Container Security Scanning Cheat Sheet
Tools and workflows for scanning container images for vulnerabilities, misconfigurations, and secrets before deployment.
2 PagesIntermediateFeb 12, 2026
Trivy Image Scan
Scan a Docker image for OS and library vulnerabilities.
bash
# Basic scan, fail on HIGH/CRITICALtrivy image --severity HIGH,CRITICAL --exit-code 1 myapp:1.2.0# Scan a Dockerfile for misconfigurationstrivy config ./Dockerfile# Scan for exposed secrets in an imagetrivy image --scanners secret myapp:1.2.0
Grype Vulnerability Scan
Anchore's Grype scanner for images and filesystems.
bash
grype myapp:1.2.0 --fail-on high# Scan a local directory instead of an imagegrype dir:./build# Output SBOM-style JSON for CI artifactsgrype myapp:1.2.0 -o json > scan-results.json
Where to Scan in the Pipeline
Shift-left points for container security checks.
- Pre-commit / IDE- Lint Dockerfiles (hadolint) before code is even pushed
- CI build stage- Scan the built image and fail the pipeline on critical CVEs
- Registry admission- Block pushes/pulls of unscanned or non-compliant images
- Runtime (admission controller)- Kubernetes admission webhook (e.g. OPA/Gatekeeper) rejects unscanned images at deploy time
Hardened Dockerfile Snippet
Common hardening practices to reduce attack surface.
dockerfile
FROM node:18-alpine# Run as non-root userRUN addgroup -S appgroup && adduser -S appuser -G appgroupWORKDIR /appCOPY --chown=appuser:appgroup . .RUN npm ci --only=productionUSER appuserEXPOSE 3000CMD ["node", "server.js"]
Key Concepts
Terms commonly encountered in container security tooling.
- SBOM (Software Bill of Materials)- Machine-readable inventory of all components/packages in an image, e.g. produced by Syft
- Base image minimization- Prefer distroless or alpine images to shrink the vulnerability surface
- CVSS score- Standardized severity score (0-10) used to prioritize remediation
- Admission controller- Kubernetes component that can accept/reject resources at creation time based on policy
Pro Tip
Pin base images by digest, not just tag, in production Dockerfiles — a mutable tag like `node:18-alpine` can silently change under you and reintroduce a vulnerability you already remediated.
Was this cheat sheet helpful?
Explore Topics
#ContainerSecurityScanning#ContainerSecurityScanningCheatSheet#DevOps#Intermediate#TrivyImageScan#GrypeVulnerabilityScan#WhereToScanInThePipeline#HardenedDockerfileSnippet#Security#Docker#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance