# Container / image scanning

Evidence that container images destined for production are scanned for CVEs before they ship, and that the deploy blocks on critical findings.

## Evidence to keep here

  1. Scanner config — Trivy / Grype config in CI, or Artifact Registry / ECR scan settings.
  2. CI integration — the pipeline step that runs the scan and gates the deploy.
  3. Recent scan results — last 30 deploys' scan outcomes.
  4. Exception process — documented procedure for shipping despite a critical CVE (must be rare and require approval).

## How to gather it

### Trivy (open source, CI-friendly)

CI step example:

```yaml
- name: Scan image with Trivy
  uses: aquasecurity/trivy-action@<pinned-sha>
  with:
    image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: CRITICAL,HIGH
    exit-code: 1 # Fail the build on findings
```

Save a sample scan output (sanitized) as trivy-sample-output-2026-05-15.sarif.

### AWS — ECR scan

```bash
aws ecr describe-image-scan-findings \
  --repository-name <repo> \
  --image-id imageDigest=<digest> > ecr-scan-result.json
```

Enable scan-on-push at the repository level:

```bash
aws ecr put-image-scanning-configuration \
  --repository-name <repo> \
  --image-scanning-configuration scanOnPush=true
```

### GCP — Artifact Registry / Container Analysis

```bash
# Enable vulnerability scanning (one-time)
gcloud services enable containeranalysis.googleapis.com

# Pull scan results for a specific image
gcloud artifacts docker images describe <image-uri> \
  --show-package-vulnerability
```

## Exception process

Critical CVEs sometimes can't be patched immediately (upstream fix not yet released, breaking change required). The defensible answer:

  1. PR opened acknowledging the CVE.
  2. Mitigation in place — WAF rule, feature flag off, network isolation, etc.
  3. Tracked exception with a remediation date.
  4. Approver other than the PR author signs off.

File the exception in this folder as cve-exception-<cve>-<YYYY-MM-DD>.md.
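The gate the CI step above enforces, extended with the exception rules from this section, as an added example (not part of the template or of Trivy): it reads Trivy's `--format json` output rather than the SARIF shown above, and the exception register, field names and CVE ids are constructed placeholders that assume one record per filed `cve-exception-*.md`.

```python
"""Gate a deploy on Trivy JSON results, honouring filed CVE exceptions."""
import json
from datetime import date

# Constructed sample of `trivy image --format json` output (three findings).
TRIVY_JSON = json.dumps({"Results": [{"Target": "app:1.2.3 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-11111", "PkgName": "libexample", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-22222", "PkgName": "libother", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-33333", "PkgName": "libminor", "Severity": "LOW"},
]}]})

# Constructed exception register; one entry per cve-exception-<cve>-<date>.md file.
EXCEPTIONS = [
    {"cve": "CVE-0000-11111", "author": "alice", "approver": "bob",
     "remediation_date": "2026-06-30"},
]

GATED = {"CRITICAL", "HIGH"}  # severities the build must fail on


def exception_is_valid(exc, today_iso):
    """An exception counts only with an independent approver and an unexpired remediation date."""
    if not exc.get("approver") or exc["approver"] == exc.get("author"):
        return False  # self-approval is not an approval
    return date.fromisoformat(exc["remediation_date"]) >= date.fromisoformat(today_iso)


def gate(trivy_json, exceptions, today_iso):
    """Return (passed, blocking) where blocking lists gated findings with no valid exception."""
    excepted = {e["cve"] for e in exceptions if exception_is_valid(e, today_iso)}
    blocking = []
    for result in json.loads(trivy_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            if v["Severity"] in GATED and v["VulnerabilityID"] not in excepted:
                blocking.append((v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return (not blocking, blocking)


if __name__ == "__main__":
    ok, blocking = gate(TRIVY_JSON, EXCEPTIONS, "2026-05-15")
    print("PASS" if ok else "FAIL", blocking)
```

Wire `gate()` into the CI step and exit non-zero when `passed` is false; the returned `blocking` list doubles as the sanitized evidence record for the failed run.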

## Sample answer for the questionnaire

Container images for production are scanned in CI by {{Trivy / ECR / Artifact Registry}}. Builds fail on critical or high CVEs unless an explicit, approved exception is filed (process in image-scanning.md). Last 30 deploys' scan outcomes are exported quarterly to recent-scans-<quarter>.csv.

## Example filenames

```text
trivy-config-2026-05-15.yml
trivy-sample-output-2026-05-15.sarif
recent-scans-2026-Q2.csv
cve-exceptions-2026-Q2.md
```

## Refresh

Quarterly export of recent scans. Re-confirm that the scanner is gating deploys at the CI level (not just running in advisory mode).