Shift-left security with image scanning. Trivy, policy gates, and runtime integration.

On this page

Container Image Scanning in CI and at Runtime

Catching vulnerabilities in images before they run in production is a security best practice. Here’s how to do it.

In CI #

Scan every build (e.g. Trivy, Snyk, Grype) in the pipeline.
Policy: Block or fail on CRITICAL/HIGH; warn on MEDIUM; allow LOW with tracking.
Base image: Prefer minimal bases; track and update when base gets fixes.

bash.bash

trivy image --exit-code 1 --severity CRITICAL,HIGH myimage:tag

At Runtime / Registry #

Registry scanning (ECR, GCR, Harbor) for a second layer.
Admission control: In Kubernetes, block pods whose images fail policy (e.g. Connaisseur, OPA).

Best Practices #

Fix or mitigate critical/high before release; don’t “suppress” without a ticket.
SBOM: Generate and store software bill of materials for compliance and incident response.
Runtime: Complement with runtime security (e.g. Falco) for behavior-based detection.

Image scanning is one part of defense in depth; combine with minimal images and supply chain signing.

Container Image Scanning in CI and at Runtime

Container Image Scanning in CI and at Runtime

In CI #

At Runtime / Registry #

Best Practices #

Stay Updated

Cloud Security Best Practices: Securing Your AWS Infrastructure

Systemd Tricks We Use to Keep Services Boring

More from DevOps

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

Argo Rollouts — Progressive Delivery Beyond Argo CD

Cross-Cloud Identity Federation — Patterns That Replaced Our Long-Lived Keys

Handling Vulnerabilities in Production — What We Actually Do

About Kiril Urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

Linux Performance Tuning for Containers and Kubernetes Nodes

Container Image Scanning in CI and at Runtime

In CI#

At Runtime / Registry#

Best Practices#

Stay Updated

Cloud Security Best Practices: Securing Your AWS Infrastructure

Systemd Tricks We Use to Keep Services Boring

More from DevOps

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

About Kiril Urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

Linux Performance Tuning for Containers and Kubernetes Nodes

In CI #

At Runtime / Registry #

Best Practices #