Scanning Container Images for Flaws

Modern DevSecOps (The Hard Way)

Deep Image Inspection

Even a well-written Dockerfile can pull a base image with a vulnerability.

Tool: Trivy (again!)

trivy image myapp:v1.0

This scans the operating system packages inside the image (for example, a vulnerable OpenSSL build in an Ubuntu base image). Run as a CI step that fails on findings, it stops vulnerable images from ever being pushed to a registry.
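A CI gate built on the scan result, as an added example that is not part of the course material: it parses the JSON that `trivy image --format json` writes, lists every HIGH/CRITICAL package finding, and returns the exit code the pipeline should use before `docker push`. The report below is constructed for the example (placeholder CVE ids, versions and image name), and `ignore_unfixed` mirrors Trivy's `--ignore-unfixed` option so a base-image flaw with no distro patch yet does not block every build.

```python
import json
from typing import List

# Constructed sample shaped like (trimmed) `trivy image --format json` output;
# the CVE ids, package versions and image name are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:v1.0",
    "Results": [
        {"Target": "myapp:v1.0 (ubuntu 22.04)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "openssl",
              "InstalledVersion": "3.0.2-0ubuntu1", "Severity": "HIGH"},  # no fix yet
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libc6",
              "InstalledVersion": "2.35-0ubuntu3", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00003", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
              "Severity": "CRITICAL"}]},
        {"Target": "app/config", "Class": "config"},  # clean: no Vulnerabilities key
    ],
})

BLOCKING = {"HIGH", "CRITICAL"}  # severities that must not reach the registry


def findings(report_json: str) -> List[dict]:
    """Flatten every vulnerability in the report, tagging each with its target."""
    out = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:  # key absent when clean
            out.append({**vuln, "Target": result.get("Target", "?")})
    return out


def blocking_findings(report_json: str, ignore_unfixed: bool = False) -> List[dict]:
    """Findings that fail the gate. ignore_unfixed mirrors Trivy's --ignore-unfixed:
    a rebuild cannot remove a flaw the distro has not shipped a patch for yet."""
    return [v for v in findings(report_json)
            if v["Severity"] in BLOCKING
            and not (ignore_unfixed and not v.get("FixedVersion"))]


def gate(report_json: str, ignore_unfixed: bool = False) -> int:
    """Exit code for the CI step: 1 blocks the docker push, 0 lets it through."""
    bad = blocking_findings(report_json, ignore_unfixed)
    for v in bad:
        print(f"{v['Severity']:<8} {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v.get('FixedVersion', 'no fix')}")
    return 1 if bad else 0
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` flags give the same pass/fail verdict directly; parsing the JSON is what you need when the pipeline must also record which packages and targets failed.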