Container Security Scanning
Scan container images for known vulnerabilities, misconfigurations, and embedded secrets before deployment.
Description
Container security scanning analyzes Docker images for known vulnerabilities (CVEs) in OS packages and application dependencies, misconfigurations in Dockerfiles, embedded secrets (API keys, passwords), and compliance violations. This is a critical gate in the CI/CD pipeline that prevents deploying images with known security issues to production.
Scanning tools like Trivy, Grype, Snyk Container, and AWS ECR native scanning compare packages in the image against vulnerability databases (NVD, OS vendor advisories, GitHub Security Advisories). Scans should be performed at multiple points: during CI/CD (blocking builds with critical/high vulnerabilities), in the container registry (continuous scanning as new CVEs are disclosed), and at admission time in Kubernetes (using admission controllers like Kyverno or OPA Gatekeeper to block unscanned or vulnerable images).
Effective container security goes beyond vulnerability scanning: use minimal base images to reduce attack surface, run as non-root, set the filesystem to read-only where possible, drop unnecessary Linux capabilities, enable seccomp and AppArmor profiles, and sign images with cosign for supply chain integrity. Vulnerability findings should be prioritized based on CVSS score, exploitability, and whether the vulnerable package is actually reachable in the running application. A practical approach is to fail builds only on critical/high severity with a known fix available, while tracking medium/low findings for scheduled remediation.
Prompt Snippet
Integrate Trivy container scanning into the CI/CD pipeline as a required job after Docker image build. Run trivy image --severity CRITICAL,HIGH --exit-code 1 --ignore-unfixed to fail the build on critical/high CVEs that have available fixes. Generate SARIF output (--format sarif) and upload to GitHub Security tab via github/codeql-action/upload-sarif. Additionally run trivy config to scan the Dockerfile for misconfigurations and trivy fs to scan the application source for embedded secrets. Enable ECR Enhanced Scanning for continuous vulnerability monitoring of pushed images. Implement a weekly scheduled workflow that re-scans the latest production image and opens a GitHub Issue if new vulnerabilities are found.
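A CI gate implementing the prioritization policy described above (fail only on CRITICAL/HIGH findings with a known fix, keep unfixed and lower-severity findings for tracking), written as an added example for this page rather than code from Trivy or the original page. It assumes the report was produced with `trivy image --format json` and reads the `Results[].Vulnerabilities[]` fields Trivy emits; the image name and CVE ids in the embedded sample are constructed placeholders.

```python
import json
from collections import Counter

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed Trivy-style JSON report (not real scanner output); CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [
        {"Target": "app (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
             "FixedVersion": "1.0-2", "Severity": "CRITICAL"},           # fix available -> blocks build
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
             "Severity": "HIGH"},                                        # no FixedVersion -> ignored
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "InstalledVersion": "0.9",
             "FixedVersion": "0.9.1", "Severity": "MEDIUM"},             # tracked, not blocking
        ]},
        # a clean target: Trivy may omit the key or emit null instead of an empty list
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
})

def triage(report):
    """Bucket findings: 'blocking' = CRITICAL/HIGH with a FixedVersion (what --severity
    CRITICAL,HIGH --ignore-unfixed --exit-code 1 fails on), 'unfixed' = CRITICAL/HIGH with no
    fix yet, 'tracked' = every other severity for scheduled remediation."""
    buckets = {"blocking": [], "unfixed": [], "tracked": []}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # tolerate null / missing key
            finding = {
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": f"{vuln['PkgName']} {vuln.get('InstalledVersion', '?')}",
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            }
            if finding["severity"] not in BLOCKING_SEVERITIES:
                buckets["tracked"].append(finding)
            elif finding["fixed"]:
                buckets["blocking"].append(finding)
            else:
                buckets["unfixed"].append(finding)
    return buckets

def gate(report_json):
    """Return (exit_code, per-bucket severity counts, buckets); exit 1 mirrors `--exit-code 1`."""
    buckets = triage(json.loads(report_json))
    summary = {name: Counter(f["severity"] for f in items) for name, items in buckets.items()}
    return (1 if buckets["blocking"] else 0), summary, buckets

if __name__ == "__main__":
    code, summary, buckets = gate(SAMPLE_REPORT)
    for f in buckets["blocking"]:
        print(f"BLOCK {f['id']} {f['pkg']} -> upgrade to {f['fixed']} ({f['target']})")
    print("summary:", {k: dict(v) for k, v in summary.items()}, "exit code:", code)
```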
Related Terms
Docker Containerization
Package applications and their dependencies into isolated, portable containers using Docker.
Dockerfile Best Practices
Write efficient, secure, and maintainable Dockerfiles that produce minimal, production-ready images.
Multi-Stage Docker Builds
Use multiple FROM instructions in a Dockerfile to separate build dependencies from the final production image.
CI/CD Pipeline Design
Automate building, testing, and deploying code through a structured pipeline triggered by version control events.
Secrets in CI/CD
Securely store, access, and rotate sensitive credentials used in CI/CD pipelines without exposing them in code or logs.