What is container image scanning?
Container image scanning is the automated process of analyzing container images for security vulnerabilities, misconfigurations, and compliance violations. This process examines all layers of a container image, including the base operating system, application dependencies, libraries, and configuration files.
Container image scanning is static analysis: it examines what is inside an image before (or independently of) deployment, without running it. Organizations complement it with runtime monitoring, which shows which vulnerable packages are actually loaded and executed by running containers. Static scanning catches issues early in the development lifecycle, while runtime monitoring adds the context needed to tell a vulnerability that is reachable in production from one that sits in a package nothing ever calls.
Container images are immutable, layered snapshots that contain everything needed to run an application. Because an image is fixed at build time, a vulnerability in a base image is inherited by every image built on top of it and by every container started from those images, and it is only removed when the image is rebuilt. This makes it critical to inspect every layer of the image, not just the final merged filesystem, to find where security risks are hiding.
Why container image scanning is critical for cloud security
Containers are ephemeral by design. According to Sysdig's 2023 Cloud-Native Security and Usage Report, many containerized workloads in production environments live less than five minutes, making traditional security approaches that rely on persistent infrastructure ineffective. This rapid churn can lead to container sprawl, creating blind spots when organizations run thousands of containers across multiple environments without proper visibility.
Under the shared responsibility model, organizations must secure the container images they build or consume. This is vital for supply chain security, as third-party base images and open-source components often contain hidden risks. A single vulnerable image can compromise multiple workloads when it is reused across different deployments, particularly concerning given that 87% of container images contain high or critical vulnerabilities.
Adopting a shift-left security approach lets you catch vulnerabilities before production, which significantly reduces both risk and remediation cost.
Image configuration matters as much as package versions. A container that runs as root or with extra Linux capabilities turns any code-execution bug in the application into a much better foothold for container escape and lateral movement. Following least-privilege principles, running containers as a non-root user and dropping unnecessary capabilities, significantly reduces this attack surface, and image scanning can flag an image that sets no USER before it is ever deployed.
Compliance frameworks require vulnerability management with varying specificity. PCI DSS explicitly mandates quarterly internal and external vulnerability scans (Requirement 11.2 in PCI DSS v3.2.1, Requirement 11.3 in v4.0). HIPAA requires risk analysis and risk-based vulnerability management under the Security Rule. SOC 2 evaluates whether organizations have effective change management and risk monitoring controls. Container image scanning produces the evidence organizations need to demonstrate these controls during audits.
How container image scanning works
The scanning process begins with image decomposition: the scanner reads the image manifest, fetches each layer blob and unpacks it, so that files added or deleted in any layer are visible rather than only the merged filesystem. Package detection then identifies installed software by reading the package manager databases in the OS layers (dpkg, rpm, apk) and the ecosystem metadata left by application dependencies (lock files, Python dist-info directories, Maven POMs, Go build info embedded in binaries, and so on).
Scanners then match each detected package against vulnerability databases (NVD, the distribution's security tracker, OSV, the GitHub Advisory Database) by ecosystem, package name and affected version range, and report the severity the advisory carries, usually a CVSS score. Matching against the distribution's own advisories matters: distros often backport a fix without changing the upstream version number, so matching on the upstream version alone produces false positives. Many tools also generate an SBOM (Software Bill of Materials) listing every component; a stored SBOM can be re-checked against an updated database later without pulling the image again.
Beyond software flaws, scanners perform secrets detection, using pattern and entropy rules to find API keys, passwords, and private keys embedded in the image. This has to be done per layer: a credential copied in during the build and deleted in a later RUN step is gone from the merged filesystem but still sits in the earlier layer, where anyone who can pull the image can extract it. Configuration analysis checks the image config for insecure settings, such as no USER instruction (so the container runs as root) or exposed ports the application does not need.
Scanning runs either against the registry, for images at rest after they are pushed, or in the CI pipeline, as a build step. Modern scanners attach remediation guidance to each finding, typically the fixed package version or a safer base image to rebuild from.
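The following is an added illustration of the scanning core described above, not code from any real scanner. It runs the three checks (vulnerability matching by version range, per-layer secrets detection that still sees a file deleted by a later layer's whiteout, and image-config analysis) over a constructed image. The package inventory, the advisory database with its ADV-000x identifiers, the layer contents and the sha256:aaa/bbb layer digests are all made up for the example, and the version comparator is a deliberate simplification.

```python
"""Minimal core of a container image scanner (added illustration, not a real tool).

All inputs are constructed: the package inventory a scanner would extract from
the layers, a three-entry advisory database in the shape of OSV/distro
advisories, and the text of a few layer files.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str        # "vuln", "secret" or "config"
    severity: str
    detail: str
    layer: str = ""  # layer digest the finding was located in, where known


# Constructed advisories: (ecosystem, package) -> advisories.  A package is
# affected when introduced <= installed version < fixed.
VULN_DB = {
    ("debian", "openssl"): [
        {"id": "ADV-0001", "severity": "HIGH", "introduced": "0", "fixed": "3.0.11-1"}],
    ("npm", "lodash"): [
        {"id": "ADV-0002", "severity": "CRITICAL", "introduced": "0", "fixed": "4.17.21"}],
    ("pypi", "requests"): [
        {"id": "ADV-0003", "severity": "MEDIUM", "introduced": "2.3.0", "fixed": "2.31.0"}],
}

SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}


def version_key(version: str) -> tuple:
    """Order versions by their numeric components.  Simplification for the
    example: real scanners use the ecosystem's comparator (dpkg, rpm, semver,
    PEP 440) because epochs, '~' and pre-release tags break a naive sort."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(installed: str, advisory: dict) -> bool:
    v = version_key(installed)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def match_vulnerabilities(packages: list, db: dict) -> list:
    """Vulnerability matching: look up each package by ecosystem and name, then
    test the installed version against each advisory's affected range."""
    found = []
    for pkg in packages:
        for adv in db.get((pkg["ecosystem"], pkg["name"]), []):
            if is_affected(pkg["version"], adv):
                found.append(Finding("vuln", adv["severity"],
                                     f"{adv['id']} in {pkg['name']} {pkg['version']} "
                                     f"(fixed in {adv['fixed']})", pkg["layer"]))
    return found


def detect_secrets(layers: list) -> list:
    """Secrets detection over every layer blob, not the merged filesystem.
    A '.wh.<name>' entry is an OCI whiteout (file deleted in this layer); the
    deleted file's bytes are still in the earlier layer, so they still get scanned."""
    found = []
    for layer in layers:
        for path, content in layer["files"].items():
            if os.path.basename(path).startswith(".wh."):
                continue  # deletion marker: carries no content of its own
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    found.append(Finding("secret", "HIGH", f"{label} in {path}", layer["digest"]))
    return found


def check_config(config: dict) -> list:
    """Configuration analysis on the image config (the 'config' object of an OCI image)."""
    found = []
    if config.get("User", "") in ("", "0", "root", "0:0"):
        found.append(Finding("config", "MEDIUM", "no USER set: processes run as root"))
    for port in config.get("ExposedPorts", {}):
        if port.split("/")[0] in ("22", "2375", "2376"):
            found.append(Finding("config", "MEDIUM", f"exposes management port {port}"))
    return found


def scan_image(image: dict) -> list:
    return (match_vulnerabilities(image["packages"], VULN_DB)
            + detect_secrets(image["layers"])
            + check_config(image["config"]))


# Constructed image: a .env file added in the first layer and deleted in the second.
SAMPLE_IMAGE = {
    "config": {"User": "", "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}}},
    "layers": [
        {"digest": "sha256:aaa", "files": {
            "/app/.env": "password=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}},
        {"digest": "sha256:bbb", "files": {
            "/app/.wh..env": "", "/app/server.py": "print('hello')\n"}},
    ],
    "packages": [
        {"ecosystem": "debian", "name": "openssl", "version": "3.0.10-1", "layer": "sha256:aaa"},
        {"ecosystem": "npm", "name": "lodash", "version": "4.17.21", "layer": "sha256:bbb"},
        {"ecosystem": "pypi", "name": "requests", "version": "2.28.0", "layer": "sha256:bbb"},
    ],
}

if __name__ == "__main__":
    for f in scan_image(SAMPLE_IMAGE):
        print(f"{f.kind:6} {f.severity:8} {f.detail}  [{f.layer}]")
```

Run as-is it reports six findings: the two affected packages (lodash is at exactly the fixed version and is correctly not flagged), the two secrets located in layer sha256:aaa even though the file no longer exists in the merged filesystem, and the two configuration issues.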
Types of container vulnerabilities detected by scanning
Operating system vulnerabilities: These are risks in base OS packages that affect all containers built from that specific image.
Application dependency vulnerabilities: These flaws exist in language-specific packages (like npm, pip, or Maven) and libraries used by your application.
Configuration issues: Misconfigurations include insecure defaults, weak permissions, or exposed ports that leave containers open to attack.
Embedded secrets: Secrets exposure occurs when credentials, API keys, and certificates are accidentally included in images.
Malware and backdoors: Scanners can detect malicious code injected into images through supply chain attacks.
Compliance violations: These are deviations from security benchmarks, such as the CIS Docker Benchmark.
Licensing issues: Scanners identify open-source license conflicts that could create legal risks for your organization.
Image signing and provenance verification
Image signing provides cryptographic proof that images haven't been tampered with between build and deployment. Organizations use signing to establish trust in their container supply chain.
How signing works: The build system signs the image's manifest digest (the sha256 that uniquely identifies that exact image content) with a private key and pushes the signature to the registry alongside the image. It can also sign an attestation, a statement about the image (who built it, when, from which source) whose subject is that same digest. At deployment time, an admission controller resolves the requested image to its digest, verifies the signature with the corresponding public key (or, for keyless signing, checks the signing certificate's identity against policy and the transparency log), and rejects the workload if verification fails. Deploying by digest rather than by tag matters here: a tag can be moved to a different image after the signature was made, a digest cannot.
Common signing approaches:
Sigstore Cosign: Open-source tool for signing and verifying container images and attestations, with keyless signing (a short-lived certificate bound to an OIDC identity such as a CI job, recorded in the Rekor transparency log)
Docker Content Trust: Docker's built-in image signing, based on Notary v1; the Notary Project's Notation tool is its successor
Cloud-native signing: AWS Signer, Azure Container Registry (signing with Notation), and Google Binary Authorization (deploy-time policy enforcement that verifies attestations)
Provenance attestations go beyond a bare signature to document the complete build process: source repository, commit hash, build parameters, builder identity, and dependencies. This is what the higher levels of the SLSA (Supply-chain Levels for Software Artifacts) framework require, and it lets security teams trace an image back to the exact source and build that produced it.
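The following added example walks through the flow just described end to end: a build system signs a SLSA provenance statement whose subject is the image digest, and an admission check verifies it against policy. It is not Cosign's or any admission controller's code. It assumes the Python `cryptography` package for Ed25519, and the signing key, image digest, builder ID (https://ci.example/builder), repository URL and registry name are all constructed for the example. The envelope follows the DSSE layout and the statement the in-toto/SLSA v1 shape; a real deployment would fetch the envelope from the registry and the public key or trust root from configuration.

```python
"""Image signing, provenance attestation and admission-time verification
(added illustration).  Assumes `pip install cryptography`.  Keys, digests,
builder ID and repository URL are constructed for the example."""
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

IN_TOTO = "application/vnd.in-toto+json"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed,
    binding the payload type to the payload so neither can be swapped."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def dsse_sign(priv, payload_type: str, statement: dict) -> dict:
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = priv.sign(pae(payload_type, payload))
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}


def dsse_verify(pub, envelope: dict) -> dict:
    """Return the statement if any signature verifies under `pub`, else raise."""
    payload = base64.b64decode(envelope["payload"])
    for s in envelope["signatures"]:
        try:
            pub.verify(base64.b64decode(s["sig"]), pae(envelope["payloadType"], payload))
            return json.loads(payload)
        except InvalidSignature:
            continue
    raise ValueError("no valid signature")


def attest_build(priv, image_name: str, digest: str, builder_id: str, repo: str, commit: str) -> dict:
    """What the build system emits: a signed SLSA provenance statement whose
    subject is the image's manifest digest."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": image_name, "digest": {"sha256": digest}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {"externalParameters": {
                "source": {"uri": repo, "digest": {"gitCommit": commit}}}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    return dsse_sign(priv, IN_TOTO, statement)


def admit(image_ref: str, envelope: dict, pub, policy: dict) -> tuple:
    """Admission check.  Returns (allowed, reason)."""
    if "@sha256:" not in image_ref:
        return False, "image must be referenced by digest; a tag can be moved after signing"
    digest = image_ref.rsplit("@sha256:", 1)[1]
    try:
        stmt = dsse_verify(pub, envelope)
    except ValueError as exc:
        return False, str(exc)
    if digest not in {s["digest"].get("sha256") for s in stmt["subject"]}:
        return False, "attestation subject does not match the requested digest"
    if stmt.get("predicateType") != SLSA_V1:
        return False, "not a SLSA provenance attestation"
    pred = stmt["predicate"]
    if pred["runDetails"]["builder"]["id"] not in policy["trusted_builders"]:
        return False, "untrusted builder"
    source = pred["buildDefinition"]["externalParameters"]["source"]["uri"]
    if source not in policy["allowed_sources"]:
        return False, f"source {source} not allowed"
    return True, "ok"


def demo() -> dict:
    """Run the flow on constructed inputs and collect each admission decision."""
    priv = ed25519.Ed25519PrivateKey.generate()   # the build system's signing key
    pub = priv.public_key()                       # what the admission controller trusts
    digest = hashlib.sha256(b"constructed image manifest").hexdigest()
    name, repo = "registry.example/app", "git+https://git.example/org/app"
    policy = {"trusted_builders": {"https://ci.example/builder"}, "allowed_sources": {repo}}

    good = attest_build(priv, name, digest, "https://ci.example/builder", repo, "0123abcd")
    laptop = attest_build(priv, name, digest, "https://laptop.example/dev", repo, "0123abcd")
    # An attacker rewrites the laptop-built attestation to claim the trusted builder;
    # the signature was made over the original bytes, so verification now fails.
    stmt = json.loads(base64.b64decode(laptop["payload"]))
    stmt["predicate"]["runDetails"]["builder"]["id"] = "https://ci.example/builder"
    forged = base64.b64encode(json.dumps(stmt, sort_keys=True).encode()).decode()
    tampered = dict(laptop, payload=forged)
    other = hashlib.sha256(b"a different image").hexdigest()

    return {
        "by_digest": admit(f"{name}@sha256:{digest}", good, pub, policy),
        "by_tag": admit(f"{name}:latest", good, pub, policy),
        "wrong_digest": admit(f"{name}@sha256:{other}", good, pub, policy),
        "untrusted_builder": admit(f"{name}@sha256:{digest}", laptop, pub, policy),
        "tampered": admit(f"{name}@sha256:{digest}", tampered, pub, policy),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:18} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Only the digest-pinned reference with the genuine, trusted-builder attestation is admitted; the tag reference, the mismatched digest, the laptop-built attestation and the edited attestation are each refused with a reason that says which check failed.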
Container scanning tool categories
Organizations choose from several scanning approaches based on their architecture and requirements:
Registry-native scanners integrate directly with container registries (Amazon ECR, Azure ACR, Google Artifact Registry, Docker Hub). These scanners automatically analyze images when they are pushed and surface results in the registry UI or API. Best for teams that want scanning without additional infrastructure.
CI/CD-integrated scanners run as pipeline steps during image builds. They fail builds that violate security policies and provide immediate feedback to developers. Best for shift-left security and preventing vulnerabilities from reaching registries.
Open-source scanning tools offer flexibility and customization without licensing costs. Organizations can integrate these into existing workflows and extend functionality. Best for teams with engineering resources to maintain scanning infrastructure.
Unified CNAPP platforms combine container scanning with cloud security posture management, runtime protection, and security graph analysis. These platforms correlate container vulnerabilities with cloud context (network exposure, permissions, sensitive data access) to prioritize real risks. Best for organizations seeking comprehensive cloud-native security with reduced tool sprawl.
Container image scanning deployment strategies
Registry scanning analyzes images at rest in container registries such as Docker Hub, ECR, Artifact Registry, or ACR, typically triggered on push and repeated when the vulnerability database updates, so an image is assessed before anything pulls it. CI/CD integration scans inline during the build, with policy enforcement gates that fail the build and block the push when an image violates policy.
Pre-deployment validation scans images in staging environments before they are promoted to production. Continuous scanning monitors deployed images on an ongoing basis, alerting security teams when researchers disclose new vulnerabilities (CVEs) that affect packages already running in production. This ensures organizations can respond quickly even after images are deployed.
You can choose between agentless and agent-based approaches. Agentless scanning uses cloud and registry APIs (for example, snapshotting workload disks or reading registry contents) to cover every image without installing or maintaining anything inside the workloads. Agent-based approaches add runtime context, such as which vulnerable packages are actually loaded into running processes, at the cost of deploying and maintaining the agent. Many teams combine agentless scanning for coverage with a lightweight sensor for prioritization.
For a defense-in-depth strategy, implement scanning at multiple stages, including build, registry, and runtime. You can integrate these scans with existing DevOps tooling like Jenkins, GitLab, and GitHub Actions.
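The policy enforcement gate mentioned above, as an added example rather than any vendor's or scanner's code. It takes a scanner report (the shape below is constructed; real tools emit JSON that maps onto the same fields), fails the build on critical and high findings that have a fix available, reports unfixable findings as warnings so developers are not blocked on something they cannot change, and honours time-boxed exceptions that block again once they expire. The CVE-0000-000x identifiers, package names, policy values and dates are all placeholders for the example.

```python
"""CI/CD policy gate over a scanner report (added illustration).  Report
shape, policy, CVE-0000-000x placeholder IDs and dates are constructed."""
from datetime import date

# Constructed scanner report for one freshly built image.
REPORT = {
    "image": "registry.example/app:build-42",
    "findings": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "pkg": "libfoo", "installed": "1.0", "fixed": "1.1"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "pkg": "zlib", "installed": "1.2.11", "fixed": None},
        {"id": "CVE-0000-0003", "severity": "HIGH", "pkg": "curl", "installed": "7.0", "fixed": "7.1"},
        {"id": "CVE-0000-0004", "severity": "MEDIUM", "pkg": "bash", "installed": "5.0", "fixed": "5.1"},
    ],
}

POLICY = {
    "block_severities": {"CRITICAL", "HIGH"},
    # Findings with no fix available yet cannot be resolved in this build; surface
    # them as warnings and track them rather than failing every build until upstream ships.
    "block_only_if_fix_available": True,
    # Exceptions carry an expiry and a justification; the gate re-blocks when they lapse.
    "exceptions": {
        "CVE-0000-0001": {"expires": "2025-09-30",
                          "reason": "libfoo CLI never invoked by the service; tracked in SEC-123"},
    },
}


def evaluate(report: dict, policy: dict, today: str) -> dict:
    """Classify each finding as blocking, warning (no fix yet) or excepted."""
    now = date.fromisoformat(today)
    out = {"blocking": [], "warnings": [], "excepted": [], "expired_exceptions": []}
    for f in report["findings"]:
        if f["severity"] not in policy["block_severities"]:
            continue
        exc = policy["exceptions"].get(f["id"])
        if exc is not None:
            if date.fromisoformat(exc["expires"]) >= now:
                out["excepted"].append(f["id"])
                continue
            out["expired_exceptions"].append(f["id"])  # falls through: it blocks again
        if f["fixed"] is None and policy["block_only_if_fix_available"]:
            out["warnings"].append(f["id"])
            continue
        out["blocking"].append(f["id"])
    return out


def gate(report: dict, policy: dict, today: str) -> int:
    """Pipeline step: print the verdict and return the exit status (0 pass, 1 fail)."""
    verdict = evaluate(report, policy, today)
    by_id = {f["id"]: f for f in report["findings"]}
    for cve in verdict["blocking"]:
        f = by_id[cve]
        print(f"BLOCK {cve} {f['severity']}: upgrade {f['pkg']} {f['installed']} -> {f['fixed']}")
    for cve in verdict["warnings"]:
        print(f"WARN  {cve}: no fix available yet; tracked, not blocking")
    for cve in verdict["expired_exceptions"]:
        print(f"NOTE  exception for {cve} has expired; renew with a fresh justification or fix it")
    print(f"{report['image']}: {'FAIL' if verdict['blocking'] else 'PASS'}")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    raise SystemExit(gate(REPORT, POLICY, date.today().isoformat()))
```

On 2025-06-01 the build fails on the curl finding alone: the libfoo finding is covered by a live exception and the zlib finding has no fix to upgrade to. Run the same report on 2025-10-01 and the expired exception puts libfoo back in the blocking set.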
Implementation challenges
While container image scanning is essential for cloud security, organizations face several practical challenges when implementing scanning programs at scale.
Alert fatigue: Scanning often generates thousands of findings, making it difficult to prioritize without context.
False positives: Scanners may flag vulnerabilities that aren't actually exploitable in your environment, for example a flaw in a function your application never calls, or a package the distribution has already fixed with a backport that the scanner's version matching does not recognize.
Performance impact: Heavy scanning processes can slow down CI/CD pipelines or production workloads.
Coverage gaps: Blind spots occur when you only scan some registries or lack runtime context.
Remediation complexity: It can be hard to determine which vulnerabilities require immediate action versus those that can wait.
Developer friction: Developers may resist scanning if it blocks deployments or creates excessive manual work.
To reduce these problems, use contextual scanning that correlates each vulnerability with exposure (is the container reachable from the internet?), permissions (what can its identity do?), and sensitive data access, and take in reachability analysis or VEX (Vulnerability Exploitability eXchange) statements where vendors publish them. Make exceptions explicit, justified and time-boxed so they are revisited rather than forgotten.
Measuring container scanning effectiveness
Track these metrics to demonstrate security improvement and program maturity:
Vulnerability metrics:
Percentage of images with zero critical/high vulnerabilities: Target 95%+ for production images
Mean time to remediate (MTTR) by severity: Critical < 24 hours, High < 7 days, Medium < 30 days
Vulnerability density: Average CVEs per image, trending downward over time
Fix rate: Percentage of identified vulnerabilities remediated within SLA
Process metrics:
Scan coverage: Percentage of images scanned before deployment (target: 100%)
Policy compliance rate: Percentage of builds passing security gates on first attempt
Image signing adoption: Percentage of production images with valid signatures
SBOM generation rate: Percentage of images with current SBOMs
Operational metrics:
Drift from base images: How quickly teams update to patched base images
Exception volume: Number of active vulnerability exceptions (trending downward)
False positive rate: Percentage of flagged vulnerabilities not exploitable in context
Developer satisfaction: Survey scores on scanning tool usability and friction
These metrics help security leaders demonstrate ROI, identify process gaps, and continuously improve their container security posture.
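The following added example computes several of the metrics listed above from raw finding records, so that the definitions are unambiguous (in particular, what counts toward MTTR and what counts as a fix within SLA). It is not code from any scanning product. The four images, four CVE-A to CVE-D findings, their timestamps and the SLA table are constructed for the example, and the SLA thresholds simply mirror the targets given in the list.

```python
"""Container scanning metrics from finding records (added illustration).
Images, findings, timestamps and SLA table are constructed for the example."""
from datetime import datetime

# Remediation SLA per severity, in hours, matching the targets in the text.
SLA_HOURS = {"CRITICAL": 24, "HIGH": 7 * 24, "MEDIUM": 30 * 24}

IMAGES = ["api", "web", "worker", "batch"]
FINDINGS = [
    {"image": "api",    "id": "CVE-A", "severity": "CRITICAL",
     "detected": "2025-05-01T00:00", "fixed": "2025-05-01T18:00"},
    {"image": "api",    "id": "CVE-B", "severity": "HIGH",
     "detected": "2025-05-01T00:00", "fixed": "2025-05-10T00:00"},
    {"image": "web",    "id": "CVE-C", "severity": "HIGH",
     "detected": "2025-05-20T00:00", "fixed": None},          # still open
    {"image": "worker", "id": "CVE-D", "severity": "MEDIUM",
     "detected": "2025-05-01T00:00", "fixed": "2025-05-15T00:00"},
]


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def compute_metrics(findings: list, images: list, now: str) -> dict:
    open_findings = [f for f in findings if f["fixed"] is None]
    fixed_findings = [f for f in findings if f["fixed"] is not None]

    # Images are "clean" only if they have no OPEN critical/high finding;
    # findings that were fixed do not count against them.
    dirty_images = {f["image"] for f in open_findings if f["severity"] in ("CRITICAL", "HIGH")}

    # MTTR is computed over remediated findings only, per severity.
    mttr = {}
    for sev in SLA_HOURS:
        times = [hours_between(f["detected"], f["fixed"]) for f in fixed_findings if f["severity"] == sev]
        if times:
            mttr[sev] = round(sum(times) / len(times), 1)

    # Fix rate uses ALL identified findings as the denominator, so an open
    # finding past its SLA counts as a miss rather than disappearing from the ratio.
    within_sla = sum(1 for f in fixed_findings
                     if hours_between(f["detected"], f["fixed"]) <= SLA_HOURS[f["severity"]])
    open_past_sla = [f["id"] for f in open_findings
                     if hours_between(f["detected"], now) > SLA_HOURS[f["severity"]]]

    return {
        "pct_images_zero_crit_high": round(100 * (1 - len(dirty_images) / len(images)), 1),
        "mttr_hours": mttr,
        "open_vulns_per_image": round(len(open_findings) / len(images), 2),
        "fix_rate_within_sla_pct": round(100 * within_sla / len(findings), 1),
        "open_past_sla": open_past_sla,
    }


if __name__ == "__main__":
    for name, value in compute_metrics(FINDINGS, IMAGES, "2025-06-01T00:00").items():
        print(f"{name}: {value}")
```

With the sample data as of 2025-06-01, three of four images have no open critical or high finding (75%), MTTR is 18 hours for critical, 216 hours (9 days, an SLA miss) for high and 336 hours for medium, and the fix rate within SLA is 50%: two of four findings were fixed in time, one was fixed late and one is still open twelve days after detection.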
Wiz's approach to container image scanning
Wiz provides agentless scanning across your entire cloud environment without performance impact or deployment complexity. The Wiz Security Graph correlates container vulnerabilities with runtime exposure, network paths, and sensitive data access to identify real attack paths.
Wiz Code extends scanning into CI/CD integration with policy enforcement that prevents vulnerable containers from reaching production. WizOS provides hardened, near-zero CVE container images, built from source and maintained by Wiz. This helps you start with a more secure baseline and reduces the burden of managing image vulnerabilities and patching.
Runtime context from the Wiz sensor validates which vulnerabilities are actually exploitable in your specific environment. Unified visibility across code, containers, and cloud eliminates tool sprawl while providing complete attack surface coverage.
Ready to eliminate container blind spots and focus on exploitable risks that matter? Get a demo to see how graph-powered, agentless scanning turns thousands of vulnerability alerts into a prioritized queue of real attack paths—without agents, performance impact, or deployment complexity.