Get the latest tutorials, guides, and insights on AI, DevOps, Cloud, and Infrastructure delivered directly to your inbox.
Container security is critical. This guide shows you how to scan Docker images for vulnerabilities and integrate scanning into your pipeline.
Trivy is a comprehensive security scanner:
# Install Trivy
brew install trivy
# Scan image
trivy image nginx:latest
# Scan with JSON output
trivy image -f json -o report.json nginx:latest
# Scan for specific severity
trivy image --severity HIGH,CRITICAL nginx:latest
# GitHub Actions
name: Security Scan
on: [push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build image
run: docker build -t myapp .
- name: Run Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp
format: 'sarif'
output: 'trivy-results.sarif'
# Use specific versions
FROM node:18-alpine
# Run as non-root user
RUN addgroup -g 1000 appuser && \
adduser -D -u 1000 -G appuser appuser
USER appuser
# Minimize layers
RUN apt-get update && apt-get install -y package && \
rm -rf /var/lib/apt/lists/*
# Scan during build
# docker build --security-opt seccomp=unconfined .
# Build stage
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Production stage
FROM node:18-alpine
RUN addgroup -g 1000 appuser && \
adduser -D -u 1000 -G appuser appuser
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER appuser
CMD ["node", "dist/index.js"]
import subprocess
import json
def scan_image(image_name):
result = subprocess.run(
["trivy", "image", "-f", "json", image_name],
capture_output=True,
text=True
)
report = json.loads(result.stdout)
# Check for critical vulnerabilities
critical_vulns = [
v for v in report.get("Results", [{}])[0].get("Vulnerabilities", [])
if v.get("Severity") == "CRITICAL"
]
if critical_vulns:
raise Exception(f"Found {len(critical_vulns)} critical vulnerabilities")
return report
Container security scanning should be part of every deployment pipeline. Start with Trivy and gradually add more sophisticated scanning tools.
For Container Security Scanning: Protecting Your Docker Images, define pre-deploy checks, rollout gates, and rollback triggers before release. Track p95 latency, error rate, and cost per request for at least 24 hours after deployment. If the trend regresses from baseline, revert quickly and document the decision in the runbook.
Keep the operating model simple under pressure: one owner per change, one decision channel, and clear stop conditions. Review alert quality regularly to remove noise and ensure on-call engineers can distinguish urgent failures from routine variance.
Repeatability is the goal. Convert successful interventions into standard operating procedures and version them in the repository so future responders can execute the same flow without ambiguity.
For Container Security Scanning: Protecting Your Docker Images, define pre-deploy checks, rollout gates, and rollback triggers before release. Track p95 latency, error rate, and cost per request for at least 24 hours after deployment. If the trend regresses from baseline, revert quickly and document the decision in the runbook.
Keep the operating model simple under pressure: one owner per change, one decision channel, and clear stop conditions. Review alert quality regularly to remove noise and ensure on-call engineers can distinguish urgent failures from routine variance.
Repeatability is the goal. Convert successful interventions into standard operating procedures and version them in the repository so future responders can execute the same flow without ambiguity.
For Container Security Scanning: Protecting Your Docker Images, define pre-deploy checks, rollout gates, and rollback triggers before release. Track p95 latency, error rate, and cost per request for at least 24 hours after deployment. If the trend regresses from baseline, revert quickly and document the decision in the runbook.
Keep the operating model simple under pressure: one owner per change, one decision channel, and clear stop conditions. Review alert quality regularly to remove noise and ensure on-call engineers can distinguish urgent failures from routine variance.
Repeatability is the goal. Convert successful interventions into standard operating procedures and version them in the repository so future responders can execute the same flow without ambiguity.
For Container Security Scanning: Protecting Your Docker Images, define pre-deploy checks, rollout gates, and rollback triggers before release. Track p95 latency, error rate, and cost per request for at least 24 hours after deployment. If the trend regresses from baseline, revert quickly and document the decision in the runbook.
Keep the operating model simple under pressure: one owner per change, one decision channel, and clear stop conditions. Review alert quality regularly to remove noise and ensure on-call engineers can distinguish urgent failures from routine variance.
Repeatability is the goal. Convert successful interventions into standard operating procedures and version them in the repository so future responders can execute the same flow without ambiguity.
RAG Retrieval Quality Evaluation. Practical guidance for reliable, scalable platform operations.
Model Serving Observability Stack. Practical guidance for reliable, scalable platform operations.
Explore more articles in this category
SLO-Based Monitoring for APIs. Practical guidance for reliable, scalable platform operations.
Secure Container Supply Chain Controls. Practical guidance for reliable, scalable platform operations.
Incident Response for Platform Teams. Practical guidance for reliable, scalable platform operations.