Container Scanning
Container scanning identifies known vulnerabilities in container images before they are deployed, and keeps checking them afterwards as new advisories are published. A scanner inspects image layers, the OS and application packages inside them, and configuration files, and matches what it finds against vulnerability databases.
What is Container Scanning?
Container scanners:
- Analyze image layers - Check each layer for vulnerabilities, so a finding can be traced back to the Dockerfile instruction that introduced it
- Scan dependencies - Identify vulnerable OS packages (apt, apk, rpm) and application packages (npm, pip, Go modules, Java jars) by name and version
- Check configurations - Find misconfigurations such as a container that runs as root or secrets copied into an image layer
- Generate SBOMs - Create a Software Bill of Materials (CycloneDX or SPDX) listing every package found, which can be rescanned later without pulling the image again
When to Scan
CI/CD Pipeline
Scan images during build:
```mermaid
flowchart LR
    A[Build Image] --> B[Scan Image]
    B --> C{Vulnerabilities?}
    C -->|Critical| D[Block Deployment]
    C -->|High or lower| E[Allow with Warning]
    C -->|None| F[Deploy]
    style D fill:#ffebee
    style E fill:#fff4e1
    style F fill:#e8f5e9
```
Image Registry
Scan images in registries:
- On push - Scan when images are uploaded, so a bad image is caught at the registry even if a pipeline skipped the scan
- Periodically - Rescan stored images on a schedule, because new CVEs are published against packages that were clean when the image was first scanned
- On pull - Verify before deployment, typically with an admission controller that rejects images whose latest scan fails policy
Runtime
Monitor running containers:
- Continuous monitoring - Re-evaluate deployed images against new vulnerability data, so a container that passed at build time is flagged when a CVE is published later
- Runtime scanning - Inspect what is actually running, including packages installed after the image was built (for example through a shell into the container), which an image scan never sees
Scanning Strategies
1. Block Critical Vulnerabilities
Reject images with critical CVEs. The policy below is illustrative; each scanner and admission controller has its own syntax, but all of them can express a severity threshold and an action:
```yaml
# Policy example (illustrative syntax, not a specific tool's)
severity: CRITICAL
action: BLOCK
```
2. Warn on High Severity
Allow the deployment but alert on it, so the finding is tracked and fixed on the next rebuild rather than left unseen:
```yaml
severity: HIGH
action: WARN
```
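A gate that implements the pipeline decision above (block on critical, warn on high, deploy otherwise) and the two policy fragments, as an added example that is not code from the original page or from the Trivy project. It reads the JSON that `trivy image --format json --output report.json <image>` writes. The report embedded below is constructed for the example; its package names, versions and CVE identifiers are placeholders, and the `POLICY` mapping, `findings()` and `evaluate()` are this example's own names.

```python
"""Pipeline gate over a Trivy JSON report (added example, not Trivy's code)."""
import json
from collections import Counter

# Severity -> action, mirroring the two policy fragments on the page.
# Severities not listed fall through to ALLOW.
POLICY = {"CRITICAL": "BLOCK", "HIGH": "WARN"}

# Highest action wins: one BLOCK anywhere blocks the whole deployment.
_ACTION_RANK = {"ALLOW": 0, "WARN": 1, "BLOCK": 2}

# Constructed report in the shape of `trivy image --format json` (SchemaVersion 2).
# Only the fields the gate reads are included; IDs and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-lib",
                 "InstalledVersion": "2.1.0", "FixedVersion": "2.1.1",
                 "Severity": "LOW"},
            ],
        },
    ],
})


def findings(report, ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities[] into one list of dicts.

    ignore_unfixed drops findings with no FixedVersion, the same effect as
    trivy's --ignore-unfixed: a rebuild cannot remediate them yet.
    Trivy leaves Vulnerabilities null/absent for a clean target, hence `or []`.
    """
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln["Severity"].upper(),
                "target": result.get("Target", ""),
            })
    return out


def evaluate(report_json, policy=POLICY, ignore_unfixed=False):
    """Return (action, per-severity counts, findings) for a Trivy JSON string."""
    found = findings(json.loads(report_json), ignore_unfixed)
    counts = Counter(f["severity"] for f in found)
    action = "ALLOW"
    for f in found:
        candidate = policy.get(f["severity"], "ALLOW")
        if _ACTION_RANK[candidate] > _ACTION_RANK[action]:
            action = candidate
    return action, dict(counts), found


def main():
    action, counts, found = evaluate(SAMPLE_REPORT)
    for f in found:
        fix = f["fixed"] or "no fix yet"
        print(f"{f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} -> {fix} [{f['target']}]")
    print(f"counts={counts} action={action}")
    # Non-zero exit only for BLOCK, so the CI job fails; WARN stays green but is logged.
    return 1 if action == "BLOCK" else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

For the block tier alone, Trivy needs no script: `trivy image --severity CRITICAL --exit-code 1 <image>` exits non-zero when any critical finding exists. The script exists for the warn tier and for the `ignore_unfixed` choice, which matters in practice: a critical CVE with no fixed version cannot be remediated by rebuilding, so teams often warn on it and rely on periodic rescans to catch the fix when it lands, rather than leave the pipeline red for days.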
3. Generate SBOMs
Create a Software Bill of Materials for every image you ship, in CycloneDX (or SPDX) format, and store it alongside the image:
```bash
trivy image --format cyclonedx --output sbom.cdx.json nginx:latest
```
The stored SBOM can be rescanned with `trivy sbom sbom.cdx.json` when new CVEs are published, without pulling the image again.
See Also
- Supply Chain Security - Overview of supply chain security
- Sigstore - Image signing and verification