| Host Containers -> Container Metrics | Available chart history depends on the effective Docker metric retention period for the host. |
| Host Management -> Docker Retention | Shows inherited global retention, optional host override, and the effective retention period. |
| Host Management -> Docker Image Scanning | Shows global enabled state, scanner mode, inherited cadence, max images per cycle, timeout, last immediate scan request, host disable override, and effective scanning state. |
| Host Inventory -> Vulnerabilities | Docker image findings appear alongside host package findings when image scans report open findings. |
Use the global settings for the normal fleet policy. Use host overrides for exceptions: a dense container host that needs shorter retention, a critical host that needs longer evidence, or a host where image scanning must be paused.
Operator guidance
Start with the defaults unless you have clear operational pressure. A daily scan cadence, three images per cycle, a 10-minute timeout, and 30 days of Docker metrics are conservative defaults for many small and medium deployments.
Increase scan frequency when images change frequently or when vulnerability evidence must be refreshed quickly after patching. Increase max images per cycle when important hosts run many images and scans are falling behind. Increase server Grype workers only when CT-Ops has enough CPU and memory to process more central scans concurrently.
Lower retention or scan limits when database growth, host load, or scan runtime becomes the operational bottleneck. Prefer a per-host override when only one host is unusual.