What is container image scanning and which tools are commonly used?
Answer
Container image scanning analyzes Docker images for known vulnerabilities in the OS packages, language runtimes, and libraries bundled inside the image. Because Docker images often include a full OS layer with dozens of packages, even official base images regularly contain CVEs (Common Vulnerabilities and Exposures). In CI/CD, image scanning runs after docker build and before pushing to the registry or deploying. Common tools include: Trivy (by Aqua Security, fast, open-source, scans images, filesystems, and git repos), Grype (by Anchore, open-source, comprehensive vulnerability database), Snyk Container (cloud service with developer-friendly reporting), and AWS Inspector (integrated with ECR). Best practice is to set a policy that blocks deployment of images with CRITICAL or HIGH severity CVEs, and to keep base images updated regularly. Use distroless or minimal base images (Alpine, Chainguard) to minimize the attack surface.
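The blocking policy described above, as an added example that is not part of the original answer: a small CI gate that reads a Trivy JSON report (the layout of `trivy image --format json`, with a constructed sample inline and placeholder CVE ids) and returns a non-zero exit code when any CRITICAL or HIGH finding is present. The `ignore_unfixed` switch and the `gate.py` usage line are assumptions for illustration.

```python
import json
import sys

# Severities that fail the gate, matching the policy in the answer above.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample in the layout of `trivy image --format json`; the CVE ids
# and package versions are placeholders, not real advisories.
SAMPLE_REPORT = {"Results": [
    {"Target": "app:1.2.3 (alpine 3.18.4)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
         "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
         "FixedVersion": "", "Severity": "HIGH"},   # no upstream fix yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
         "FixedVersion": "1.3-r0", "Severity": "MEDIUM"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
         "FixedVersion": "2.31.0", "Severity": "HIGH"}]},
    {"Target": "usr/bin/static-tool", "Vulnerabilities": None}]}  # may be null or absent

def blocking_findings(report, ignore_unfixed=False):
    """Findings that violate the policy, as (target, id, package, severity)."""
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # tolerate null lists
            if vuln.get("Severity") not in BLOCKING_SEVERITIES:
                continue
            # Unfixed findings cannot be cleared by rebuilding; some teams
            # track them separately instead of blocking every build on them.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append((result["Target"], vuln["VulnerabilityID"],
                         vuln["PkgName"], vuln["Severity"]))
    return hits

def gate(report, ignore_unfixed=False):
    """Pipeline exit code: 0 lets the push/deploy proceed, 1 blocks it."""
    hits = blocking_findings(report, ignore_unfixed)
    for target, vid, pkg, sev in hits:
        print(f"{sev:8} {vid:14} {pkg:10} in {target}")
    print(f"blocking findings: {len(hits)}")
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: trivy image --format json app:1.2.3 | python gate.py
    sys.exit(gate(json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT))
```

For the plain case Trivy can enforce the same rule on its own with `--severity CRITICAL,HIGH --exit-code 1` (and `--ignore-unfixed`); a separate gate like this one is worth having once the policy needs per-team exceptions or reporting that the CLI flags do not express.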