Shift-left security with image scanning. Trivy, policy gates, and runtime integration.

On this page

Container Image Scanning in CI and at Runtime

Catching vulnerabilities in images before they run in production is a security best practice. Here’s how to do it.

In CI #

Scan every build (e.g. Trivy, Snyk, Grype) in the pipeline.
Policy: Block or fail on CRITICAL/HIGH; warn on MEDIUM; allow LOW with tracking.
Base image: Prefer minimal bases; track and update when base gets fixes.

bash.bash

trivy image --exit-code 1 --severity CRITICAL,HIGH myimage:tag

At Runtime / Registry #

Registry scanning (ECR, GCR, Harbor) for a second layer.
Admission control: In Kubernetes, block pods whose images fail policy (e.g. Connaisseur, OPA).

Best Practices #

Fix or mitigate critical/high before release; don’t “suppress” without a ticket.
SBOM: Generate and store software bill of materials for compliance and incident response.
Runtime: Complement with runtime security (e.g. Falco) for behavior-based detection.

Image scanning is one part of defense in depth; combine with minimal images and supply chain signing.

Container Image Scanning in CI and at Runtime

Container Image Scanning in CI and at Runtime

In CI #

At Runtime / Registry #

Best Practices #

Stay Updated

Operational Checklist: Docker Image Hardening for Production

Systemd Tricks We Use to Keep Services Boring

More from DevOps

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

Incident Postmortems That Actually Prevent Repeat Failures

Zero Trust on AWS: Lessons From Implementing IAM Identity Center

Database Migrations Without Downtime: Patterns From Three Real Cutovers

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

AI Model Deployment Strategies: From Development to Production

Container Image Scanning in CI and at Runtime

In CI#

At Runtime / Registry#

Best Practices#

Stay Updated

Operational Checklist: Docker Image Hardening for Production

Systemd Tricks We Use to Keep Services Boring

More from DevOps

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

AI Model Deployment Strategies: From Development to Production

In CI #

At Runtime / Registry #

Best Practices #