Container image scanning identifies vulnerabilities, misconfigurations, and supply-chain risks inside container images before they reach production. Tools like Grype and Trivy analyze operating-system packages, language dependencies, configuration files, and metadata. The goal is to catch known CVEs, outdated components, and insecure layers before an image is deployed. Container scanning is a core requirement of DevSecOps pipelines and prevents shipping vulnerable software inside containers.
Understanding Image Scanning
Container images bundle:
• OS-level packages
• Application binaries
• Language dependencies
• Build tools
• Configuration files
• Secrets (if improperly handled)
Attackers often exploit vulnerabilities in system packages like OpenSSL, glibc, curl, busybox, and other foundational components. Scanners detect these vulnerabilities early by comparing installed packages to CVE databases.
Scanning highlights:
• Severity (Critical → Low)
• Affected version
• Fixed version
• Package type and location
• Layer where vulnerability appears
• Remediation strategy
Regular scanning ensures the supply chain remains safe from inherited vulnerabilities.
Why Use Grype and Trivy
Grype
Grype specializes in fast, accurate vulnerability detection with detailed dependency mapping. It supports SBOM scanning and integrates well with CI/CD pipelines.
Trivy
Trivy provides full-stack scanning, including:
• OS vulnerabilities
• Application dependencies
• Misconfigurations
• Secrets
• IaC issues
Trivy delivers high accuracy, speed, and wide ecosystem coverage, making it one of the most commonly used scanners.
Using both tools provides redundancy and greater detection reliability.
How Image Scanning Works
1. Extract Layers
The scanner unpacks the image's tar layers and reconstructs the filesystem they produce.
2. Identify Packages
Detects system packages (apk, apt, rpm) and language packages (npm, pip, ruby gems, go modules).
3. Build Dependency Graph
Maps linked libraries and versions.
4. Match Against Vulnerability Databases
Queries CVE feeds (NVD, GitHub Advisory, vendor advisories, etc.).
5. Generate Report
Lists vulnerabilities and suggested fix versions.
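As an added illustration of steps 2 to 5 (not code from the page, Grype or Trivy), the Python below matches a constructed package inventory against constructed advisory entries with placeholder CVE ids; the version comparison is a deliberately simple stand-in for the per-ecosystem ordering rules real scanners implement:

```python
import re

# Constructed package inventory in the shape a scanner derives from an image's
# package databases (apk/dpkg/rpm) and language lockfiles (step 2).
INVENTORY = [
    {"name": "openssl", "version": "3.0.11-r0", "type": "apk"},
    {"name": "curl", "version": "8.5.0-r0", "type": "apk"},
    {"name": "requests", "version": "2.31.0", "type": "pip"},
]

# Constructed advisory feed entries (placeholder CVE ids, not real ones).
# Each says: versions of this package below fixed_version are affected.
ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "openssl", "type": "apk",
     "fixed_version": "3.0.12-r0", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "name": "curl", "type": "apk",
     "fixed_version": "8.4.0-r0", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "name": "requests", "type": "pip",
     "fixed_version": "2.32.0", "severity": "MEDIUM"},
]

def version_key(version):
    """Split '3.0.11-r0' into [(0,3),(0,0),(0,11),(1,'r'),(0,0)] so versions
    compare numerically segment by segment. Adequate for the apk/pip styles
    used here; real scanners implement each ecosystem's ordering (dpkg
    epochs, rpm release tags, PEP 440 pre-releases)."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]

def is_affected(installed, fixed):
    """Affected when the installed version sorts below the first fixed version."""
    return version_key(installed) < version_key(fixed)

def match(inventory, advisories):
    """Step 4: join the inventory to the feed on (name, ecosystem) and keep the
    pairs whose installed version is below the fix; step 5 is printing them."""
    findings = []
    for pkg in inventory:
        for adv in advisories:
            if (adv["name"], adv["type"]) != (pkg["name"], pkg["type"]):
                continue
            if is_affected(pkg["version"], adv["fixed_version"]):
                findings.append({"id": adv["id"], "pkg": pkg["name"],
                                 "installed": pkg["version"],
                                 "fixed": adv["fixed_version"],
                                 "severity": adv["severity"]})
    return findings

if __name__ == "__main__":
    for f in match(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> fix in {f['fixed']}")
```

Note that curl is not reported: its installed version is already above the advisory's fixed version, which is exactly the "Affected version / Fixed version" decision the report columns expose.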
Installing Trivy
Binary
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.48.0/trivy_0.48.0_Linux-64bit.deb -o trivy.deb
sudo dpkg -i trivy.deb
Docker
docker run --rm aquasec/trivy:latest
Installing Grype
Binary
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
Docker
docker run --rm anchore/grype:latest
Scanning Images With Trivy
Scan local image:
trivy image myapp:latest
Scan remote image:
trivy image ghcr.io/user/app:1.2.0
Scan and fail on Critical issues:
trivy image --severity CRITICAL --exit-code 1 myapp:latest
Output formats:
--format json
--format table
--format sarif
Trivy detects:
• OS vulnerabilities
• Library vulnerabilities
• Secret leaks
• Misconfigurations in layers
Scanning Images With Grype
Scan with default settings:
grype myapp:latest
Scan OCI tar file:
grype ./image.tar
Scan SBOM (CycloneDX or Syft):
grype sbom:sbom.json
Fail builds on high-severity issues:
grype myapp:latest --fail-on high
Grype supports rapid scanning during CI/CD.
Combining Grype and Trivy
Running both scanners produces a more complete vulnerability profile. Each scanner uses different heuristics and databases, catching blind spots the other might miss.
Example combined script:
#!/bin/sh
set -e   # stop at the first scanner that exits non-zero
trivy image myapp:latest --exit-code 1 --severity HIGH,CRITICAL
grype myapp:latest --fail-on high
With set -e the script exits as soon as either scanner fails, so the pipeline stops on any HIGH or CRITICAL finding from either tool. Trivy's --severity filter lists only the levels named, so HIGH alone would silently ignore CRITICAL findings; Grype's --fail-on high already means high or above.
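An added Python example (not part of the page or of either tool) of the union that running both scanners gives you: it merges constructed excerpts of a Trivy JSON report and a Grype JSON report for the same image, normalises the two severity spellings, and applies the same high-or-above gate as the script above. The CVE ids are placeholders.

```python
import json

# Constructed excerpts of the two reports for one image, in the shapes that
# "trivy image --format json" and "grype -o json" emit. CVE ids are placeholders.
TRIVY_REPORT = json.loads('''{"Results": [{"Target": "myapp:latest (alpine 3.19.0)",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
     "InstalledVersion": "3.0.11-r0", "FixedVersion": "3.0.12-r0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
     "InstalledVersion": "1.36.1-r0", "FixedVersion": "", "Severity": "MEDIUM"}]}]}''')
GRYPE_REPORT = json.loads('''{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
   "artifact": {"name": "openssl", "version": "3.0.11-r0"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
   "artifact": {"name": "curl", "version": "8.4.0-r0"}}]}''')

# One severity scale: Trivy emits upper case, Grype capitalised words.
RANK = {"NEGLIGIBLE": 0, "UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def trivy_findings(report):
    for result in report.get("Results") or []:          # Results is null on a clean image
        for v in result.get("Vulnerabilities") or []:
            yield ("trivy", v["VulnerabilityID"], v["PkgName"],
                   v["InstalledVersion"], v.get("Severity", "UNKNOWN"))

def grype_findings(report):
    for m in report.get("matches", []):
        yield ("grype", m["vulnerability"]["id"], m["artifact"]["name"],
               m["artifact"]["version"], m["vulnerability"].get("severity", "Unknown"))

def merge(trivy, grype):
    """Union keyed on (CVE, package): anything either scanner reports stays in,
    the higher of two severities wins, and the reporting scanners are recorded."""
    merged = {}
    for scanner, cve, pkg, version, sev in list(trivy_findings(trivy)) + list(grype_findings(grype)):
        entry = merged.setdefault((cve, pkg), {"version": version, "severity": "UNKNOWN", "scanners": set()})
        entry["scanners"].add(scanner)
        if RANK.get(sev.upper(), 0) > RANK[entry["severity"]]:
            entry["severity"] = sev.upper()
    return merged

def blocking(merged, fail_on="HIGH"):
    """The gate the combined script expresses with --exit-code 1 and --fail-on:
    every merged finding at or above the threshold."""
    return sorted(k for k, f in merged.items() if RANK[f["severity"]] >= RANK[fail_on])

if __name__ == "__main__":
    merged = merge(TRIVY_REPORT, GRYPE_REPORT)
    for (cve, pkg), f in sorted(merged.items()):
        print(f"{f['severity']:8} {cve} {pkg} {f['version']} reported by {','.join(sorted(f['scanners']))}")
    raise SystemExit(1 if blocking(merged) else 0)   # non-zero exit fails the CI job
```

In the sample the openssl finding is reported by both tools while the curl finding comes from Grype alone, which is the blind spot a single scanner would have missed.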
Typical Vulnerabilities Found
• Outdated OpenSSL versions
• Vulnerable glibc builds
• Busybox CVEs
• Curl and wget vulnerabilities
• Log4j vulnerabilities in Java apps
• Python package vulnerabilities (requests, urllib3, Django, etc.)
• Node modules vulnerabilities
• Misconfigured Dockerfiles
Reports confirm location and affected layers.
Securing Images After Scanning
To fix vulnerabilities:
• Switch to minimal base images
• Use pinned versions
• Remove build tools and caches
• Rebuild using multi-stage builds
• Regularly update base layers
• Avoid using latest tags
• Validate that image is rebuilt from updated packages
• Enable automated scanning in CI/CD
Scanning informs, but secure building eliminates issues.
Full-Length Practical Section
Extensive practicals for mastering Grype and Trivy.
Practical 1: Scan a Basic Image With Trivy
Build test image:
docker build -t vulnapp .
Scan:
trivy image vulnapp
Review:
• vulnerability list
• fixed versions
• CVSS scores
Practical 2: Scan With Grype
grype vulnapp
Compare results from Grype and Trivy.
Practical 3: Fail Build Pipeline on Critical Vulnerabilities
Use Trivy:
trivy image --severity CRITICAL --exit-code 1 vulnapp
Use Grype:
grype vulnapp --fail-on critical
Simulate CI failure.
Practical 4: Scan Remote Registry Image
trivy image registry.hub.docker.com/library/node:18-alpine
Check upstream vulnerabilities.
Practical 5: Scan Dockerfile for Misconfigurations
trivy config Dockerfile
Look for:
• root user
• unpinned versions
• unnecessary packages
Practical 6: Scan for Secrets Inside Image Layers
trivy image --scanners secret myapp
Detect leaked tokens.
Practical 7: Generate SBOM with Syft and Scan with Grype
Create SBOM:
syft myapp:latest -o cyclonedx-json > sbom.json
Scan SBOM:
grype sbom:sbom.json
This enables reproducible scans.
Practical 8: Add Container Scanning to GitHub Actions
Create workflow:
- name: Scan with Trivy
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:latest
    severity: HIGH,CRITICAL
Push code to trigger scan.
Practical 9: Add Container Scanning to GitLab CI
container_scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
The non-zero exit code fails the pipeline whenever a HIGH or CRITICAL finding is present; adjust --severity to set the threshold.
Practical 10: Scan Images Before Push
Local pre-push hook (save as .git/hooks/pre-push and make it executable):
#!/bin/sh
trivy image myapp:latest --exit-code 1 --severity HIGH
Rejects pushes for insecure images.
Practical 11: Detect Vulnerabilities in Alpine vs Debian Images
Scan Alpine:
trivy image alpine:3.19
Scan Debian:
trivy image debian:11
Compare vulnerability counts.
Practical 12: Create a Vulnerability Baseline
Generate baseline:
trivy image myapp:latest --format json > baseline.json
Compare future scans to baseline.
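An added Python example, not from the page, of comparing a later scan against baseline.json: it indexes constructed Trivy JSON reports on (CVE, package) and fails only on regressions, that is, new findings at or above a threshold. Pass two report paths as arguments to run it on real output; the CVE ids in the embedded samples are placeholders.

```python
import json
import sys

# Constructed Trivy JSON reports: the stored baseline and a later scan of the
# same image (trivy image --format json). CVE ids are placeholders.
BASELINE = {"Results": [{"Target": "myapp:latest (alpine 3.19.0)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.0.11-r0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.1-r0", "Severity": "MEDIUM"}]}]}
CURRENT = {"Results": [{"Target": "myapp:latest (alpine 3.19.1)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.1-r0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libcrypto3", "InstalledVersion": "3.1.4-r0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0005", "PkgName": "zlib", "InstalledVersion": "1.3-r0", "Severity": "LOW"}]}]}

RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def index(report):
    """Key each Trivy finding on (CVE, package); Results is null for a clean image."""
    return {(v["VulnerabilityID"], v["PkgName"]): v
            for r in (report.get("Results") or [])
            for v in (r.get("Vulnerabilities") or [])}

def compare(baseline, current):
    """Split the current findings into new, fixed (gone since baseline) and carried."""
    b, c = index(baseline), index(current)
    return {"new": {k: c[k] for k in c.keys() - b.keys()},
            "fixed": {k: b[k] for k in b.keys() - c.keys()},
            "carried": {k: c[k] for k in b.keys() & c.keys()}}

def regressions(delta, threshold="HIGH"):
    """Only new findings at or above the threshold block; carried findings are the
    accepted baseline and are reported without failing the job."""
    return sorted(k for k, v in delta["new"].items()
                  if RANK.get(v.get("Severity", "UNKNOWN"), 0) >= RANK[threshold])

def load(path):
    with open(path) as fh:
        return json.load(fh)

if __name__ == "__main__":
    base, cur = (load(sys.argv[1]), load(sys.argv[2])) if len(sys.argv) == 3 else (BASELINE, CURRENT)
    delta = compare(base, cur)
    for bucket in ("new", "fixed", "carried"):
        for (cve, pkg), v in sorted(delta[bucket].items()):
            print(f"{bucket:8} {v['Severity']:8} {cve} {pkg} {v['InstalledVersion']}")
    sys.exit(1 if regressions(delta) else 0)
```

Regenerate baseline.json once the carried findings have been triaged, otherwise an accepted baseline quietly grows into a permanent exception list.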
Practical 13: Scan Docker Image Tar
docker save myapp -o myapp.tar
trivy image --input myapp.tar
No need to push image to registry.
Practical 14: Block Use of Vulnerable Base Images
Scan base image directly:
trivy image python:3.10
Choose safer alternative.
Practical 15: Harden Image, Rebuild, and Rescan
Perform:
• multi-stage build rewrite
• non-root user
• remove build tools
• pin versions
Scan again and compare results.
Practical 16: Automate Nightly Full Scans
Use cron-based GitHub workflow:
on:
  schedule:
    - cron: "0 2 * * *"
Ensures daily vulnerability updates.
Practical 17: Scan SBOMs From Production Images
syft registry/myapp:prod -o json > sbom.json
grype sbom:sbom.json
Audits production deployments.
Practical 18: Scan Kubernetes Images via Trivy
trivy k8s cluster
Detect outdated images running in cluster.
Practical 19: Enforce No-Critical Policy in CI
trivy image --exit-code 1 --severity CRITICAL myapp:latest
Fail pipeline until all critical issues are fixed.
Practical 20: Build Full Container Scanning Architecture
Architecture includes:
• SBOM generation
• Trivy scanning
• Grype scanning
• CI/CD enforcement
• Baseline tracking
• Registry scanning
• Kubernetes runtime scanning
• Secrets detection
• Scheduled nightly scans
• Compliance reporting
This forms a complete DevSecOps container vulnerability framework.
Intel Dump
• Container scanning identifies vulnerabilities in OS and library packages
• Grype and Trivy both provide accurate, fast container CVE detection
• Trivy also detects secrets and misconfigurations
• Scanning should happen locally, in CI, and pre-deployment
• Use pinned versions, minimal images, and multi-stage builds to reduce vulnerabilities
• Practical exercises include Trivy and Grype scanning, SBOM scanning, CI enforcement, remote and tar scanning, nightly scans, Kubernetes scanning, and full container security architecture