Container Image Scanning
What is Container Image Scanning?
The practice of analyzing OCI/Docker images for known vulnerabilities, secrets, malware, and policy violations before they are deployed to a container runtime.
Container image scanning inspects every layer of an OCI image — including the base OS, language packages, embedded binaries, and metadata — to identify known CVEs, embedded credentials, malware signatures, and non-compliant configurations. Tooling falls into two families: open-source scanners (Trivy by Aqua Security, Grype by Anchore, Clair, and Docker Scout) and commercial CNAPPs (Snyk Container, Prisma Cloud, Wiz, Sysdig Secure). Scans are typically run at three points: developer workstation, CI pipeline (failing builds on policy breach), and registry admission. Modern programs also generate signed SBOMs and feed them into supply-chain attestation systems such as Sigstore and SLSA to ensure provenance and reproducibility.
● Examples
- 01: Failing a GitHub Actions job when a base image contains a CVSS 9.8 vulnerability in openssl.
- 02: Blocking deployment of an image that includes a leaked .npmrc with an npm publish token.
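The two examples above are both decisions a CI policy gate makes over a scanner's report. The following Python gate is an added example for this entry, not code from the page or from any of the tools it names. The report layout mirrors the shape of Trivy's JSON output (a top-level `Results` list whose entries carry `Vulnerabilities` and `Secrets`), but the sample report is constructed, the CVE identifiers are placeholders, and the thresholds (`min_block_severity`, `require_fix`, `block_secrets`) are assumptions a team would tune to its own risk appetite. It blocks on the fixable CRITICAL openssl finding and on the npm token in `.npmrc`, and demotes an unfixable HIGH finding to an advisory so the build does not fail on something nobody can act on yet.

```python
"""CI policy gate over a container image scan report (added example).

The report shape below follows Trivy's JSON layout (Results[].Vulnerabilities,
Results[].Secrets), but every value is constructed for illustration and the
policy thresholds are assumptions, not a vendor default.
"""
import json
import sys

# Constructed sample report: one fixable CRITICAL CVE in openssl, one HIGH CVE
# with no fix available yet, and a leaked npm token in a .npmrc baked into
# the image. CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example/app:1.4.2 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00000", "PkgName": "openssl",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libxml2",
                 "InstalledVersion": "2.9.14", "FixedVersion": "",
                 "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            ],
        },
        {
            "Target": "app/.npmrc",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "npm-access-token", "Category": "npm",
                 "Severity": "CRITICAL", "Title": "npm access token",
                 "StartLine": 1},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def cvss_v3_score(vuln):
    """Highest CVSS v3 base score across the report's scoring sources, or None."""
    scores = [src.get("V3Score") for src in (vuln.get("CVSS") or {}).values()
              if isinstance(src, dict) and src.get("V3Score") is not None]
    return max(scores) if scores else None


def evaluate_report(report_json, min_block_severity="HIGH",
                    require_fix=True, block_secrets=True):
    """Apply the gate policy to a scan report.

    Returns {"blocked": bool, "blocking": [...], "advisory": [...]}, where each
    finding is a dict with kind, id, target, severity and detail. A vulnerability
    blocks when its severity reaches min_block_severity and (if require_fix) a
    fixed version exists; severe-but-unfixable ones become advisories. Secrets
    always block when block_secrets is set, regardless of severity.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_block_severity.upper()]
    blocking, advisory = [], []

    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            fixed = vuln.get("FixedVersion") or ""
            finding = {
                "kind": "vulnerability", "id": vuln.get("VulnerabilityID", ""),
                "target": target, "severity": sev,
                "detail": "%s %s -> %s (CVSS %s)" % (
                    vuln.get("PkgName", "?"), vuln.get("InstalledVersion", "?"),
                    fixed or "no fix", cvss_v3_score(vuln)),
            }
            (blocking if fixed or not require_fix else advisory).append(finding)
        if block_secrets:
            for secret in result.get("Secrets") or []:
                blocking.append({
                    "kind": "secret", "id": secret.get("RuleID", ""),
                    "target": target,
                    "severity": str(secret.get("Severity", "UNKNOWN")).upper(),
                    "detail": "%s at line %s" % (
                        secret.get("Title", "secret"), secret.get("StartLine", "?")),
                })

    return {"blocked": bool(blocking), "blocking": blocking, "advisory": advisory}


def exit_code(decision):
    """Process exit status for CI: non-zero fails the job."""
    return 1 if decision["blocked"] else 0


if __name__ == "__main__":
    # With a path argument, gate a real report (for example one written with
    # `trivy image --format json -o report.json <image>`); otherwise use the sample.
    report_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    decision = evaluate_report(report_json)
    for f in decision["blocking"]:
        print("BLOCK", f["severity"], f["id"], f["target"], f["detail"])
    for f in decision["advisory"]:
        print("WARN ", f["severity"], f["id"], f["target"], f["detail"])
    sys.exit(exit_code(decision))
```

The `require_fix` split is the design choice worth copying: failing a build on a vulnerability with no available fix teaches developers to ignore the gate, so those are surfaced as advisories and tracked separately, while secrets block unconditionally because rotation, not a rebuild, is the remediation.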
● Frequently asked questions
What is Container Image Scanning?
The practice of analyzing OCI/Docker images for known vulnerabilities, secrets, malware, and policy violations before they are deployed to a container runtime. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Container Image Scanning?
Common alternative names include: image scanning, container vulnerability scanning.
● Related terms
- Trivy (defense-ops, № 1175)
  An open-source, single-binary scanner from Aqua Security that finds CVEs, misconfigurations, secrets, SBOM data, and license issues in container images, file systems, Git repos, and Kubernetes clusters.
- CVE (Common Vulnerabilities and Exposures) (vulnerabilities, № 259)
  A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
- Kubernetes Security (cloud-security, № 600)
  The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- Shift-Left Security (appsec, № 1033)
  The practice of moving security activities earlier in the software lifecycle so vulnerabilities are found and fixed before code reaches production.
● See also
- Falco (№ 403)