How to scan Docker images for vulnerabilities?

· Category: Docker

Short answer

Scan Docker images using tools like Trivy, Docker Scout, or Clair. These tools analyze OS packages and application dependencies to detect known vulnerabilities.

Steps

  1. Build your image.
  2. Run a scanner against the image tag.
  3. Review the report for critical and high-severity CVEs.
  4. Update base images or rebuild with patched packages.

Example

# Using Trivy
trivy image myapp:v1.0

# Using Docker Scout
docker scout cves myapp:v1.0

Integrate into CI/CD (the step below, written as a GitHub Actions step, fails the job because `--exit-code 1` makes Trivy return non-zero when HIGH or CRITICAL findings are present):

- name: Scan image
  run: trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:v1.0
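Beyond failing on an exit code, a CI gate usually needs to read the report itself: summarise findings by severity, decide which ones block, and print the blocking ones with their fixed versions so the "rebuild with patched packages" step is actionable. The script below is an added example (not part of the original answer or of Trivy) that does this over Trivy's JSON output (`trivy image --format json -o report.json myapp:v1.0`). The embedded SAMPLE_REPORT is constructed in that layout so the script runs offline; its CVE identifiers are placeholders, not real CVEs. The `--ignore-unfixed` behaviour mirrors the idea of Trivy's flag of the same name: findings with no fixed version yet are reported but do not block.

```python
"""Gate a CI build on a Trivy JSON report.

Usage:
    trivy image --format json -o report.json myapp:v1.0
    python gate.py report.json [--ignore-unfixed]

With no report path the constructed SAMPLE_REPORT below is used.
"""
import json
import sys
from collections import Counter

# Severities that block the build, mirroring `--severity HIGH,CRITICAL`.
BLOCKING = frozenset({"HIGH", "CRITICAL"})

# Constructed sample in Trivy's JSON report layout.
# The CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "myapp:v1.0",
    "Results": [
        {
            "Target": "myapp:v1.0 (alpine 3.18)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "openssl",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "busybox",
                 "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-4", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
}


def findings(report):
    """Flatten a report into (target, vulnerability) pairs. Targets with no
    findings omit the "Vulnerabilities" key, so default to an empty list."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def severity_counts(report):
    """Count findings per severity, e.g. {"CRITICAL": 1, "HIGH": 1, ...}."""
    return Counter(vuln["Severity"] for _, vuln in findings(report))


def blocking_findings(report, fail_on=BLOCKING, ignore_unfixed=False):
    """Return the findings that should fail the build.

    With ignore_unfixed=True, findings that have no FixedVersion are skipped:
    no rebuild can remove them yet, so they are tracked rather than blocking.
    """
    return [
        (target, vuln) for target, vuln in findings(report)
        if vuln["Severity"] in fail_on
        and not (ignore_unfixed and not vuln.get("FixedVersion"))
    ]


def main(argv):
    """CLI entry point; returns 1 when blocking findings exist, else 0."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    if paths:
        with open(paths[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print("Severity summary:", dict(severity_counts(report)))
    blocking = blocking_findings(report, ignore_unfixed="--ignore-unfixed" in argv)
    for target, vuln in blocking:
        print(f"BLOCK {vuln['Severity']:<8} {vuln['VulnerabilityID']} "
              f"{vuln['PkgName']} {vuln['InstalledVersion']} -> "
              f"fixed in {vuln.get('FixedVersion') or 'n/a'} [{target}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports one CRITICAL and one HIGH finding and exits 1; with `--ignore-unfixed` only the CRITICAL openssl finding (which has a fixed version) blocks, so the unfixed busybox one is listed in the summary but does not fail the build.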

Tips

  • Scan images in CI before pushing to registries.
  • Use distroless or alpine images to reduce the attack surface.
  • Subscribe to CVE feeds for your base image distributions.

Common issues

  • False positives are common; review each finding carefully.
  • Some scanners require internet access to download vulnerability databases.
  • Scanning large images can be slow; consider slim base images.