What Is Image Scanning? Finding Vulnerabilities Before You Ship
Image scanning analyzes the contents of a container image against vulnerability databases to catch known CVEs before the image reaches production.
An image is only as safe as the packages it contains, and those packages accumulate known vulnerabilities over time. Image scanning automates the check: it inventories what is in an image and compares it against feeds of disclosed vulnerabilities, flagging anything that needs attention.
What a scanner looks at
A scanner builds a software bill of materials - every OS package and language dependency in the image - then matches each against vulnerability databases like the NVD and distro advisories. Many also detect leaked secrets and risky misconfigurations.
Severity and policy
Findings are graded (low to critical). A common CI policy is to fail the build on fixable high or critical vulnerabilities while allowing lower-severity or unfixable ones to pass with a warning.
Common tools
- Trivy - popular, fast, open source.
- Grype - Anchore’s scanner, pairs with the Syft SBOM tool.
- Snyk and registry-native scanners (ECR, GHCR) for integrated workflows.
A typical gate
In CI you might run trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:ci. A non-zero exit fails the job, blocking a vulnerable image from being promoted or deployed.
Scanning in the pipeline
Scan after building and before pushing or deploying, so a vulnerable image never ships. Scans can be slow on large images; the smaller you keep your images (distroless, multi-stage), the faster and cleaner the scan.
Key takeaways
- Scanning matches an image’s packages against known-vulnerability databases.
- Gate CI on fixable high and critical findings to block risky images.
- Smaller images scan faster and tend to have fewer findings.