Scanning Container Security

Overview

Scan container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance violations using Trivy, Grype, Snyk Container, and Hadolint. Analyze base images, OS packages, application dependencies, and runtime configurations to produce actionable security reports with remediation guidance.

Prerequisites

  • Container scanning tool installed: trivy, grype, snyk, or docker scout
  • Dockerfile linter: hadolint for Dockerfile best practice validation
  • Docker daemon running for local image scanning
  • Access to the container images to scan (local, registry, or tar archive)
  • jq for parsing JSON scan results

Instructions

  1. Identify target images for scanning: production images, base images, and CI-built images
  2. Lint Dockerfiles with hadolint Dockerfile to catch misconfigurations before the build (privileged or risky instructions, unpinned base image and package versions, shell best-practice violations)
  3. Scan built images for OS-level vulnerabilities: trivy image <image:tag> or grype <image:tag>
  4. Scan for application dependency vulnerabilities: check language-specific packages (npm, pip, Maven, Go modules) embedded in the image
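The steps above end with a scan that emits JSON; turning that JSON into the "actionable security report with remediation guidance" the overview promises is the part practitioners usually script themselves. The following is an added example, not code from this skill or from Trivy: it reads a report in the shape of `trivy image --format json` output (`Results[].Vulnerabilities[]`, covering both `os-pkgs` and `lang-pkgs` results), counts findings by severity, lists the findings that have a `FixedVersion` first because those are the ones a rebuild can fix, and returns a pass/fail verdict against a severity threshold. The embedded report, image name and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Summarise a Trivy-style JSON report and gate on severity.

Added example, not part of the skill page. Assumes the Trivy JSON layout
(ArtifactName, Results[].Target/Class/Vulnerabilities[]); the sample below is
constructed and its CVE identifiers are placeholders, not real advisories.
"""
import json
import sys
from collections import Counter

# Constructed sample standing in for `trivy image --format json -o report.json <image:tag>`.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/myapp:1.0",
    "Results": [
        {
            "Target": "example.invalid/myapp:1.0 (debian 12.4)",
            "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL", "Title": "placeholder: memory corruption"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder: no fix available"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "bash",
                 "InstalledVersion": "5.2-1", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder: minor issue"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "example-lib",
                 "InstalledVersion": "2.1.0", "FixedVersion": "2.1.3",
                 "Severity": "HIGH", "Title": "placeholder: prototype pollution"},
            ],
        },
        # Misconfiguration results carry no Vulnerabilities key; the parser must tolerate that.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_findings(report):
    """Yield one flat dict per vulnerability across every result target."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "target": result.get("Target", ""),
                "class": result.get("Class", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                # Missing or unexpected severities fall back to UNKNOWN (rank 0).
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "title": vuln.get("Title", ""),
            }


def summarize(report_json, fail_on="HIGH"):
    """Return severity counts, remediation items and a verdict.

    fail_on is the lowest severity that fails the gate. Blocking findings with a
    FixedVersion are listed under "remediation" (highest severity first); those
    without a fix are listed under "unfixed" so they can be tracked separately.
    """
    report = json.loads(report_json)
    findings = list(iter_findings(report))
    counts = Counter(f["severity"] for f in findings)
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    fixable = sorted((f for f in blocking if f["fixed"]),
                     key=lambda f: (-SEVERITY_RANK[f["severity"]], f["pkg"]))
    unfixed = [f for f in blocking if not f["fixed"]]
    return {
        "artifact": report.get("ArtifactName", ""),
        "total": len(findings),
        "counts": dict(counts),
        "remediation": [f"{f['pkg']}: {f['installed']} -> {f['fixed']} "
                        f"({f['id']}, {f['severity']}, {f['class']})" for f in fixable],
        "unfixed": [f"{f['pkg']} ({f['id']}, {f['severity']})" for f in unfixed],
        "passed": not blocking,
    }


if __name__ == "__main__":
    # Usage: python gate.py report.json [HIGH|CRITICAL|...]; no arguments runs the sample.
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = summarize(raw, fail_on=sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

In a CI job the exit status is what matters: the script exits non-zero when any finding at or above the chosen severity is present, while the printed "remediation" list tells the image owner which package bumps clear the gate and "unfixed" shows what still needs a base-image change or an accepted-risk entry.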
Installs: 2 · GitHub Stars: 2.2K · First seen: Mar 3, 2026