Theory: Image CVE scanners
CVE-oriented scanners match the packages identified in an image's layer stack against vulnerability databases. They support inventory and regression detection between builds. They do not prove that an application is safe at runtime or that its design is sound.
Strengths
- Fast feedback on published CVEs for OS and language packages present in the image.
- Comparable output across builds when integrated in CI.
- Some tools add misconfiguration or secret heuristics for common mistakes.
Limits
- Unknown vulnerabilities are invisible until they are cataloged.
- A true positive (the vulnerable package version really is present) does not mean the issue is exploitable in your context. Triage still needs owners.
- False negatives happen when package metadata is stripped, when custom or statically linked binaries carry no metadata, or when the database lags behind disclosure.
- Policy and architecture flaws (weak auth design, missing network policy) are mostly out of scope for image CVE tools.
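The matching step and two of the limits above, as an added toy example (not code from any real scanner): a constructed vulnerability database, a constructed layer stack, a simplistic version comparator, and a regression check between builds. Package names, versions and CVE ids are placeholders.

```python
"""Toy image-CVE matcher: package inventory vs. vulnerability database.
Added example with constructed data; CVE ids are placeholders, not real records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: str


def parse_version(v: str) -> tuple:
    # Assumption of this example: dotted numeric versions. Real scanners use
    # distro-specific comparators (dpkg, rpm, semver), which is one source of errors.
    return tuple(int(p) for p in v.split("."))


# Constructed database: package -> [(cve, first fixed version)].
VULN_DB = {
    "openssl": [("CVE-0000-0001", "3.0.8")],
    "zlib": [("CVE-0000-0002", "1.2.13")],
}


def inventory_from_layers(layers):
    """Merge package metadata layer by layer; a later layer that upgrades a
    package overrides the earlier version, mirroring how an image is assembled."""
    inventory = {}
    for layer in layers:
        inventory.update(layer)
    return inventory


def scan(inventory):
    """Report every (package, cve) pair whose installed version is below the fix.
    Anything absent from the inventory (stripped metadata, a static binary with a
    bundled library) is never examined: that is the false-negative case."""
    findings = []
    for name, version in inventory.items():
        for cve, fixed in VULN_DB.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding(cve, name, version, fixed))
    return findings


def regression(previous, current):
    """Findings new since the last build, the set a CI gate should flag."""
    return sorted(set(current) - set(previous), key=lambda f: f.cve)


# Constructed image: base layer, then a layer that upgrades zlib only.
LAYERS = [{"openssl": "3.0.7", "zlib": "1.2.11"}, {"zlib": "1.2.13"}]
```

Running `scan(inventory_from_layers(LAYERS))` flags only the openssl placeholder CVE, because the later layer's zlib upgrade overrides the vulnerable base version; a binary with no package metadata never reaches `scan` at all.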
Operational use
Pair scanning with pinned base images, minimal images, SBOM export where your compliance program requires it, and runtime controls. The next exercise uses one open source scanner end to end.
Next: Lab: Trivy image scan.