🐳 Docker Intermediate

What is container security scanning?

Why Interviewers Ask This

Mid-level Docker roles require deep understanding of this topic. Interviewers ask this to separate candidates who truly understand the mechanics from those who only know surface-level concepts.

Answer

Container security scanning analyzes Docker images for known vulnerabilities (CVEs — Common Vulnerabilities and Exposures) in OS packages and application dependencies. Scanning belongs in the CI/CD pipeline — don't deploy images with critical vulnerabilities.

Tools:
(1) Docker Scout (built into Docker Desktop/Hub): docker scout cves myimage:1.0
(2) Trivy (Aqua Security, free, popular): trivy image myimage:1.0 — scans OS packages plus npm, pip and Maven dependencies
(3) Snyk: snyk container test myimage:1.0
(4) Grype: grype myimage:1.0 — fast, open-source
(5) Amazon Inspector: continuous scanning of ECR images
(6) Clair: open-source scanner for self-hosted registries
(7) Harbor: registry with built-in Trivy scanning

Best practices:
(1) Base images on minimal, regularly updated bases (e.g., node:20-alpine) with scheduled rebuilds
(2) Pin dependency versions
(3) Scan in CI before pushing to the registry
(4) Set a vulnerability threshold (block on CRITICAL, warn on HIGH)
(5) Regularly rebuild and re-scan existing images, since new CVEs are published against packages that were clean at build time
(6) Separate build-time tools from the runtime image (multi-stage builds) — fewer packages means fewer vulnerabilities
(7) Run as a non-root user (USER instruction)
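As an added example (not part of the original answer), a small CI gate that reads a Trivy JSON report and applies the "block on CRITICAL, warn on HIGH" threshold from best practice (4). The embedded report is a constructed sample whose field names follow Trivy's `--format json` output as assumed here; the CVE IDs are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report: block on CRITICAL, warn on HIGH."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output
# (field names as assumed from Trivy's report; the CVE IDs are placeholders).
SAMPLE_REPORT = json.dumps({"ArtifactName": "myimage:1.0", "Results": [
    {"Target": "myimage:1.0 (alpine 3.19)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
         "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
         "Severity": "HIGH"}]},
    {"Target": "app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
         "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
         "Severity": "MEDIUM"}]},
]})

def evaluate(report_json, block_on=("CRITICAL",), ignore_unfixed=False):
    """Return (passed, counts, findings). passed is False if any finding's
    severity is in block_on; everything else is reported as a warning and
    does not fail the build. ignore_unfixed drops findings with no fix yet."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append({"target": result.get("Target", ""),
                             "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "installed": v["InstalledVersion"],
                             "fixed": v.get("FixedVersion") or "",
                             "severity": v["Severity"]})
    counts = Counter(f["severity"] for f in findings)
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, counts, findings

def main(argv):
    """CI entry point: `python gate.py report.json`; exit status 1 blocks the push."""
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, counts, findings = evaluate(raw)
    for f in findings:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} "
              f"-> {f['fixed'] or 'no fix yet'} ({f['target']})")
    print("summary:", dict(counts), "| gate:", "PASS" if passed else "BLOCK")
    return 0 if passed else 1
if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For the simplest form of the same policy Trivy can fail the build itself (trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed myimage:1.0); the script above is for when you want block and warn levels reported from one scan.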

Pro Tip

Back up your answer with a specific project or situation. Saying 'In my last Docker project, I used this when...' immediately makes your answer more credible and memorable.