Container Image Security Scanning: A Practitioner's Guide

The three most widely deployed open-source and commercial container scanners each have different strengths that make them appropriate for different contexts.

Trivy (Aqua Security, open source): The most versatile scanner in the ecosystem — scans container images, filesystems, Git repositories, IaC configurations (Terraform, CloudFormation, Kubernetes manifests), and SBOMs in a single tool. Trivy is the scanner used by GitHub's Dependency Review Action and is integrated into many CI/CD platforms natively. Its vulnerability database pulls from multiple sources (NVD, GitHub Security Advisories, OS-specific advisories) and updates frequently. For teams that want a single scanner across their entire stack (containers, IaC, code), Trivy is the practical default.

Grype (Anchore, open source): Pairs with Syft for SBOM-first scanning workflows — Syft generates the SBOM, Grype scans it. This separation is valuable when you want to generate an SBOM as an artifact and scan it separately or at a later stage. Grype has a smaller feature set than Trivy but excels in its core container and SBOM scanning use case.

Snyk Container (commercial with free tier): Provides the most actionable output of any scanner, including base image upgrade recommendations that show exactly how many vulnerabilities would be eliminated by switching to a specific newer base image version. Snyk's fix advice is its primary advantage over open-source alternatives. The developer-facing interface (IDE plugins, pull request status checks) is also more polished than Trivy or Grype.

The single most effective container security control is base image selection. Most container vulnerability density comes from OS packages in the base image — not from your application code. Choosing a minimal base image eliminates entire categories of vulnerabilities that never needed to be present.

Base image hierarchy from most to least vulnerable: full Ubuntu/Debian (hundreds of CVEs in the OS package set, many irrelevant to your application), Ubuntu/Debian slim variants (smaller package set, reduced but still significant vulnerability exposure), Alpine Linux (musl libc-based, minimal package set, dramatically lower CVE count but may require compatibility testing), Chainguard/Wolfi-based images (built for minimal vulnerability footprint, often zero-CVE at time of publication), Distroless images (Google's base images with no package manager, shell, or OS utilities — only the application runtime and its direct dependencies).

Distroless images (gcr.io/distroless/*) are the strongest choice for production deployments where you do not need a shell or package manager in the running container. They eliminate the attack surface from every OS utility that is not required to run your application. The tradeoff is that debugging requires separate tooling (ephemeral debug containers in Kubernetes) — but in production, this is an acceptable operational change for the security benefit.

Integrating container scanning into CI/CD pipelines requires a policy that distinguishes between scan results that should block a build and results that should generate alerts without blocking. Blocking every build with any HIGH or CRITICAL finding will grind deployment to a halt — most images have HIGH findings in packages that are not reachable by your application.

Practical pipeline policy: Block builds on CRITICAL findings with a known exploit in a reachable package (scanner support for reachability analysis varies — Snyk and Trivy with --ignore-unfixed flag provide this). Alert (do not block) on HIGH findings and require resolution within a defined SLA (typically 30 days). Ignore Medium and Low unless the finding is in a package your application directly calls.

Tooling for CI/CD integration: Trivy with `--exit-code 1 --severity CRITICAL --ignore-unfixed` blocks only on CRITICAL CVEs with available fixes. Pair this with a `.trivyignore` file for documented exceptions with expiration dates. For Kubernetes admission control, integrate scanning into the cluster via admission webhooks (Trivy Operator, Snyk's Kubernetes integration) that prevent deployment of images with unacceptable findings.

Container security starts in the Dockerfile. Misconfigured build instructions create vulnerabilities that no scanner will surface because they represent misconfigurations rather than CVEs.

Dockerfile security checklist: (1) Never run as root — add a `USER` instruction to run the container process as a non-root user with the minimum permissions required. (2) Use specific image tags, not `latest` — `FROM python:3.12.4-slim` not `FROM python:latest`. Floating tags allow the base image to change unpredictably between builds. (3) Minimize layers that run as root — separate `apt-get install` operations from application code and drop privileges before copying application files. (4) Do not include secrets in build arguments or environment variables — use runtime secret injection via Kubernetes Secrets or cloud secret managers. (5) Use multi-stage builds to separate build dependencies from runtime dependencies — your final image should contain only what the running application needs.

Linting Dockerfiles: Hadolint is the standard Dockerfile linter and enforces many of these best practices automatically. Integrate it into your pull request checks to catch Dockerfile issues at authoring time rather than at scan time.

Container security scanning is only valuable if the output is acted on. The combination of distroless or Alpine base images (eliminates most of the CVE noise), pipeline policies that block only on CRITICAL exploitable findings, and periodic registry scanning for post-build CVE disclosure covers the vast majority of container image risk. Scanner output without a prioritization and remediation workflow is just noise.