Container Security Scanning Tools
Modern applications rely on containers, and vulnerabilities in base images or dependencies can move into production faster than ever. Understanding practical scanning tools helps developers ship safer code without slowing delivery.
As someone who has spent years building and maintaining microservice platforms, I still remember the first time a production alert pinged me at 2 AM because a base image update introduced a known CVE. It was not a flashy zero-day or an exotic exploit. It was a simple oversight: the team upgraded an Alpine base image, picked up a patched library that still had a vulnerability flag in the vulnerability database, and our scanning pipeline had been disabled to “unblock the release.” That incident did not cause a breach, but it did cause a sleepless night and a weekend of incident response. It is a common story, and it is why container security scanning has become a nonnegotiable part of modern development workflows.
In this post, I will share how container security scanning tools fit into real projects, which tools are practical for different scenarios, and how to wire them into everyday development without creating friction. We will look at concrete patterns, configuration examples, and tradeoffs I have encountered in production environments. We will avoid marketing slides and focus on what works when you need to ship features and keep risk in check. If you are a developer trying to balance speed, reliability, and security, this guide will help you choose tools, set up workflows, and avoid common pitfalls.
Why container security scanning matters now
Container adoption has matured, and so has the attack surface. Teams rely on curated base images, language package managers, and third‑party images to move quickly. The problem is that each layer can introduce vulnerabilities, misconfigurations, or secrets. Modern CI/CD pipelines push code to production in minutes, which means vulnerable images can deploy just as fast. Regulatory pressures and audit requirements also increase scrutiny on software supply chains.
Security scanning tools are designed to inspect images, filesystem layers, and runtime configurations before they reach production. They catalog known vulnerabilities using public databases such as the National Vulnerability Database (NVD) and language‑specific advisories. They also scan for secrets, misconfigurations, and compliance issues. The goal is not to block every change but to provide actionable, prioritized risk information so developers can make informed decisions.
In the broader tooling landscape, scanning sits alongside practices like dependency scanning for source code and infrastructure as code security. The difference with containers is the breadth of components bundled into a single artifact. An image can include operating system packages, application runtimes, libraries, and configuration files. Scanning must account for all layers, which makes tool selection and tuning critical.
Where container scanning fits in the modern stack
Most teams use containers to package applications for local development, testing, and production. The workflow usually looks like this:
- Developers build images locally or in CI.
- Images are pushed to a registry.
- Deployments pull images from the registry to orchestration platforms like Kubernetes or ECS.
- Scanning occurs either in CI before pushing or in the registry before deployment, and sometimes continuously for running images.
Scanning tools typically fall into these categories:
- Image vulnerability scanners: Identify CVEs across OS and language packages.
- Secret scanners: Detect credentials, tokens, and keys in image layers.
- Misconfiguration scanners: Evaluate Dockerfiles and Kubernetes manifests for best practices.
- Runtime and posture management: Monitor running containers for drift, policy violations, and new vulnerabilities.
The market includes open source projects and commercial products. In this post, we will focus on tools with strong open source roots and practical adoption, including Trivy, Grype, Snyk, Anchore Syft and Anchore Engine, and Notary for signing. We will also discuss workflow integration, tuning, and operational considerations.
Core concepts: how scanning works under the hood
Before diving into tools, it helps to understand the mechanics. A container image is composed of layers, each representing a set of filesystem changes. Scanning tools parse image manifests and extract package metadata from each layer. For Alpine images, they look at the APK database; for Debian, they check dpkg; for Red Hat, they check RPM. For language ecosystems, they inspect lock files and manifests such as package-lock.json, requirements.txt, go.mod, and others.
Once the inventory of packages and versions is built, the scanner matches those entries against vulnerability databases. Matching logic varies:
- Exact version match: A package version is matched to an advisory for that version.
- Version range evaluation: Some ecosystems define affected version ranges, which scanners must interpret.
- Base image and patch status: For OS packages, scanners may consider patch status from upstream distributions.
Scanners also evaluate Dockerfile instructions and Kubernetes manifests. For example, running as root, missing resource limits, or overly permissive capabilities can trigger warnings.
Finally, scanners generate a bill of materials (SBOM) and a report. An SBOM is a machine‑readable inventory of components and dependencies. It is useful for compliance, supply chain audits, and rapid impact analysis when a new vulnerability is disclosed.
Practical tools and how to use them
There is no single tool that fits every team and stack. In practice, I use different tools for different purposes, and I combine them when necessary. Below are tools I have used in real pipelines and some example patterns.
Trivy
Trivy is a simple, fast vulnerability scanner for containers and other artifacts. It is written in Go and maintained by Aqua Security. It scans local images, remote registries, and filesystems. It also supports SBOM generation and IaC scanning.
