Container image scanning that catches real risk
Most container scans drown teams in noise. Here is how to scan with Trivy or Grype, prioritize by exploitability, and gate deployments without breaking releases.
Container image scanning identifies known vulnerabilities in OS packages and language libraries baked into a container image. Trivy (Aqua), Grype (Anchore), Clair, Snyk Container, and the integrated scanners in AWS ECR, GitHub Container Registry, and GitLab Container Registry are the practical options. Trivy and Grype are open-source, fast, and have largely replaced earlier tools because they aggregate the National Vulnerability Database with distro-specific feeds — Alpine SecDB, Debian Security Tracker, Red Hat Security Data — giving accurate fixed-status data.
A naive scan of a Java or Python image returns hundreds of CVEs, most of them unreachable in your code path. Severity alone is insufficient; not every CVSS 9.8 is exploitable in your context. Use exploitability filters. EPSS (Exploit Prediction Scoring System) from FIRST.org assigns each CVE a probability of exploitation in the next 30 days. Combine: severity (CVSS) plus exploitability (EPSS plus CISA KEV) plus reachability (does the affected function get called from your entry points) yields an actionable shortlist.
Scan in three places. First, in CI on every pull request — fail the build on critical CVEs introduced by new dependencies or new base image. Second, in the registry — re-scan periodically as new CVEs are disclosed against images already pushed; an image clean at build time is dirty a week later. Third, at deploy time — admission controllers like Kyverno, OPA Gatekeeper, or the cloud CNCF tools enforce a policy gate. Fourth optionally, at runtime — Falco and Tetragon detect exploitation behavior.
Reduce the attack surface so scans return less. Use minimal base images — distroless, Alpine, Chainguard Images, Wolfi — that ship without shells, package managers, or unrelated binaries. Multi-stage builds copy only the application binary into the final image. Run as non-root with a read-only root filesystem. SBOMs generated by the build pipeline (Syft, BuildKit attestations, Docker Buildx SBOM output) attach to images so CVE matching at deploy time uses the actual contents, not best-effort detection. The combination of slim images and policy-gated CI catches more risk with less alert fatigue than any single tool.
Related reading
AWS security baseline checklist for new accounts
A new AWS account is wide open by default. Twenty controls applied in the first week prevent 90 percent of cloud incidents — here is the list.
Azure security on day one: a tenant-level hardening guide
Azure tenants come with risky defaults — Conditional Access disabled, security defaults insufficient. Here is the day-one hardening that actually moves the dial.
Kubernetes security baseline: clusters that survive contact
A vanilla Kubernetes cluster is not production-ready. The CIS Kubernetes Benchmark, NSA hardening guide, and Pod Security Standards translate to a practical first week.