Image Scanning & CVE Management

You can write the most secure code in the world, but if your base image (FROM node:14) ships a critical vulnerability in openssl, your application is still exploitable.

Image Scanning is the process of inspecting the packages inside a container image (libraries, OS packages) and matching them against a database of known vulnerabilities (CVEs).

1. The Supply Chain Threat

Modern software is assembled, not written.

  • Your Code: 10%
  • Dependencies (NPM, Pip): 40%
  • OS Packages (apt, apk): 50%

A scanner generates a Software Bill of Materials (SBOM)—a list of every package in your image—and checks the National Vulnerability Database (NVD).


2. Interactive: Layer Vulnerability Scanner

Images are built in layers. Vulnerabilities often hide in base layers you didn’t even write.

Layers of a typical image (listed top to bottom):

  • App Code (app.py)
  • Pip Packages (flask, requests)
  • OS Packages (apt-get install)
  • Base Image (python:3.6)

3. Tools of the Trade

1. Trivy (by Aqua Security)

The industry standard open-source scanner. Fast, accurate, and comprehensive.

Scan an image:

trivy image python:3.4-alpine

Filter by severity:

trivy image --severity CRITICAL,HIGH python:3.9

Output as JSON (for parsing):

trivy image -f json -o results.json python:3.9

2. Docker Scout

Built directly into the Docker CLI (replaces docker scan).

docker scout quickview ubuntu:latest
docker scout cves ubuntu:latest

4. CI/CD Integration

You should block builds that contain critical vulnerabilities. Here is a GitHub Actions example:

name: Security Scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Build Image
        run: docker build -t myapp .

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master # pin to a release tag or commit SHA in production
        with:
          image-ref: 'myapp'
          format: 'table'
          exit-code: '1' # Fail the build!
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

Tip: Ignore Unfixed. Always set ignore-unfixed: true. If a vulnerability has no patch available from the vendor, breaking your build won't help. You can't fix it (other than switching OS).
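To make the gate in the workflow above concrete, here is an added Python example (not from this page and not part of Trivy) that applies the same severity and ignore-unfixed policy to a report in the shape of the JSON output from section 3 (trivy image -f json). The report is a constructed sample: the CVE ids are placeholders and the package versions are made up.

```python
import json

# Constructed sample in the shape of Trivy's JSON report (trivy image -f json).
# CVE ids are placeholders and versions are made up: not real output for any image.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "myapp", "Results": [
    {"Target": "myapp (debian 11)", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "openssl", "Severity": "CRITICAL",
         "InstalledVersion": "1.1.1n-0", "FixedVersion": "1.1.1w-0"},
        # No FixedVersion key: the vendor has not shipped a patch yet
        {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libc6", "Severity": "HIGH",
         "InstalledVersion": "2.31-13"},
    ]},
    {"Target": "Python", "Type": "python-pkg", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "requests", "Severity": "MEDIUM",
         "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0"},
    ]},
]})


def blocking_findings(report_json, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Findings that should fail the build, under the same policy knobs as the
    trivy-action inputs `severity` and `ignore-unfixed`."""
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for targets with no findings
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # unfixed: nothing to upgrade to, so do not break the build
            blocking.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
            })
    return blocking


def exit_code(report_json, **policy):
    """0 when the image passes the policy, 1 when the build should fail."""
    return 1 if blocking_findings(report_json, **policy) else 0


if __name__ == "__main__":
    for f in blocking_findings(SAMPLE_REPORT):
        print(f"{f['id']}: {f['package']} {f['installed']} -> fix {f['fixed']} [{f['target']}]")
    raise SystemExit(exit_code(SAMPLE_REPORT))
```

With the default policy only the fixable CRITICAL openssl finding blocks the build; the unfixed HIGH finding is reported nowhere, which is exactly the trade-off the tip above describes.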

5. Remediation Strategies

  1. Update Base Image: Switch from node:14 to node:20.
  2. Use Slimmer Bases: Switch from ubuntu (huge) to alpine (small) or distroless.
  3. Update Packages: Run apt-get update && apt-get upgrade in your Dockerfile (controversial, affects reproducibility) or pin newer versions.
  4. Rebuild Regularly: CVEs are discovered daily. Rebuild your images weekly even if code hasn’t changed.