Should you scan your container images for vulnerabilities? If that question has crossed your mind, or worse, if it never came up in your discussions about securing containerized applications in production, look at the vulnerability report that the Layered Insight container scanning service generated for the 20 most pulled images on Docker Hub.

Scanning container images, that is, knowing what is in an image and checking its components against known security vulnerabilities, is the first and a very important step towards reducing the risk of compromise for containerized applications. A key principle in security is that visibility comes first: what you can't see, you can't control.

Then comes control: the ability to automatically stop images with known serious security vulnerabilities, or with unapproved packages, from running in critical environments (staging, production, etc.).

End-to-end automated CI/CD pipelines make it very easy for a container image with vulnerabilities, or with libraries and packages that enterprise policy has not approved (because a particular open source package has not gone through code review, or because of its license), to reach production. A container image scanning and compliance solution that integrates easily with existing CI/CD workflows is therefore essential for identifying and blacklisting images that violate enterprise security and compliance policies. Such a solution must also integrate with the container lifecycle management and orchestration layer (such as Kubernetes) or a container PaaS (such as Red Hat OpenShift) so that blacklisted images are automatically prevented from being deployed to production. Those decisions should be keyed to the image digest rather than to a mutable tag, so that an image re-pushed under the same tag cannot inherit an earlier approval.

Since new vulnerabilities are discovered continuously, the scanning and compliance solution must also automatically report which images are affected whenever a new vulnerability is announced, rather than only at build time.
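To make the two requirements above concrete, the policy gate for the CI/CD and orchestration integration and the "which images are affected?" check when a new vulnerability is announced, here is an added example in Python. It is not Layered Insight code and does not use the scanning service's report format; the image names, digests, package names, versions, CVE identifiers and the advisory are constructed placeholders for illustration. The gate keys its decision to the image digest and fails on any finding at or above a severity threshold or on any denied package; the advisory check reuses the stored package inventory of each image instead of rescanning it.

```python
"""Added example (not Layered Insight code): a minimal image policy gate plus
an advisory-impact lookup over stored package inventories. All image names,
digests, packages, versions, CVE ids and the advisory are constructed."""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    severity: str


@dataclass
class ImageReport:
    image: str      # constructed name, e.g. "registry.example.com/app:1.4.2"
    digest: str     # decisions are keyed to the digest, not the mutable tag
    packages: dict  # package inventory: name -> installed version
    findings: list  # known vulnerabilities matched against the inventory


@dataclass
class Policy:
    block_at_or_above: str = "HIGH"           # minimum severity that fails the gate
    denied_packages: frozenset = frozenset()  # e.g. packages whose license is not approved


def evaluate(report, policy):
    """Return (allowed, reasons). Any reason blocks deployment of this digest."""
    reasons = []
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    for f in report.findings:
        if SEVERITY_RANK.get(f.severity.upper(), 0) >= threshold:
            reasons.append(f"{f.cve} ({f.severity}) in {f.package} {f.version}")
    for name in sorted(report.packages):
        if name in policy.denied_packages:
            reasons.append(f"denied package {name}")
    return (not reasons, reasons)


def _version_key(v):
    """Split each dotted component into (numeric prefix, suffix) so that
    "1.1.1j" < "1.1.1k" and "1.2.9" < "1.2.11". Sufficient for this example;
    distro version schemes (epochs, '~' pre-releases) need a real comparator."""
    key = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        key.append((int(piece[:i] or 0), piece[i:]))
    return tuple(key)


def images_affected_by(advisory, reports):
    """Given a newly announced advisory {cve, package, fixed_in}, return the
    images whose stored inventory has the package below the fixed version."""
    hits = []
    for r in reports:
        installed = r.packages.get(advisory["package"])
        if installed is not None and _version_key(installed) < _version_key(advisory["fixed_in"]):
            hits.append(r.image)
    return hits


# Constructed sample reports (not real scan output).
APP = ImageReport(
    image="registry.example.com/app:1.4.2",
    digest="sha256:constructed-digest-app",
    packages={"alpha-tls": "1.1.1j", "beta-http": "7.74.0", "gpl-only-tool": "0.9"},
    findings=[Finding("alpha-tls", "1.1.1j", "CVE-0000-0001", "CRITICAL"),
              Finding("beta-http", "7.74.0", "CVE-0000-0002", "LOW")],
)
WORKER = ImageReport(
    image="registry.example.com/worker:2.0.0",
    digest="sha256:constructed-digest-worker",
    packages={"alpha-tls": "1.1.1k", "beta-http": "7.74.0"},
    findings=[Finding("beta-http", "7.74.0", "CVE-0000-0002", "LOW")],
)
PRODUCTION_POLICY = Policy(block_at_or_above="HIGH", denied_packages=frozenset({"gpl-only-tool"}))

# Constructed advisory announced after the images were scanned.
NEW_ADVISORY = {"cve": "CVE-0000-0003", "package": "alpha-tls", "fixed_in": "1.1.1k"}


if __name__ == "__main__":
    for report in (APP, WORKER):
        allowed, reasons = evaluate(report, PRODUCTION_POLICY)
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict} {report.image} ({report.digest})")
        for reason in reasons:
            print(f"  - {reason}")
    print(f"{NEW_ADVISORY['cve']} affects: {images_affected_by(NEW_ADVISORY, [APP, WORKER])}")
```

In a pipeline the gate runs after the build step and fails the job on BLOCK; at the orchestration layer the same function backs an admission check that looks up the digest the cluster is about to pull. The advisory lookup is what lets the solution report affected images the moment a vulnerability is announced, without waiting for each image to be rebuilt and rescanned.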

The compliance part of the solution has many aspects, some specific to the regulated domains in which some enterprises operate; I will cover those in my next post.

At Layered Insight, we have built such a scanning and compliance solution, which gives enterprises complete and automatic visibility and control over container images. Please give it a try at https://scan.layeredinsight.com and send us your feedback.