Container Image Scanning

How scanning container images for known vulnerabilities catches risky packages before they reach production.


What Lives Inside an Image

A container image bundles an application together with its operating system packages and libraries. Any of those layers can contain a component with a known vulnerability that the developer never wrote but still ships.

How Scanning Works

An image scanner inspects each layer, builds a list of installed packages and versions, and compares them against a database of known vulnerabilities. Each match is reported with a severity rating.

  • It detects outdated operating system packages.
  • It detects vulnerable application dependencies.
  • It can flag embedded secrets and bad configuration.

Where Scanning Belongs

Scanning is most valuable early and often.

  • In the pipeline so a risky image fails the build before deploy.
  • In the registry so stored images are rescanned as new vulnerabilities are published.
  • At admission so a cluster refuses to run an unscanned image.

A vulnerability can be published after an image is built, which is why registry rescanning matters even for images that have not changed: the packages inside are the same, but the database they are compared against is not.
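The two sections above describe the same loop from different angles: flatten the layers into a package inventory, compare each package version against a vulnerability database, and gate on severity. The following toy scanner, written for this lesson as an added example and not taken from any real scanner, does exactly that and then replays the registry-rescan case: an unchanged image passes the build gate, a new advisory is published afterwards, and the same image now fails. The layer contents, the vulnerability database and the `EX-` identifiers are all constructed for illustration; real scanners read OS package databases and lockfiles out of each layer and query distribution and ecosystem security feeds.

```python
"""Toy container image scanner: inventory layers, match against a
vulnerability database, and gate on severity.

Constructed example for illustration. Package lists, advisories and the
EX-nnnn identifiers are made up; nothing here refers to a real advisory.
"""
from __future__ import annotations
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # placeholder id, not a real advisory number
    package: str
    fixed_in: tuple          # first fixed version; anything below is affected
    severity: str


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption: no epochs or suffixes)."""
    return tuple(int(p) for p in v.split("."))


def inventory(layers: list[dict]) -> dict:
    """Flatten layers into {package: version}.

    Later layers win, so an upgrade in a later layer replaces the base
    version; a value of None models a package removed in that layer.
    """
    pkgs: dict = {}
    for layer in layers:
        for name, version in layer.items():
            if version is None:
                pkgs.pop(name, None)
            else:
                pkgs[name] = version
    return pkgs


def scan(layers: list[dict], db: list[Vuln]) -> list[tuple]:
    """Return (id, package, installed_version, severity) for every match,
    most severe first."""
    pkgs = inventory(layers)
    findings = []
    for v in db:
        if v.package in pkgs and parse_version(pkgs[v.package]) < v.fixed_in:
            findings.append((v.vuln_id, v.package, pkgs[v.package], v.severity))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f[3]])


def gate(findings: list[tuple], fail_on: str = "high") -> bool:
    """Pipeline or admission policy: True means the image may proceed.
    Any finding at or above the threshold blocks it."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f[3]] >= threshold for f in findings)


# Constructed image: base OS layer, a package-upgrade layer, an app layer.
IMAGE_LAYERS = [
    {"openssl": "1.1.1", "zlib": "1.2.11", "libcurl": "7.74.0"},
    {"zlib": "1.2.13"},
    {"requests": "2.25.0"},
]

# Constructed database as it looked at build time.
DB_AT_BUILD = [
    Vuln("EX-0001", "zlib", (1, 2, 12), "high"),       # already fixed by layer 2
    Vuln("EX-0002", "requests", (2, 26, 0), "medium"),
]

# Constructed advisory published after the image was built and stored.
NEW_ADVISORY = Vuln("EX-0003", "openssl", (1, 1, 2), "critical")


def build_time_result() -> tuple[list[tuple], bool]:
    findings = scan(IMAGE_LAYERS, DB_AT_BUILD)
    return findings, gate(findings)


def registry_rescan_result() -> tuple[list[tuple], bool]:
    findings = scan(IMAGE_LAYERS, DB_AT_BUILD + [NEW_ADVISORY])
    return findings, gate(findings)


if __name__ == "__main__":
    for label, (findings, ok) in (("build", build_time_result()),
                                  ("rescan", registry_rescan_result())):
        print(f"{label}: {'PASS' if ok else 'BLOCK'}")
        for f in findings:
            print("   ", *f)
```

Two details matter more than the toy database. First, `inventory` resolves layers in order, so a package upgraded in a later layer is judged by the version actually present in the final filesystem, not by the base image's version; a scanner that only looked at the base layer would report EX-0001 as a false positive. Second, `scan` and `gate` are pure functions of the image and the database, so rescanning is just calling them again with a newer database, which is all a registry rescan is.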

Key idea

Image scanning lists every package inside a container and checks it against a vulnerability database, catching risky components in the pipeline, the registry, and at admission before they run.

Check yourself


1. What does a container image scanner primarily check?

2. Why rescan an unchanged image already in the registry?

3. What does admission scanning enforce?