Best Practices for Docker Image Security Scanning

Implement these best practices for effective vulnerability management:

```bash
# 1. Scan during build: fail the build on any CRITICAL finding
docker build -t myapp:latest . && \
trivy image --exit-code 1 --severity CRITICAL myapp:latest
```

```bash
# 2. Use .trivyignore for accepted risks
cat << 'EOF' > .trivyignore
# Accept risk for development tools
CVE-2021-12345

# Temporary ignore until next release (Trivy reports it again after this date)
CVE-2023-54321 exp:2024-01-01
EOF
```

```bash
#!/bin/bash
# 3. Create security gates
set -euo pipefail
MAX_CRITICAL=0
MAX_HIGH=5

# Scan once and reuse the report. Trivy omits the Vulnerabilities key for a
# clean target, so guard it with `// []` or jq aborts with "Cannot iterate over null".
trivy image --format json --output report.json myapp:latest
CRITICAL=$(jq '[.Results // [] | .[] | .Vulnerabilities // [] | .[] | select(.Severity=="CRITICAL")] | length' report.json)
HIGH=$(jq '[.Results // [] | .[] | .Vulnerabilities // [] | .[] | select(.Severity=="HIGH")] | length' report.json)

if [ "$CRITICAL" -gt "$MAX_CRITICAL" ] || [ "$HIGH" -gt "$MAX_HIGH" ]; then
    echo "Security gate failed: Critical=$CRITICAL (max=$MAX_CRITICAL), High=$HIGH (max=$MAX_HIGH)"
    exit 1
fi
```

```bash
# 4. Generate and store scan attestations
trivy image --format cosign-vuln --output attestation.json myapp:latest
# Attest with the vuln predicate type; in practice reference the image by its
# immutable digest (myapp@sha256:<digest>) rather than a mutable tag.
cosign attest --key cosign.key --type vuln --predicate attestation.json myapp:latest
```

Docker image vulnerability scanning forms the cornerstone of container security. By implementing comprehensive scanning workflows using tools like Trivy and Snyk, you can identify and remediate vulnerabilities before they reach production. The next chapter explores how to extend these practices to Kubernetes environments.

## Kubernetes Security Scanning Best Practices

Kubernetes environments present unique security challenges that extend beyond individual container images. While container scanning remains crucial, Kubernetes introduces additional attack surfaces through its orchestration layer, including pods, deployments, services, and cluster configurations. This chapter explores comprehensive security scanning strategies for Kubernetes, demonstrating how to implement defense-in-depth using both Trivy and Snyk to protect your cloud-native infrastructure.