100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Container Security Scanning Cheat Sheet

Container Security Scanning Cheat Sheet

Tools and workflows for scanning container images for vulnerabilities, misconfigurations, and secrets before deployment.

2 PagesIntermediateFeb 12, 2026

Trivy Image Scan

Scan a Docker image for OS and library vulnerabilities.

bash
# Basic scan, fail on HIGH/CRITICALtrivy image --severity HIGH,CRITICAL --exit-code 1 myapp:1.2.0# Scan a Dockerfile for misconfigurationstrivy config ./Dockerfile# Scan for exposed secrets in an imagetrivy image --scanners secret myapp:1.2.0

Grype Vulnerability Scan

Anchore's Grype scanner for images and filesystems.

bash
grype myapp:1.2.0 --fail-on high# Scan a local directory instead of an imagegrype dir:./build# Output SBOM-style JSON for CI artifactsgrype myapp:1.2.0 -o json > scan-results.json

Where to Scan in the Pipeline

Shift-left points for container security checks.

  • Pre-commit / IDE- Lint Dockerfiles (hadolint) before code is even pushed
  • CI build stage- Scan the built image and fail the pipeline on critical CVEs
  • Registry admission- Block pushes/pulls of unscanned or non-compliant images
  • Runtime (admission controller)- Kubernetes admission webhook (e.g. OPA/Gatekeeper) rejects unscanned images at deploy time

Hardened Dockerfile Snippet

Common hardening practices to reduce attack surface.

dockerfile
FROM node:18-alpine# Run as non-root userRUN addgroup -S appgroup && adduser -S appuser -G appgroupWORKDIR /appCOPY --chown=appuser:appgroup . .RUN npm ci --only=productionUSER appuserEXPOSE 3000CMD ["node", "server.js"]

Key Concepts

Terms commonly encountered in container security tooling.

  • SBOM (Software Bill of Materials)- Machine-readable inventory of all components/packages in an image, e.g. produced by Syft
  • Base image minimization- Prefer distroless or alpine images to shrink the vulnerability surface
  • CVSS score- Standardized severity score (0-10) used to prioritize remediation
  • Admission controller- Kubernetes component that can accept/reject resources at creation time based on policy
Pro Tip

Pin base images by digest, not just tag, in production Dockerfiles — a mutable tag like `node:18-alpine` can silently change under you and reintroduce a vulnerability you already remediated.

Was this cheat sheet helpful?

Explore Topics

#ContainerSecurityScanning#ContainerSecurityScanningCheatSheet#DevOps#Intermediate#TrivyImageScan#GrypeVulnerabilityScan#WhereToScanInThePipeline#HardenedDockerfileSnippet#Security#Docker#CheatSheet#SkillVeris