Trivy is my default starting point for new projects because it is fast and easy to integrate. It has a straightforward CLI and sensible defaults. It can scan both OS packages and language dependencies.
Example: scanning a local image
# Install Trivy (macOS via Homebrew)
brew install trivy
# Pull an image to test
docker pull nginx:1.25-alpine
# Scan the image
trivy image nginx:1.25-alpine
# Generate an SBOM in CycloneDX format
trivy image --format cyclonedx nginx:1.25-alpine > sbom.json
Trivy’s output includes CVE IDs, severity, package names, versions, and fixed versions. For CI pipelines, you can set a severity threshold and fail the build if vulnerabilities exceed it.
Example: CI integration with a severity gate
# Fail on HIGH and CRITICAL vulnerabilities
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
Trivy also supports an ignore file (.trivyignore) to suppress known issues you have accepted risk for, with a comment explaining the rationale.
# .trivyignore
# Acceptable risk: internal-only image behind a VPN with limited exposure
CVE-2023-12345
Grype
Grype is a vulnerability scanner for container images and filesystems, maintained by Anchore. It focuses on matching packages to vulnerability sources and can generate SBOMs. It pairs well with Syft, which generates SBOMs.
Grype is useful when you want a narrow, well-scoped scanning tool that can be chained into broader pipelines. It integrates nicely with policy evaluation later.
Example: scanning with Grype
# Install Grype
brew install grype
# Scan an image
grype myapp:latest
# Output to JSON for CI processing
grype myapp:latest -o json > grype-report.json
You can also create policies to fail builds on specific severities or CVEs. Policies are defined in YAML and evaluated by Grype or Anchore Engine.
Example: simple policy snippet
# policy.yaml
policies:
- name: fail-critical
version: "1.0"
description: Fail on critical vulnerabilities
rules:
- id: rule-1
action: stop
condition: vulnerability.severity == "Critical"
Anchore Syft and Anchore Engine
Syft generates SBOMs from container images and filesystems. It supports multiple formats, including SPDX and CycloneDX. Anchore Engine evaluates SBOMs against policies, providing more control over gating and compliance.
In a supply chain security context, Syft is excellent for producing consistent SBOMs that can be stored with artifacts. Anchore Engine or a commercial equivalent (like Anchore Enterprise) can enforce policies on those SBOMs.
Example: generating SBOM with Syft and evaluating with Grype
# Generate SBOM in SPDX format
syft myapp:latest -o spdx-json > sbom.spdx.json
# Scan the SBOM for vulnerabilities
grype sbom:sbom.spdx.json
Snyk
Snyk offers a developer-first approach to security, covering containers, code, dependencies, and IaC. The Snyk CLI and IDE plugins integrate scanning into everyday development.
Snyk’s strength is in developer experience and broad ecosystem coverage, including language-specific advisories and license scanning. The tradeoff is that it is a commercial service with usage tiers.
Example: scanning a container image with Snyk
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Scan a container image
snyk container test myapp:latest
# Monitor for ongoing tracking
snyk container monitor myapp:latest
Snyk can also scan Dockerfiles for misconfigurations and suggest fixes.
Notary and Cosign (Signing)
Scanning is one half of trust; signing is the other. Notary v1 and v2 provide a framework for signing and verifying content. Cosign, part of the Sigstore project, is a modern approach to container signing using keyless signatures.
Signing images ensures that what you scan is what you deploy. It is crucial for preventing tampering and ensuring provenance.
Example: signing with Cosign
# Install Cosign
brew install cosign
# Sign an image using keyless (requires OIDC)
cosign sign --yes myregistry/myapp:latest
# Verify an image
cosign verify myregistry/myapp:latest --certificate-identity-regexp ".*" --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Integrating scanning into CI/CD pipelines
The best scanning tool is the one that runs consistently and provides actionable feedback. In practice, I integrate scanning at two points: build time and registry time.
- Build time: Scan images immediately after building in CI. Fail the build if severity thresholds are exceeded or if specific high-impact CVEs appear.
- Registry time: Scan images in the registry before deployment. This provides a second check and prevents unscanned images from being pulled.
You can also add secret scanning to catch credentials in image layers or build contexts.
Example: GitHub Actions workflow with Trivy and Cosign
name: Build, Scan, and Sign
on:
push:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan image with Trivy
run: |
trivy image --exit-code 1 --severity HIGH,CRITICAL ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign image
run: |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
This workflow builds, pushes, scans, and signs in one pass. For organizations with stricter policies, you can gate the push step on scan results or require manual approval.
Handling false positives and tuning
No scanner is perfect. False positives happen due to mismatched package names, backported fixes, or ecosystem quirks. The key is to tune the tool rather than ignore it.
Strategies that work:
- Use ignore files with comments explaining the rationale.
- Map vulnerabilities to your actual deployment context. For example, if a CVE only affects Windows and you run Linux, note it and exclude it.
