What is container security scanning?
Answer
Container security scanning analyzes Docker images for known vulnerabilities in OS packages and application dependencies (CVEs — Common Vulnerabilities and Exposures). Scanning should be part of the CI/CD pipeline — don't deploy images with critical vulnerabilities. Tools: (1) Docker Scout (built into Docker Desktop/Hub): docker scout cves myimage:1.0; (2) Trivy (Aqua Security, free, popular): trivy image myimage:1.0 — scans OS packages, npm, pip, Maven dependencies; (3) Snyk: snyk container test myimage:1.0; (4) Grype: grype myimage:1.0 — fast, open-source; (5) Amazon Inspector: continuous scanning of ECR images; (6) Clair: open-source for self-hosted registries; (7) Harbor: registry with built-in Trivy scanning. Best practices: (1) Base your images on minimal, regularly updated base images (e.g., node:20-alpine with scheduled rebuilds); (2) Pin dependency versions; (3) Scan in CI before pushing to registry; (4) Set a vulnerability threshold (block on CRITICAL, warn on HIGH); (5) Regularly rebuild and re-scan existing images; (6) Separate build-time tools from runtime (multi-stage) — fewer packages = fewer vulnerabilities; (7) Run as non-root (USER instruction).