
Additionally, image scanning allows you to analyze the contents and creation process of a container image for vulnerabilities. Tools like Clair can scan for known vulnerabilities. Alternatively, you can use Dynamic Application Security Testing (DAST), which identifies security risks based on container behavior.
DAST tools can also perform host scanning, which checks the container host components (the kernel and host OS) for misconfiguration. While the measures above apply during the container's lifecycle, you can also adopt a "shift left" philosophy: build security in from the beginning of the development lifecycle, for example by scanning images in the build pipeline before they are ever deployed. A good tool for this approach is Trivy.
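The shift-left check described above, as an added example that is not code from the original article or from the Trivy project: a small CI gate in Python that reads a Trivy JSON report, fails the build on CRITICAL/HIGH findings that have a fix available, and tracks findings without a fix separately. The report layout follows Trivy's `trivy image -f json` output; the sample report, image name and CVE ids below are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report (`trivy image -f json`):
# an added illustration, not output from a real scan. The image name and the
# CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [
        {"Target": "registry.example.invalid/app:1.0 (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash", "Severity": "HIGH",
              "InstalledVersion": "5.2", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "LOW",
              "InstalledVersion": "1.2", "FixedVersion": "1.3"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "Severity": "HIGH",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0"}]},
    ],
})

BLOCKING = {"CRITICAL", "HIGH"}

def evaluate_report(report_json, blocking=BLOCKING):
    """Return (passed, summary) for one Trivy JSON report.

    Policy: the build fails when any blocking-severity finding has a fix
    available. Findings with no FixedVersion cannot be removed by a rebuild,
    so they are listed for tracking rather than treated as blockers."""
    report = json.loads(report_json)
    counts = Counter()
    must_fix, unfixed = [], []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev not in blocking:
                continue
            entry = f"{vuln['VulnerabilityID']} {vuln['PkgName']} {vuln['InstalledVersion']}"
            if vuln.get("FixedVersion"):
                must_fix.append(f"{entry} -> {vuln['FixedVersion']} [{result['Target']}]")
            else:
                unfixed.append(entry)
    return not must_fix, {"counts": dict(counts), "must_fix": must_fix, "unfixed": unfixed}
```

In a pipeline, feed the real report file to `evaluate_report` and exit non-zero when `passed` is false; the `unfixed` list is what you would hand to the team that owns the base image.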
Protecting Container Registries
Container registries are an efficient, centralized way to store and distribute images. Organizations often store thousands of images in public or private registries. Several measures can be taken to ensure that all team members and employees are using images without vulnerabilities. First, implementing user access controls (for private registries) determines who can publish and access images.