- Pin base images and update intentionally. Scanning becomes more predictable when you control version bumps.
- Focus on exploitable components. Vulnerabilities in build-time tools often matter less than those in runtime libraries.
- Maintain a review cadence. Weekly triage keeps noise down and prevents backlog buildup.
Example: Trivy ignore file with context
# .trivyignore
# This CVE affects a Windows-only component; our images are Linux only
CVE-2023-99999
# Patched via Alpine backport; fixed version is not reflected in NVD yet
CVE-2022-11111
Secrets, misconfigurations, and image hygiene
Scanning for vulnerabilities is only part of the story. Secrets often leak through build contexts, environment files, or cached layers. Tools like Trivy have secret scanning, and dedicated tools like GitGuardian or gitleaks can be used in CI.
Misconfiguration scanning covers Dockerfile instructions and Kubernetes manifests. Trivy supports IaC scanning, and tools like kube-lint or checkov can evaluate Kubernetes YAML for security best practices.
Example: Trivy IaC scanning
# Scan Dockerfile for misconfigurations
trivy config Dockerfile
# Scan Kubernetes manifests
trivy config k8s/
Common misconfigurations to avoid:
- Running containers as root.
- Storing secrets in environment variables instead of a secrets manager.
- Missing resource limits and requests.
- Overly permissive security contexts.
SBOMs and supply chain transparency
SBOMs are increasingly required for compliance and audit. They provide a snapshot of what is inside your image, which is invaluable when a new vulnerability is disclosed and you need to find affected services quickly.
Syft is excellent for generating SBOMs in CI. You can store them as artifacts or push them to an artifact repository. Then, when a CVE hits, you can query SBOMs to identify impacted services.
Example: generating and storing an SBOM
# Generate CycloneDX SBOM
syft myapp:latest -o cyclonedx-json > sbom.cdx.json
# Upload to an artifact store (pseudo command)
# curl -X POST -H "Content-Type: application/json" --data-binary @sbom.cdx.json https://artifacts.example.com/sboms
Strengths, weaknesses, and tradeoffs
Trivy:
- Strengths: Fast, easy to use, supports images, filesystems, and IaC, good CI integration, open source.
- Weaknesses: Tuning may be needed to reduce noise; scanning depth depends on package detection accuracy.
- Best for: Teams that want a simple, reliable scanning tool that covers most needs.
Grype:
- Strengths: Accurate vulnerability matching, integrates with Syft for SBOM workflow, focused scope.
- Weaknesses: Less opinionated on policy; requires additional components for governance.
- Best for: Teams building SBOM-centric pipelines or using Anchore stack.
Snyk:
- Strengths: Broad coverage, developer-friendly IDE integrations, license scanning.
- Weaknesses: Commercial service, pricing depends on usage.
- Best for: Teams seeking a unified developer security platform with minimal setup.
Anchore Engine / Enterprise:
- Strengths: Policy enforcement, compliance features, SBOM management.
- Weaknesses: Operational overhead, requires infrastructure.
- Best for: Organizations with strict compliance requirements.
Notary / Cosign:
- Strengths: Provenance and integrity through signing, integrates with modern registries.
- Weaknesses: Requires key management or OIDC setup; not all registries fully support signing workflows.
- Best for: Supply chain security and provenance enforcement.
In general, if you are starting from scratch, Trivy is a solid default. As you mature, layer in SBOM generation with Syft and policy enforcement with Anchore. For developer experience and broad coverage, Snyk is a strong choice. Always include signing with Cosign for trusted deployments.
Personal experience: lessons from real pipelines
I have integrated scanning into Node.js, Python, Go, and Java projects, each with its own quirks. In Node.js applications, scanning package-lock.json usually gives accurate results. However, I have seen false positives when dependencies are overridden with npm resolutions or when using monorepos with hoisting. The fix is to ensure scanners operate on the final, locked dependency tree used in the image rather than the source tree alone.
In Python projects, the most common issue is mixing system packages with pip packages. Alpine images use musl libc, and some Python wheels are not fully compatible. Scanners sometimes misclassify packages if the wrong package manager metadata is present. Pinning base images and avoiding multi-stage build leaks reduced noise in my teams.
Go binaries are statically linked, which can confuse scanners that look for package metadata in the image. Here, SBOM generation at build time using tools like Syft or the Go module information helps. I also instrument build images to include minimal metadata, even for scratch-based deployments.
One memorable incident involved a “quick fix” to upgrade a popular logging library. The upgrade introduced a transitive dependency with a CVE. Our CI passed because the scanner threshold allowed MEDIUM severity. The registry scan caught it and blocked deployment. Since then, we adopted a two-stage scan with different thresholds for CI and registry, and we keep a list of “block-on” CVEs for specific libraries regardless of severity.
