Image Scanning

Assessment

Container images often contain vulnerable packages, hardcoded secrets, and misconfigurations. Scanning images before and after deployment is critical.

Vulnerability Scanning

image-scanning.sh
bash
# Trivy - Comprehensive scanner
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL myapp:1.0

# Scan for secrets in images
trivy image --scanners secret myapp:1.0

# Grype - Anchore's scanner
grype myapp:1.0

# Clair - API-based scanner
clairctl analyze myapp:1.0

# Snyk Container
snyk container test myapp:1.0

# Docker Scout (Docker Desktop)
docker scout cves myapp:1.0

Manual Image Analysis

image-analysis.sh
bash
# Export image filesystem into its own directory
docker save myapp:1.0 -o image.tar
mkdir image && tar -xf image.tar -C image

# Examine layers for sensitive files (newer docker save writes the OCI
# layout, where layers live under blobs/sha256/ instead of */layer.tar)
for layer in image/*/layer.tar image/blobs/sha256/*; do
  [ -f "$layer" ] || continue
  tar -tf "$layer" 2>/dev/null | grep -E "passwd|shadow|key|\.env|config"
done

# Dive - Interactive layer explorer
dive myapp:1.0

# Check Dockerfile history (build steps, including ARG/ENV values baked in)
docker history myapp:1.0 --no-trunc

# Look for secrets in environment
docker inspect myapp:1.0 | jq '.[0].Config.Env'

# Check for setuid binaries
docker run --rm myapp:1.0 find / -type f -perm -4000 2>/dev/null
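As an added example (not code from the original page), the layer check above written as a reusable script: it handles both the legacy and OCI export layouts and attributes each hit to the layer that introduced it, so the finding can be matched against `docker history`. The image it scans is a constructed fixture, and the file-name patterns are an assumed starting list to tune per image.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): list every layer of an exported
# image that contains credential-bearing files, so a finding can be traced to
# the Dockerfile step that introduced it. Handles the legacy "*/layer.tar"
# layout and the OCI layout ("blobs/sha256/<digest>") newer docker save emits.
set -euo pipefail

# Assumed triage list. Anchored to path components so ".env" cannot match
# "env.d" or "environment"; public .pem certs will also show up, tune as needed.
SENSITIVE_RE='(^|/)(etc/(passwd|shadow)|\.env|id_(rsa|ed25519)|[^/]*\.(pem|key|p12)|\.aws/credentials|\.docker/config\.json|\.npmrc|\.git-credentials)$'

# scan_layers <extracted-image-dir>
# Prints "<layer>\t<path>" per hit, one line each; prints nothing if clean.
scan_layers() {
  local root="$1" layer matches
  for layer in "$root"/*/layer.tar "$root"/blobs/sha256/*; do
    [ -f "$layer" ] || continue
    # Non-tar blobs (manifest, image config JSON) make tar fail; treat as no hits.
    matches=$(tar -tf "$layer" 2>/dev/null | grep -E "$SENSITIVE_RE" || true)
    [ -n "$matches" ] || continue
    printf '%s\n' "$matches" |
      awk -v l="$(basename "$(dirname "$layer")")/$(basename "$layer")" '{ print l "\t" $0 }'
  done
}

# build_sample_image <dir>: constructed fixture, not a real image. Layer 1
# holds only a binary; layer 2 ships /etc/shadow and an application .env file.
build_sample_image() {
  local dir="$1" w
  w=$(mktemp -d)
  mkdir -p "$w/usr/bin" "$w/etc" "$w/app" "$dir/layer1" "$dir/layer2"
  : > "$w/usr/bin/app"
  tar -cf "$dir/layer1/layer.tar" -C "$w" usr
  : > "$w/etc/shadow"
  printf 'DB_PASSWORD=example-only\n' > "$w/app/.env"
  tar -cf "$dir/layer2/layer.tar" -C "$w" etc app
  rm -rf "$w"
}

# Real image: docker save myapp:1.0 -o image.tar; mkdir img; tar -xf image.tar -C img; scan_layers img
demo_dir=$(mktemp -d)
build_sample_image "$demo_dir"
scan_layers "$demo_dir"     # two hits, both attributed to layer2/layer.tar
rm -rf "$demo_dir"
```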