Module 7 Lesson 3: Image Scanning and Vulnerabilities

Detect the invisible threats. Learn how to use static and dynamic scanning tools to find 'Common Vulnerabilities and Exposures' (CVEs) in your base images and libraries.

Even if your code is perfect, the "Base Image" you use (like ubuntu or python) might contain outdated libraries with known security holes. These are called CVEs (Common Vulnerabilities and Exposures).

1. What is a CVE?

A CVE is a standardized record of a publicly known security vulnerability.

  • Example: CVE-2014-0160 (Heartbleed).
  • The Score (CVSS): Each vulnerability carries a CVSS base score from 0 (Min) to 10 (Critical); scores of 9.0 and above are rated "Critical", 7.0 to 8.9 "High". In a production environment, you should never deploy an image with a "High" or "Critical" vulnerability.

2. The Tools of the Trade

You don't have to find these manually. There are automated scanners:

A. Docker Scout / Docker Scan

Built into the docker CLI. It analyzes the layers of your image and matches the packages it finds against a global vulnerability database. Note that the older docker scan command has been deprecated in favour of Docker Scout (docker scout cves, docker scout quickview).

B. Trivy (Industry Favorite)

An open-source, fast scanner that works for images, git repositories, and even Kubernetes clusters.

  • trivy image my-app:latest

C. Snyk

A developer-focused tool that not only finds the vulnerabilities but also proposes the fix, usually the exact dependency version or base image to upgrade to.


3. How to Respond to a Scan

When a scan says you have 50 "Critical" vulnerabilities in your python:3.9 image:

  1. Switch to Slim/Alpine: Most vulnerabilities live in the "extra" tools and libraries your application never uses. Moving to 3.9-slim often removes 90% of the holes.
  2. Update your OS Packages: Run apt-get upgrade in your Dockerfile (Carefully!). Pair it with apt-get update in the same RUN instruction, and remember that a cached layer will not pick up newer packages unless you rebuild with --no-cache.
  3. Upgrade your Python/Node libraries: Your requirements.txt or package.json might be pinning an old version of a library; the scan report tells you which version contains the fix.

4. Automating with CI/CD

In a professional "DevSecOps" pipeline, images are scanned automatically before they are pushed to the registry.

  • If a "Critical" bug is found, the build fails.
  • This ensures that no "Unsafe" code ever touches your production servers.
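The gate described above, as an added example (not the course's code): a small CI step that reads a Trivy JSON report (trivy image --format json my-app:latest), counts findings per severity, lists the fixable "Critical" ones, and returns a non-zero exit code so the pipeline fails before the push. The embedded report is constructed for the example; CVE-2014-0160 is the lesson's Heartbleed example, the other IDs and all versions are placeholders.

```python
import json
import sys
from collections import Counter

# Severities that block the build, as in the lesson: a "Critical" finding fails the pipeline.
BLOCKING = {"CRITICAL"}

# Constructed sample of `trivy image --format json` output (not a real scan).
# CVE-2014-0160 is the lesson's Heartbleed example; CVE-EXAMPLE-* IDs and versions are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "my-app:latest (debian 12.5)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2014-0160", "PkgName": "libssl1.0.0", "Severity": "CRITICAL",
         "InstalledVersion": "1.0.1e-2", "FixedVersion": "1.0.1e-2+deb7u5"},
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "curl", "Severity": "HIGH",
         "InstalledVersion": "7.88.1-10", "FixedVersion": ""},
    ]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "requests", "Severity": "MEDIUM",
         "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0"},
    ]},
]})

def summarize(report_json):
    """Return (counts per severity, list of blocking findings) from a Trivy JSON report."""
    report = json.loads(report_json)
    counts, blocking = Counter(), []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null for a clean target
            counts[v["Severity"]] += 1
            if v["Severity"] in BLOCKING:
                blocking.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                                 v.get("FixedVersion") or "no fix yet"))
    return counts, blocking

def gate(report_json):
    """CI exit code: 1 (fail the build) if any blocking finding exists, otherwise 0."""
    counts, blocking = summarize(report_json)
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        print(f"{sev:9s} {counts.get(sev, 0)}")
    for cve, pkg, installed, fixed in blocking:
        print(f"BLOCKING {cve}: {pkg} {installed} -> upgrade to: {fixed}")
    return 1 if blocking else 0

if __name__ == "__main__":
    # Usage: python gate.py report.json   (no argument: run against the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Widen BLOCKING to {"CRITICAL", "HIGH"} once the image is clean enough to hold that bar; the same script then enforces the stricter policy without other changes.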

Exercise: The Security Detective

  1. Download the python:3.7 image (an older version).
  2. Run a scan: docker scout quickview python:3.7.
  3. Now download python:3.11-alpine.
  4. Run a scan on the 3.11-alpine version.
  5. The Goal: How many "Critical" vulnerabilities did you eliminate by simply updating the version and switching to a smaller base?
  6. Look up one of the CVE IDs listed in the 3.7 scan. What does that vulnerability actually allow an attacker to do?

Summary

Scanning is not a "One-time" task. New vulnerabilities are discovered daily. By integrating scanning into your daily workflow, you move from "Hoping you are safe" to "Knowing you are compliant."

Next Lesson: Keeping secrets secret: Docker secrets vs environment variables.