Another learning was around secret scanning. We once found an AWS access key in an image layer due to a COPY instruction that pulled in a local .env file. It was not logged in Git, but it lingered in the build context. Adding secret scanning to CI prevented a recurrence.
Getting started: workflow and mental model
If you are new to container scanning, start with a simple mental model:
- Build images reproducibly and tag them meaningfully.
- Scan immediately after building, fail on high severity, and generate an SBOM.
- Sign images before pushing or after pushing with a keyless workflow.
- Scan again in the registry, with stricter policies if needed.
- Maintain an ignore file and a triage process.
Here is a minimal project structure for a service with scanning integrated:
myapp/
├── Dockerfile
├── .trivyignore
├── .github/
│ └── workflows/
│ └── ci.yml
├── k8s/
│ └── deployment.yaml
├── src/
│ └── app.js
├── package.json
└── package-lock.json
Example Dockerfile with minimal attack surface and metadata labels:
# Dockerfile
FROM node:20-alpine
# Labels for metadata
LABEL org.opencontainers.image.source="https://github.com/example/myapp"
WORKDIR /app
# Copy only files needed for runtime
COPY package.json package-lock.json ./
RUN npm ci --only=production
COPY src ./src
# Run as non-root user
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
USER nodejs
# Health check
HEALTHCHECK CMD node healthcheck.js
CMD ["node", "src/app.js"]
Example CI workflow with scanning and signing:
# .github/workflows/ci.yml
name: CI, Scan, and Sign
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
test-and-build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build image locally for scanning
run: |
docker build -t ${{ env.IMAGE_NAME }}:pr .
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan image in PR
run: |
# Block PRs on critical vulnerabilities only
trivy image --exit-code 1 --severity CRITICAL ${{ env.IMAGE_NAME }}:pr
- name: Log in to registry if merging
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push main image
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Install Cosign
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@v3
- name: Sign image
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
In this workflow, PRs build and scan with a strict threshold for critical issues only. Merges to main push, scan again, and sign. This pattern balances speed and safety.
Developer experience and maintainability
What makes scanning tools stand out is not just detection accuracy but how they fit into developer workflows. If scanning is slow, noisy, or brittle, developers will find workarounds. Good tools provide:
- Fast scans with clear output.
- Stable interfaces and predictable behavior.
- Integration with registries and CI platforms.
- Tunable policies and ignore mechanisms.
- SBOM generation in standard formats.
Maintainability improves when scanning is part of a shared workflow rather than a personal script. Store policies in version control, document triage decisions, and review thresholds regularly. Treat scanning configuration as infrastructure.
Free learning resources
- Trivy documentation: https://aquasecurity.github.io/trivy/
- Grype documentation: https://github.com/anchore/grype
- Syft documentation: https://github.com/anchore/syft
- Snyk container scanning: https://docs.snyk.io/products/snyk-container
- Cosign documentation: https://docs.sigstore.dev/cosign/overview
- NVD data and CVEs: https://nvd.nist.gov/
- OWASP Container Security: https://owasp.org/www-project-container-security/
These resources provide practical guides, examples, and up‑to‑date references. Trivy’s and Grype’s official docs are especially helpful for CI integration details, while Cosign’s documentation covers signing workflows in modern registries.
Who should use container scanning tools and who might skip them
Container security scanning is valuable for:
- Teams deploying containers to production, especially in regulated industries.
- Open source maintainers who want to provide secure base images and SBOMs.
- Platform engineers who curate internal base images and golden paths for developers.
- Developers building microservices who need quick feedback on vulnerabilities.
There are situations where the overhead may outweigh the benefits:
- Ephemeral or disposable dev environments where images never leave the local machine and contain no secrets.
- Extremely small projects with no external dependencies, though even these benefit from a basic scan to avoid surprises.
- Environments where tooling constraints prevent installing scanners, although cloud-hosted registries often include scanning features.
For most teams building and shipping containerized applications, scanning is a foundational practice. The cost of ignoring vulnerabilities usually exceeds the cost of tuning and integrating tools.
Conclusion and takeaway
Container security scanning tools help developers balance speed with safety. Trivy, Grype, Snyk, and Anchore each bring strengths to different stages of a pipeline. SBOM generation via Syft and image signing with Cosign strengthen the software supply chain. The key is not to pick the “best” tool but to integrate scanning consistently, tune it to your context, and keep it visible in your workflow.
If you are just starting, adopt Trivy for quick wins and add SBOM and signing as you mature. If you need policy and compliance, consider Anchore. If developer experience is a priority, Snyk can streamline adoption across teams. In all cases, make scanning a normal part of building and deploying, not an afterthought. That 2 AM alert I mentioned earlier may never happen again, but if it does, you will have the context and tools to respond quickly and confidently.
