Written by michal
Scanning Docker container images
Looking for potential vulnerabilities in Docker images is crucial before shipping them to customers or putting them into production. Image scanning should be part of any CI pipeline, so that shipped software is as secure as possible and vulnerabilities and CVEs are detected early in the process.
Docker Engine comes with
docker scan IMAGE_NAME
which runs on the Snyk engine to detect CVEs and vulnerabilities. The scan result also shows potential remediations (e.g. using a newer base image).
More details under the link
Another solution is Trivy from Aqua Security, which serves a similar purpose. Once it is installed, running it is as simple as
trivy image IMAGE_NAME