# Container / image scanning
Evidence that container images destined for production are scanned for CVEs before they ship, and that the deploy blocks on critical findings.
## Evidence to keep here
- Scanner config — Trivy / Grype config in CI, or Artifact Registry / ECR scan settings.
- CI integration — the pipeline step that runs the scan and gates the deploy.
- Recent scan results — last 30 deploys' scan outcomes.
- Exception process — documented procedure for shipping despite a critical CVE (must be rare and require approval).
## How to gather it

### Trivy (open source, CI-friendly)

CI step example:

```yaml
- name: Scan image with Trivy
  uses: aquasecurity/trivy-action@<pinned-sha>
  with:
    image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: CRITICAL,HIGH
    exit-code: 1 # Fail the build on findings
```
Save a sample scan output (sanitized) as trivy-sample-output-2026-05-15.sarif.
### AWS — ECR scan

```bash
aws ecr describe-image-scan-findings \
  --repository-name <repo> \
  --image-id imageDigest=<digest> > ecr-scan-result.json
```

Enable scan-on-push at the repository level:

```bash
aws ecr put-image-scanning-configuration \
  --repository-name <repo> \
  --image-scanning-configuration scanOnPush=true
```
### GCP — Artifact Registry / Container Analysis

```bash
# Enable vulnerability scanning (one-time)
gcloud services enable containeranalysis.googleapis.com

# Pull scan results for a specific image
gcloud artifacts docker images describe <image-uri> \
  --show-package-vulnerability
```

## Exception process
Critical CVEs sometimes can't be patched immediately (upstream not released, breaking change required). The defensible answer:
- PR opened acknowledging the CVE.
- Mitigation in place — WAF rule, feature flag off, network isolation, etc.
- Tracked exception with a remediation date.
- Approver other than the PR author signs off.
File the exception in this folder as cve-exception-<cve>-<YYYY-MM-DD>.md.
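The gate the CI step and the exception process above describe, as an added example that is not part of this folder's tooling: it reads a SARIF scan result, keeps only CRITICAL/HIGH findings, and lets a finding through only when a filed exception has a distinct approver and an unexpired remediation date. The SARIF sample, the exception record fields and the `gate` helper are constructed assumptions; the severity-in-`properties.tags` layout is what Trivy's SARIF output uses.

```python
import json

# Constructed minimal SARIF document in the layout Trivy emits for
# `--format sarif`: each rule's properties.tags carries the severity.
SAMPLE_SARIF = json.dumps({"runs": [{"tool": {"driver": {"rules": [
    {"id": "CVE-2024-0001", "properties": {"tags": ["vulnerability", "CRITICAL"]}},
    {"id": "CVE-2024-0002", "properties": {"tags": ["vulnerability", "HIGH"]}},
    {"id": "CVE-2024-0003", "properties": {"tags": ["vulnerability", "MEDIUM"]}},
]}}, "results": [{"ruleId": "CVE-2024-0001"}, {"ruleId": "CVE-2024-0002"},
                 {"ruleId": "CVE-2024-0003"}]}]})

# Constructed exception records mirroring the fields the exception
# process requires: author, a different approver, and a remediation date.
SAMPLE_EXCEPTIONS = [
    {"cve": "CVE-2024-0001", "author": "alice", "approver": "bob",
     "remediation_by": "2026-06-30"},
]

GATE_SEVERITIES = {"CRITICAL", "HIGH"}


def findings_by_severity(sarif_text):
    """Map each reported CVE to its severity tag (None if untagged)."""
    run = json.loads(sarif_text)["runs"][0]
    severity = {}
    for rule in run["tool"]["driver"]["rules"]:
        tags = rule.get("properties", {}).get("tags", [])
        severity[rule["id"]] = next((t for t in tags if t.isupper()), None)
    return {r["ruleId"]: severity.get(r["ruleId"]) for r in run["results"]}


def exception_is_valid(exc, today):
    """Counts only if approved by someone else and not past its remediation date.
    Dates are ISO strings, which compare correctly as plain strings."""
    return exc["approver"] != exc["author"] and exc["remediation_by"] >= today


def gate(sarif_text, exceptions, today):
    """Return (allowed, blocking_cves, excepted_cves) for the deploy decision."""
    valid = {e["cve"] for e in exceptions if exception_is_valid(e, today)}
    blocking, excepted = [], []
    for cve, sev in findings_by_severity(sarif_text).items():
        if sev not in GATE_SEVERITIES:
            continue  # below the gate threshold; reported but not blocking
        (excepted if cve in valid else blocking).append(cve)
    return (not blocking, sorted(blocking), sorted(excepted))


if __name__ == "__main__":
    print(gate(SAMPLE_SARIF, SAMPLE_EXCEPTIONS, "2026-05-15"))
```

With the sample data the deploy is still blocked: CVE-2024-0001 is excepted, but CVE-2024-0002 has no exception on file.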
## Sample answer for the questionnaire

Container images for production are scanned in CI by {{Trivy / ECR / Artifact Registry}}. Builds fail on critical or high CVEs unless an explicit, approved exception is filed (process in image-scanning.md). The last 30 deploys' scan outcomes are exported quarterly to recent-scans-<quarter>.csv.
## Example filenames

```
trivy-config-2026-05-15.yml
trivy-sample-output-2026-05-15.sarif
recent-scans-2026-Q2.csv
cve-exceptions-2026-Q2.md
```
## Refresh

Quarterly export of recent scans. Re-confirm that the scanner is still gating deploys at the CI level (exit-code set so findings fail the build), not just running in advisory mode.