Scan Docker images for vulnerabilities

Topic: Containers core

Summary

Use docker scan or a registry scanner to find known vulnerabilities in image layers. Fix findings by updating the base image and dependencies. Scan before deploying to production.

Intent: How-to

Quick answer

  • docker scan myimage runs a Snyk scan if it is configured; alternatively, run Trivy or Clair in CI. Scan after every build.
  • Review the findings; fix them by upgrading the base image or the packages installed in the Dockerfile. Rebuild and rescan.
  • Block deployment in CI on high or critical findings. Triage low findings and either patch them or accept the risk with a written note.

Prerequisites

Steps

  1. Run scan

    Run docker scan myimage, or integrate Trivy or Clair into the pipeline. Save the report so findings can be compared across builds.

  2. Triage

    Upgrade the base image and rebuild. Fix remaining vulnerable packages in the Dockerfile. Rescan to confirm the findings are gone.

  3. Enforce

    Fail CI on high or critical findings. Document every accepted exception. Rescan whenever the base image is updated.
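As an added example (not from the original page), the following Python severity gate can run as a CI step over a Trivy JSON report: it blocks on findings at or above the chosen severity, waives only IDs that carry a written justification (the documented exception list), and prints an upgrade hint when a fixed version is known. The report layout mirrors what trivy image --format json --output report.json produces as far as I know it, but the sample below is constructed and its CVE IDs are placeholders.

```python
import json

# Severity order used for the gate; Trivy reports severities as upper-case strings.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout `trivy image --format json` emits (top-level
# Results[], each with Vulnerabilities[]). IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "myimage:latest", "Results": [{
    "Target": "myimage:latest (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libc6",
         "InstalledVersion": "2.36-1", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "zlib1g",
         "InstalledVersion": "1.2.13", "FixedVersion": "1.2.14", "Severity": "LOW"}]}]})


def findings(report_json):
    """Flatten Results[].Vulnerabilities[] into (id, package, severity, fixed_version)."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # null when a target is clean
            out.append((v["VulnerabilityID"], v["PkgName"],
                        v.get("Severity", "UNKNOWN").upper(), v.get("FixedVersion", "")))
    return out


def gate(report_json, fail_on="HIGH", accepted=None):
    """Split findings at or above `fail_on` into (blocking, waived).

    `accepted` maps finding ID -> written justification; only entries with a
    non-empty justification are waived, so the exception list is also the record.
    """
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, waived = [], []
    for f in findings(report_json):
        if SEVERITY_RANK.get(f[2], 0) < threshold:
            continue  # below the gate: triage later, do not block the deploy
        (waived if accepted.get(f[0], "").strip() else blocking).append(f)
    return blocking, waived


def exit_code(report_json, fail_on="HIGH", accepted=None):
    """Non-zero when anything blocks, so a CI step can fail on the return value."""
    blocking, _ = gate(report_json, fail_on, accepted)
    for vid, pkg, sev, fixed in blocking:
        hint = f"upgrade to {fixed}" if fixed else "no fix yet: update base image or document an exception"
        print(f"{sev:8} {vid} {pkg}: {hint}")
    return 1 if blocking else 0
```

In a pipeline, read the saved report from disk, load the exception list from a reviewed file in the repository, and exit with the returned code so the job fails when anything blocks.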

Summary

Scan images with docker scan or Trivy/Clair; fix findings by updating the base image and dependencies; fail CI on critical findings.

Prerequisites

Steps

Step 1: Run scan

Run the scanner on the image and save the report.

Step 2: Triage

Update the base image and packages; rebuild and rescan.

Step 3: Enforce

Fail the pipeline on critical findings; document exceptions.

Verification

  • The scan runs in CI; every critical finding is either fixed or accepted with a documented justification.

Troubleshooting

  • Scan fails — Check the scanner configuration and network access to the vulnerability database.
  • Too many findings — Start with a base image upgrade; it usually clears the bulk of them.

Next steps

Continue to