Shift-left security with image scanning. Trivy, policy gates, and runtime integration.

Container Image Scanning in CI and at Runtime

Catching vulnerabilities in images before they run in production is a security best practice. Here’s how to do it.

In CI#

• Scan every build (e.g. Trivy, Snyk, Grype) in the pipeline.
• Policy: Block or fail on CRITICAL/HIGH; warn on MEDIUM; allow LOW with tracking.
• Base image: Prefer minimal bases; track and update when base gets fixes.

trivy image --exit-code 1 --severity CRITICAL,HIGH myimage:tag

At Runtime / Registry#

• Registry scanning (ECR, GCR, Harbor) for a second layer.
• Admission control: In Kubernetes, block pods whose images fail policy (e.g. Connaisseur, OPA).

Best Practices#

• Fix or mitigate critical/high before release; don’t “suppress” without a ticket.
• SBOM: Generate and store software bill of materials for compliance and incident response.
• Runtime: Complement with runtime security (e.g. Falco) for behavior-based detection.

Image scanning is one part of defense in depth; combine with minimal images and supply chain signing.