Skip to content
Latchkey

What Is Image Scanning? Finding Vulnerabilities Before You Ship

Image scanning analyzes the contents of a container image against vulnerability databases to catch known CVEs before the image reaches production.

An image is only as safe as the packages it contains, and those packages accumulate known vulnerabilities over time. Image scanning automates the check: it inventories what is in an image and compares it against feeds of disclosed vulnerabilities, flagging anything that needs attention.

What a scanner looks at

A scanner builds a software bill of materials - every OS package and language dependency in the image - then matches each against vulnerability databases like the NVD and distro advisories. Many also detect leaked secrets and risky misconfigurations.

Severity and policy

Findings are graded (low to critical). A common CI policy is to fail the build on fixable high or critical vulnerabilities while allowing lower-severity or unfixable ones to pass with a warning.

Common tools

  • Trivy - popular, fast, open source.
  • Grype - Anchore’s scanner, pairs with the Syft SBOM tool.
  • Snyk and registry-native scanners (ECR, GHCR) for integrated workflows.

A typical gate

In CI you might run trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:ci. A non-zero exit fails the job, blocking a vulnerable image from being promoted or deployed.

Scanning in the pipeline

Scan after building and before pushing or deploying, so a vulnerable image never ships. Scans can be slow on large images; the smaller you keep your images (distroless, multi-stage), the faster and cleaner the scan.

Key takeaways

  • Scanning matches an image’s packages against known-vulnerability databases.
  • Gate CI on fixable high and critical findings to block risky images.
  • Smaller images scan faster and tend to have fewer findings.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →