Day 48 of 60 · Data, ML & infrastructure
Container image scanning
Dependency scanning sees your manifest. Image scanning sees what's actually inside. The gap is where the unpatched base image hides.
Problem
A vulnerable base image silently ships everywhere a service deploys.
How it works
Scan built images for known CVEs in OS packages and language runtimes; gate the deploy on policy thresholds. Distinct from dependency scanning of source manifests.
What it catches
Vulnerable base images, exposed binaries, drift between manifest dependencies and what's actually inside the image.
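The two steps above ("scan the built image, gate the deploy on a policy threshold" and "catch drift between the manifest and what is actually inside the image") as one worked example. This is added code, not from the page or from any of the tools it lists: a small Python policy gate that reads a scan report laid out like Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), fails at a severity threshold, and diffs the declared manifest against the image's package inventory. The embedded report, manifest, package inventory, image name and CVE ids are constructed placeholders; the package inventory is assumed to come from the scanner's package listing or an SBOM.

```python
"""Policy gate over a container-image scan report (added example, not page code).

Report layout follows Trivy's JSON output; the sample data and CVE ids below are
constructed placeholders, not real advisories.
"""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in Trivy's JSON layout (image name and CVE ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.internal/svc:1.4.2",
    "Results": [
        {"Target": "example.internal/svc:1.4.2 (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
              "InstalledVersion": "1:1.2.13", "FixedVersion": "", "Severity": "HIGH"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
              "InstalledVersion": "2.25.1", "FixedVersion": "2.31.0", "Severity": "MEDIUM"},
         ]},
    ],
})

# Constructed manifest, i.e. what a dependency scanner sees (name -> declared version).
SAMPLE_MANIFEST = {"requests": "2.31.0", "urllib3": "2.0.7"}

# Constructed inventory of what the built image actually contains for the same ecosystem
# (assumed to come from the scanner's package listing or an SBOM in a real pipeline).
SAMPLE_IMAGE_PACKAGES = {"requests": "2.25.1", "urllib3": "2.0.7", "certifi": "2023.7.22"}


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list of normalised findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "class": result.get("Class", ""),
            })
    return findings


def evaluate_policy(findings, fail_at="HIGH", ignore_unfixed=True):
    """Return (passed, blocking_findings) for a severity-threshold policy.

    A finding blocks when its severity is at or above fail_at. With ignore_unfixed,
    findings that have no FixedVersion are still reported but do not block, which is
    the usual CI choice because nothing can be done about them in this build.
    """
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], 0) >= threshold
                and (f["fixed"] or not ignore_unfixed)]
    return len(blocking) == 0, blocking


def severity_counts(findings):
    """Count findings per severity for the PR summary."""
    return dict(Counter(f["severity"] for f in findings))


def manifest_drift(manifest, image_packages):
    """Compare declared versions with what is inside the image.

    mismatched: declared in the manifest but a different version shipped in the image.
    undeclared: present in the image but absent from the manifest (base-image or
    transitive packages a manifest-only scan never sees).
    """
    mismatched = {name: (declared, image_packages[name])
                  for name, declared in manifest.items()
                  if name in image_packages and image_packages[name] != declared}
    undeclared = sorted(set(image_packages) - set(manifest))
    return {"mismatched": mismatched, "undeclared": undeclared}


def gate(report_json, manifest, image_packages, fail_at="HIGH", ignore_unfixed=True):
    """Full PR gate: policy verdict plus drift report, as one JSON-serialisable dict."""
    findings = load_findings(report_json)
    passed, blocking = evaluate_policy(findings, fail_at, ignore_unfixed)
    return {
        "passed": passed,
        "blocking": [f["id"] for f in blocking],
        "counts": severity_counts(findings),
        "drift": manifest_drift(manifest, image_packages),
    }


if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORT, SAMPLE_MANIFEST, SAMPLE_IMAGE_PACKAGES)
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["passed"] else 1)   # non-zero exit blocks the merge
```

In a pipeline the report would come from `trivy image --format json --output report.json IMAGE` and the gate's exit status decides the merge; Trivy can also enforce the same threshold itself with `--severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed`. Keeping the policy in a separate step makes the threshold and the unfixed-finding choice explicit and reviewable, and lets the drift check run against the same report.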
Tools
- Trivy · OSS
- Grype · OSS
- Docker Scout · Hybrid
- Snyk Container · SaaS
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Optional |
| Medium | Recommended |
| Large | Must |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 2h | 0.5h | $0 | +1m |
| Medium 10–100k LOC | 1d | 2h | $0 | +2m |
| Large 100k–1M LOC | 3d | 8h | $200 | +5m |
| Extra-large >1M LOC | 10d | 25h | $2k | +10m |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build · Operate
Per pull request · Runs in CI on every PR; gates merge.
Who owns it
Data Engineer
Pipelines, schemas, lineage
Collaborates with: SRE / DevOps / Platform, Security / AppSec
Reference implementations
- Trivy documentation: container image vulnerability scanning and policy examples.
- Grype: container and filesystem vulnerability scanner that pairs well with Syft SBOMs.
- Docker Scout docs: container-image vulnerability and supply-chain analysis workflow.
Quick check
Container image scanning is *distinct* from dependency vulnerability scanning because it…