Session 5 - Container Scanning
Container scanning and why Trivy? As a matter of fact does anyone use any other tool?
Think of containers as the Old server setup. There used to be a vulnerability scanner, which wouldnt identify all vulnerabilities and the severity level, so we could either do a scan before provisioning services or after. The same applies to containerised environment.
Lets have fun.
1. Why Container Scanning Became Essential
As containerized applications gained popularity, so did their risks. Containers bundle an application with its dependencies, but that also means they can contain vulnerable packages, misconfigurations, or embedded secrets.
Before scanning was common:
- Developers shipped images without knowing what's inside.
- Vulnerabilities were only discovered post-deployment.
- There was no visibility into base image risks or dependency issues.
Container scanning helps detect issues early, before containers hit production—making it a key practice in DevSecOps.
2. What Container Scanners Actually Do
Container scanners inspect image layers and report on:
- Known vulnerabilities (CVEs) in OS packages and app dependencies
- Misconfigurations (e.g., root user, no healthcheck, exposed ports)
- Secrets (e.g., API keys, hardcoded passwords)
- Compliance violations (PCI DSS, CIS Docker Benchmark)
Scans are often done before pushing to registries or as part of CI/CD pipelines.
3. Types of Container Scanning
| Type | What It Covers | Example Tools |
|---|---|---|
| Static Image Scanning | Analyzes image layers & package manifests | Trivy, Grype, Snyk |
| Dockerfile Analysis | Flags insecure instructions (e.g., ADD, latest tag) |
Dockle, Hadolint |
| Registry Scanning | Scans images already stored in registries | Amazon ECR, Harbor, GitLab Container Scanning |
| Runtime Scanning | Monitors running containers for threats | Falco, Aqua |
4. Popular Container Scanning Tools
| Tool | What It Does | Strengths |
|---|---|---|
| Trivy | Scans images, Dockerfiles, SBOMs | Fast, all-in-one, widely used |
| Grype | Vulnerability scanner | SBOM support, CLI-friendly |
| Dockle | Dockerfile linter | Ensures Dockerfile follows best practices |
| Anchore Engine | Deep container analysis | Policy-as-code, CI/CD friendly |
| Snyk | Vulnerability detection + fixes | Integrates with Git & DockerHub |
5. Container Scanning in CI/CD Pipelines
Scanning containers in your CI/CD ensures insecure images are blocked before release.
Typical CI/CD flow:
- Build the Docker image.
- Run vulnerability & policy scans.
- Fail the pipeline if critical issues are found.
- Upload reports (e.g., SARIF, HTML) for visibility.
Example with Trivy:
bash
CopyEdit
trivy image --format sarif -o results.sarif my-app:latest
Then convert and report in CI/CD for code quality insights.
6. Compliance Standards for Containers
Container scanning helps meet compliance by detecting violations against:
- CIS Docker Benchmark – Secure container runtime & build practices
- PCI DSS – Secure software development & vulnerability management
- ISO 27001 / SOC 2 – Secure configurations, access controls
- NIST 800-190 – Application container security guidelines
7. Best Practices for Secure Container Images
- Use minimal base images (e.g., Alpine) to reduce attack surface
- Regularly update base images to patch known CVEs
- Don’t run containers as root
- Scan before pushing to the registry
- Remove unnecessary tools & packages
- Sign images with cosign or Notary
- Store images in trusted registries
- Scan containers both at build and runtime
8. Integrate with IaC and Kubernetes
Many vulnerabilities arise from how images are deployed. So:
- Use PodSecurityPolicies / Kyverno to enforce image behavior.
- Combine with IaC scanning for full-stack coverage.
- Ensure RBAC, NetworkPolicies, and secrets are configured securely.