Learn how to scan Docker images for vulnerabilities using Trivy, Clair, and other tools. Implement security scanning in your CI/CD pipeline.
Container security is critical. This guide shows you how to scan Docker images for vulnerabilities and integrate scanning into your pipeline.
Trivy is a comprehensive security scanner:
```bash
# Install Trivy
brew install trivy

# Scan image
trivy image nginx:latest

# Scan with JSON output
trivy image -f json -o report.json nginx:latest

# Scan for specific severity
trivy image --severity HIGH,CRITICAL nginx:latest
```
Integrate the scan into CI so every pushed image is checked, for example with GitHub Actions:

```yaml
# GitHub Actions
name: Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build image
        run: docker build -t myapp .
      - name: Run Trivy
        # Pin the action to a release tag or commit SHA rather than @master
        # so the scanner itself is a reproducible part of the pipeline
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp
          format: 'sarif'
          output: 'trivy-results.sarif'
```
Scanning finds problems; the Dockerfile itself should give it less to find:

```dockerfile
# Use specific versions
FROM node:18-alpine

# Minimize layers: install and clean up in a single RUN, and do it before
# switching to the non-root user. On Alpine the package tool is apk; the
# Debian/Ubuntu equivalent is
#   apt-get update && apt-get install -y package && rm -rf /var/lib/apt/lists/*
RUN apk add --no-cache package

# Run as non-root user
RUN addgroup -g 1000 appuser && \
    adduser -D -u 1000 -G appuser appuser
USER appuser

# Scan the built image as part of the build step:
# docker build -t myapp . && trivy image myapp
```
A multi-stage build keeps compilers, build tooling and their vulnerabilities out of the production image:

```dockerfile
# Build stage
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine
RUN addgroup -g 1000 appuser && \
    adduser -D -u 1000 -G appuser appuser
WORKDIR /app
COPY --from=builder /app/dist ./dist
# Note: the builder's node_modules still contains devDependencies; install
# with `npm ci --omit=dev` in this stage if you want a smaller scan surface
COPY --from=builder /app/node_modules ./node_modules
USER appuser
CMD ["node", "dist/index.js"]
```
To gate deployments programmatically, wrap Trivy's JSON output in a script:

```python
import json
import subprocess


def scan_image(image_name):
    """Run Trivy on an image and fail if any CRITICAL vulnerability is found."""
    result = subprocess.run(
        ["trivy", "image", "-f", "json", image_name],
        capture_output=True,
        text=True,
    )
    # A non-zero exit means the scan itself failed (image not found, DB
    # download error, ...); that must not be mistaken for a clean report.
    if result.returncode != 0:
        raise RuntimeError(f"trivy failed: {result.stderr.strip()}")
    report = json.loads(result.stdout)
    # Check every Results entry: OS packages and language packages are
    # reported separately, and "Vulnerabilities" is null for a clean target.
    critical_vulns = [
        v
        for res in report.get("Results") or []
        for v in res.get("Vulnerabilities") or []
        if v.get("Severity") == "CRITICAL"
    ]
    if critical_vulns:
        raise Exception(f"Found {len(critical_vulns)} critical vulnerabilities")
    return report
```
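As an added example (not the page's own code), here is a release gate over a Trivy JSON report that walks every Results entry, applies a severity threshold, honours an accepted-risk list (the role a .trivyignore file plays) and can block only on findings that already have a fix. The embedded report is constructed to mimic Trivy's output shape, and the CVE ids in it are placeholders.

```python
# Constructed sample in the shape of `trivy image -f json` output: one "Results"
# entry per scanned target; "Vulnerabilities" is null when a target is clean.
# The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "myapp (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3",
             "Severity": "CRITICAL", "InstalledVersion": "3.1.0-r0",
             "FixedVersion": "3.1.4-r0"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
             "Severity": "HIGH", "InstalledVersion": "1.36.0-r0",
             "FixedVersion": ""},
        ]},
        {"Target": "Node.js", "Vulnerabilities": None},
        {"Target": "app/package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "lodash",
             "Severity": "HIGH", "InstalledVersion": "4.17.20",
             "FixedVersion": "4.17.21"},
        ]},
    ]
}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_vulns(report):
    """Yield (target, vuln) for every finding in every Results entry."""
    for res in report.get("Results") or []:
        for v in res.get("Vulnerabilities") or []:
            yield res.get("Target", ""), v


def gate(report, min_severity="HIGH", ignore_ids=(), fixed_only=False):
    """Return the findings that should block a release as
    (target, id, package, severity) tuples.
    ignore_ids plays the role of a .trivyignore accepted-risk list;
    fixed_only=True blocks only on findings that already have a fix,
    so unfixable upstream issues do not stall every build."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for target, v in iter_vulns(report):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
            continue
        if v.get("VulnerabilityID") in ignore_ids:
            continue
        if fixed_only and not v.get("FixedVersion"):
            continue
        blocking.append((target, v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return blocking
```

In a pipeline, load the file written by `trivy image -f json -o report.json` with `json.load` and fail the job when `gate(...)` returns a non-empty list.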
Container security scanning should be part of every deployment pipeline. Start with Trivy and gradually add more sophisticated scanning tools.
For container security scanning, define pre-deploy checks, rollout gates, and rollback triggers before release. Track p95 latency, error rate, and cost per request for at least 24 hours after deployment. If the trend regresses from baseline, revert quickly and document the decision in the runbook.
Keep the operating model simple under pressure: one owner per change, one decision channel, and clear stop conditions. Review alert quality regularly to remove noise and ensure on-call engineers can distinguish urgent failures from routine variance.
Repeatability is the goal. Convert successful interventions into standard operating procedures and version them in the repository so future responders can execute the same flow without ambiguity.