100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

How Does Container Image Vulnerability Scanning Work?

Learn how container image vulnerability scanning finds known CVEs, generates an SBOM, and gates CI/CD pipelines before deployment.

mediumQ137 of 224 in DevOps Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

Container image vulnerability scanning inspects every layer of a built image โ€” the OS packages, language dependencies, and binaries โ€” against databases of known CVEs (Common Vulnerabilities and Exposures) to flag outdated or insecure components before the image is deployed.

A scanner unpacks each image layer and builds a software bill of materials (SBOM), enumerating every package and its exact version, then cross-references that list against vulnerability feeds like the National Vulnerability Database or vendor-specific advisories, assigning each match a severity score (typically CVSS). Scanning should happen at multiple points: locally during development for fast feedback, in CI on every build so vulnerable images never merge, and continuously in the registry, since new CVEs are disclosed daily against packages that were already scanned as clean. Pipelines are usually configured to fail the build if a critical or high-severity vulnerability with an available fix is found, while lower-severity or unfixable findings may be tracked rather than blocking. Because base images accumulate transitive dependencies, using minimal or distroless base images and pinning specific package versions both reduces the scan surface and makes remediation (bumping a version) far simpler than patching a bloated general-purpose image.

  • Catches known vulnerabilities before they reach production
  • Produces an SBOM for audit and compliance requirements
  • Enables automated build-blocking on critical findings
  • Shrinks attack surface by encouraging minimal base images

AI Mentor Explanation

Image vulnerability scanning is like a team physio checking every piece of a player's equipment bag against a known list of recalled or defective gear before a tour begins. Each item โ€” bat, helmet, pads โ€” is checked against the manufacturer's recall bulletin, and anything flagged as dangerous gets replaced before the flight leaves. New recall notices come out constantly, so gear that passed inspection last month might now be flagged, requiring a re-check before the next tour. A player carrying an old, unpatched helmet model is exactly like an image carrying an outdated, vulnerable package.

Step-by-Step Explanation

  1. Step 1

    Build the image and generate an SBOM

    Unpack image layers to enumerate every OS package and language dependency with exact versions.

  2. Step 2

    Cross-reference vulnerability feeds

    Match each package version against CVE databases and assign severity scores (CVSS).

  3. Step 3

    Gate the pipeline

    Fail the CI build automatically on critical/high findings with an available fix; track lower-severity ones.

  4. Step 4

    Rescan continuously

    Re-scan images already in the registry, since new CVEs are disclosed after the original scan passed.

What Interviewer Expects

  • Understanding of how scanners compare package versions to CVE databases
  • Awareness that scanning must happen continuously, not just once at build time
  • Knowledge of SBOM as an artifact used for both security and compliance
  • Ability to explain why minimal base images reduce scan surface

Common Mistakes

  • Scanning once at build time and never rescanning a deployed image
  • Ignoring low-severity findings that later chain into a critical exploit
  • Using bloated general-purpose base images with many unused packages
  • Not blocking the pipeline automatically on critical, fixable vulnerabilities

Best Answer (HR Friendly)

โ€œImage scanning automatically checks every package inside our container images against databases of known security vulnerabilities, so we can catch and fix outdated or risky dependencies before they ever reach production. We run these scans on every build and continue scanning images already in our registry, since new vulnerabilities are discovered every day.โ€

Code Example

Scanning an image with Trivy and failing on critical CVEs
# Build the image
docker build -t myapp:1.0 .

# Scan for vulnerabilities, fail the build on critical/high with a fix available
trivy image --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 myapp:1.0

# Generate a software bill of materials for compliance
trivy image --format cyclonedx --output sbom.json myapp:1.0

Follow-up Questions

  • What is an SBOM and why is it required for compliance?
  • How would you handle a critical CVE with no available patch yet?
  • Why should base images be scanned again after they are already in the registry?
  • How does CVSS severity scoring influence pipeline gating decisions?

MCQ Practice

1. What does a container image vulnerability scanner primarily compare against a CVE database?

Scanners enumerate every package version in the image and cross-reference it against known CVE databases.

2. Why must images already sitting in a registry be rescanned periodically?

A package can be clean today and have a new CVE disclosed against it tomorrow, so continuous rescanning is necessary.

3. What is a common CI pipeline policy for vulnerability findings?

Most pipelines gate on critical/high, fixable vulnerabilities while tracking lower-severity or unfixable findings for later remediation.

Flash Cards

What does image scanning produce as an artifact? โ€” A software bill of materials (SBOM) listing every package and version.

What database do scanners check package versions against? โ€” Known CVE feeds such as the National Vulnerability Database.

Why rescan images already in the registry? โ€” New CVEs are disclosed daily against packages previously considered clean.

Why prefer minimal/distroless base images? โ€” Fewer packages means smaller scan surface and easier remediation.

1 / 4

Continue Learning