Practice : Container Security Scanning

Purpose and Strategic Importance

Container Security Scanning identifies vulnerabilities, misconfigurations, and malware in container images before they are deployed. It ensures that containerised workloads meet security baselines and helps prevent known issues from propagating into production environments.

This practice is vital for securing cloud-native applications, supporting compliance, and enabling fast, secure delivery in CI/CD workflows.

Description of the Practice

  • Container scanners analyse Docker images for known CVEs, insecure packages, hardcoded secrets, and configuration issues.
  • Scans occur during CI/CD, image builds, or registry pushes, and may integrate with orchestration platforms (e.g. Kubernetes, OpenShift).
  • Tools include Trivy, Clair, Anchore, Snyk, Aqua Security, Prisma Cloud, and native scanners in GitHub and GitLab.

How to Practise It (Playbook)

1. Getting Started

  • Choose a container scanning tool that integrates with your build system or image registry.
  • Scan base images, application layers, and dependencies during every build.
  • Fail builds or raise alerts for critical/high-severity vulnerabilities.
  • Document and track exceptions with clear business justification and remediation plans.

2. Scaling and Maturing

  • Automate scanning in pipelines and enforce policies based on severity, fixability, or age.
  • Use allowlists or baseline-approved images to reduce false positives and noise.
  • Regularly re-scan stored images to catch newly disclosed vulnerabilities.
  • Integrate scanning results with dashboards, SIEMs, or ticketing systems for visibility and ownership.
  • Apply namespace or team-level ownership for container security accountability.

3. Team Behaviours to Encourage

  • Treat image hygiene as part of software quality - not a separate function.
  • Stay current with base images and use minimal, secure images (e.g. Alpine, distroless).
  • Embed scanning results into peer review and delivery rituals.
  • Celebrate zero-vulnerability builds and fast fix turnarounds.

4. Watch Out For…

  • Incomplete scanning - e.g. registry scans without build context or pipeline coverage.
  • Alert fatigue from low-quality or outdated scan data.
  • Lack of ownership for fixing image vulnerabilities.
  • Using unverified or unofficial images from public registries.

5. Signals of Success

  • Vulnerabilities are caught and resolved before images reach production.
  • Teams monitor and maintain image hygiene proactively.
  • No critical CVEs are present in deployed workloads.
  • Secure base images are reused and standardised across teams.
  • Scanning becomes a natural part of build and release processes.