⌘K
ENES
GitHub
conceptDevSecOps~1 min readUpdated Apr 23, 2026

Image Scanning

Definition

Image scanning is the process of inspecting container images for known vulnerabilities, risky packages, and other issues before promotion or deployment.

Why it matters

Image scanning is useful, but only when placed in the right context. It does not replace dependency management, build integrity, or secure base image strategy. It is one signal inside a larger DevSecOps system. This note stays intentionally narrow: scanning helps surface known issues, but it cannot by itself prove a container is well designed, minimally privileged, or safely promoted.

Attacker perspective

Attackers benefit when teams: - trust scan output blindly - ignore unscanned images and side paths - use vulnerable bases because “the build passed” - rely on scanning without fixing or prioritization

Defender perspective

Defenders should: - treat scanning as one control among many - scan early and before release - prioritize by exploitability and exposure, not just count - understand scanner blind spots and false confidence risks

Practical examples

  • images pass a scan gate but still contain risky unused tooling and poor defaults
  • a side-loaded image path bypasses scanning entirely
  • teams scan but do not triage or remediate meaningfully

References

  • Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final
  • Foundational: OWASP Software Supply Chain Security Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet.html

Explore nearby notes

DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsContainer SecurityContainer security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns.