Image Audit

Building a container image from a Dockerfile does not mean that image is safe to run. The packages inside it may have known vulnerabilities. Image audit is the practice of inspecting a built image to find those problems before deployment.
What a CVE is
CVE stands for Common Vulnerabilities and Exposures. It is a public identifier assigned to a specific security bug in a specific piece of software. For example, a CVE might describe a memory corruption bug in a version of OpenSSL. Each CVE gets a severity score so teams can prioritise which ones to fix first.
Container images are typically built from a base OS layer plus language runtimes and libraries. All of those packages are versioned. Vulnerability databases track which versions of which packages have CVEs.
How image scanners work
An image scanner reads the package metadata baked into the image layers. It then compares those package names and versions against a vulnerability database. If libssl 1.1.0 is in the image and there is a CVE for libssl 1.1.0, the scanner reports it.
The scanner does not run the application. It does not know whether the vulnerable code path is actually reachable in your specific usage. That triage is still a human task. The scanner tells you what is present.
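The matching step described above, reduced to its essentials as an added example (not Trivy's code). The inventory and advisory database are constructed samples with placeholder identifiers (EXAMPLE-000x, not real CVEs); a real scanner reads the same name/version pairs out of the dpkg, apk or rpm databases and language lockfiles in the image layers, and pulls advisories from feeds such as NVD and the distribution security trackers. It also shows the one detail that toy matchers usually get wrong: versions must be compared numerically per component, because as text "1.10.2" sorts before "1.9.0".

```python
"""Toy version of the matching step an image scanner performs.

Added example, not Trivy's code. IMAGE_INVENTORY and ADVISORY_DB are
constructed samples with placeholder identifiers (EXAMPLE-000x).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder, stands in for a CVE identifier
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.10.2' into ((1,''),(10,''),(2,'')) so comparison is numeric.

    Plain string comparison gets this wrong ('1.10.2' < '1.9.0' as text),
    which would hide a vulnerable package or report a fixed one. A trailing
    letter ('1.1.1n') sorts after the bare number. Components without digits
    get a -1 prefix so every element has the same shape and never raises.
    """
    parts = []
    for component in re.split(r"[.\-+~]", version):
        match = re.match(r"(\d+)(.*)", component)
        if match:
            parts.append((int(match.group(1)), match.group(2)))
        else:
            parts.append((-1, component))
    return tuple(parts)


def is_affected(installed: str, advisory: Advisory) -> bool:
    """introduced <= installed < fixed (or no fix exists yet)."""
    current = parse_version(installed)
    if current < parse_version(advisory.introduced):
        return False
    if advisory.fixed is not None and current >= parse_version(advisory.fixed):
        return False
    return True


def scan(inventory: Dict[str, str], database: List[Advisory]) -> List[dict]:
    """Report every advisory whose package is present at an affected version.

    This confirms the vulnerable version is installed; it says nothing about
    whether the application ever reaches the affected code.
    """
    findings = []
    for advisory in database:
        installed = inventory.get(advisory.package)
        if installed is None:
            continue                      # package not in the image at all
        if is_affected(installed, advisory):
            findings.append({
                "advisory_id": advisory.advisory_id,
                "package": advisory.package,
                "installed": installed,
                "fixed": advisory.fixed,
                "severity": advisory.severity,
            })
    return findings


# Constructed inventory: what a scanner would extract from the image layers.
IMAGE_INVENTORY = {
    "libssl": "1.1.0",
    "zlib": "1.2.13",
    "curl": "7.88.1",
}

# Constructed advisory database with placeholder identifiers.
ADVISORY_DB = [
    Advisory("EXAMPLE-0001", "libssl", "1.1.0", "1.1.1", "CRITICAL"),  # present, affected
    Advisory("EXAMPLE-0002", "zlib", "1.2.0", "1.2.12", "HIGH"),       # 1.2.13 >= fix: clean
    Advisory("EXAMPLE-0003", "curl", "7.10.0", "7.88.1", "MEDIUM"),    # installed == fix: clean
    Advisory("EXAMPLE-0004", "curl", "7.80.0", None, "LOW"),           # no fix released yet
    Advisory("EXAMPLE-0005", "openssh", "8.0", "9.6", "HIGH"),         # package not present
]


if __name__ == "__main__":
    for finding in scan(IMAGE_INVENTORY, ADVISORY_DB):
        print(f"{finding['severity']:<8} {finding['advisory_id']} "
              f"{finding['package']} {finding['installed']} -> fix {finding['fixed']}")
```

Running it reports EXAMPLE-0001 (libssl 1.1.0, exactly the case in the text) and EXAMPLE-0004 (curl with no fix yet); zlib is clean only because 13 is compared as a number against 12, and the openssh advisory is skipped because the package is not in the image.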
```mermaid
flowchart LR
    IMG["Container Image"] --> PKG["Package metadata (name + version per layer)"]
    PKG --> TRV["Trivy"]
    DB[("CVE Database")] --> TRV
    TRV --> RPT["Report (CRITICAL / HIGH / MEDIUM / LOW)"]
```
What scanners do not catch
Scanners miss vulnerabilities that have not yet been publicly disclosed. They miss custom binaries that do not have package metadata. They do not catch design flaws, authentication weaknesses, or missing network controls. Scanning is one layer of a broader security approach, not a complete answer on its own.
Trivy
Trivy is an open source scanner from Aqua Security. It scans images for OS package CVEs, language package CVEs (pip, npm, gem, and others), misconfigurations, and secrets. It is widely used in CI pipelines and easy to run locally. The lab in this section installs Trivy and scans both a public image and one you build yourself.
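In a pipeline the usual gate is Trivy's own flags (`trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed image:tag`). The added example below, which is not part of Trivy or of the lab, shows what that gate does by applying the same rules to a report saved with `trivy image --format json`: it reads the top-level `Results` list and each result's `Vulnerabilities` entries (`VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), counts findings per severity, and lists the ones that should block. `SAMPLE_REPORT` is a constructed report with placeholder identifiers (EXAMPLE-CVE-000x), not scanner output for any real image; the third result mimics a misconfiguration result, which carries no `Vulnerabilities` key at all.

```python
"""Triage a Trivy JSON report and decide whether a CI stage should fail.

Added example, not part of Trivy or of the lab. SAMPLE_REPORT is a
constructed report in Trivy's JSON shape with placeholder identifiers.
"""
import json
import sys
from typing import Dict, Iterator, List, Tuple

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_rank(severity: str) -> int:
    """Map a severity label to a comparable rank; unfamiliar labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_vulnerabilities(report: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (target, vulnerability) pairs across all results.

    A result with no findings may omit "Vulnerabilities" or set it to null,
    and misconfiguration/secret results never carry it, hence `or []`.
    """
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarise(report: dict) -> Dict[str, int]:
    """Count findings per severity, always returning every known level."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for _, vuln in iter_vulnerabilities(report):
        level = vuln.get("Severity", "UNKNOWN")
        counts[level if level in counts else "UNKNOWN"] += 1
    return counts


def blocking_findings(report: dict, threshold: str = "HIGH",
                      ignore_unfixed: bool = False) -> List[dict]:
    """Findings at or above `threshold`, optionally dropping those with no fix.

    Dropping unfixed findings mirrors --ignore-unfixed: no upgrade exists
    yet, so they are tracked rather than allowed to block the build.
    """
    selected = []
    for target, vuln in iter_vulnerabilities(report):
        if severity_rank(vuln.get("Severity", "UNKNOWN")) < severity_rank(threshold):
            continue
        fixed = vuln.get("FixedVersion", "")
        if ignore_unfixed and not fixed:
            continue
        selected.append({
            "id": vuln["VulnerabilityID"],
            "target": target,
            "package": vuln.get("PkgName"),
            "installed": vuln.get("InstalledVersion"),
            "fixed": fixed or None,
            "severity": vuln.get("Severity"),
        })
    return selected


def should_fail(report: dict, threshold: str = "HIGH", ignore_unfixed: bool = False) -> bool:
    """CI gate: fail when any blocking finding remains."""
    return bool(blocking_findings(report, threshold, ignore_unfixed))


# Constructed report in Trivy's JSON shape; identifiers are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-CVE-0001", "PkgName": "libssl",
              "InstalledVersion": "1.1.0", "FixedVersion": "1.1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-CVE-0002", "PkgName": "curl",
              "InstalledVersion": "7.88.1", "FixedVersion": "7.88.2", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-CVE-0003", "PkgName": "zlib1g",
              "InstalledVersion": "1.2.13", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-CVE-0004", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "LOW"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},  # no Vulnerabilities key
    ],
}


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarise(report))
    for f in blocking_findings(report):
        print(f"{f['severity']:<8} {f['id']} {f['package']} {f['installed']} -> {f['fixed']}")
    sys.exit(1 if should_fail(report) else 0)
```

With the sample report the default HIGH gate fails on two findings; lowering the threshold to MEDIUM adds the zlib1g entry unless `ignore_unfixed` is set, which is exactly the trade-off the `--ignore-unfixed` flag makes. The severity ranking is the prioritisation step from the CVE section: the score tells you what to fix first, and the fixed-version field tells you whether fixing it is even possible yet.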