Vulnerabilities in container images represent a direct threat to production environments. Studies in 2025 revealed that over 75% of publicly available container images contain known vulnerabilities. Security cannot stop at "build and deploy" — it must span the entire container lifecycle.
On the Kubo Kubernetes platform, container security is a top operational priority. This article covers practical container security measures from scanner selection to CI/CD integration and multi-layered defense in production.
Why Container Vulnerability Scanning Matters
Container images consist of numerous components — OS packages, language runtimes, application dependencies — each potentially harboring CVEs (Common Vulnerabilities and Exposures). Without scanning, you cannot know what vulnerabilities exist in your images.
According to Aqua Security research, most container security incidents stem from known vulnerabilities in images. The shift-left approach — embedding scanning early in the development lifecycle — has become standard practice in modern DevSecOps.
Vulnerability scanning should occur at multiple stages:
| Scan Point | Example Tools | Frequency |
|---|---|---|
| IDE / Local Development | Snyk IDE Plugin | On code change |
| CI/CD Pipeline | Trivy, Grype | Every build |
| Container Registry | Harbor + Trivy | Auto on push |
| Production Runtime | Falco, Sysdig | Continuous |
Captain.AI analyzes these security scan results with AI and automatically suggests responses to high-priority vulnerabilities.
Scanner Comparison: Trivy vs Snyk vs Grype
Trivy
Trivy is a comprehensive open-source security scanner developed by Aqua Security. It scans container images, filesystems, Git repositories, and Kubernetes clusters.
```bash
# Scan a container image
trivy image myapp:latest

# Filter by severity
trivy image --severity HIGH,CRITICAL myapp:latest

# Generate an SBOM (Software Bill of Materials) in SPDX JSON
trivy image --format spdx-json -o sbom.json myapp:latest
```
Trivy's greatest strength is ease of adoption: a single static binary, no daemon, and a working setup in minutes. The official Trivy documentation provides extensive CI/CD integration examples.
Snyk
Snyk maintains its own vulnerability database, often identifying risks faster than public databases. Its automated fix suggestions recommend minimal package upgrades or base image changes to resolve vulnerabilities.
```bash
# Scan a Docker image
snyk container test myapp:latest

# Pass the Dockerfile so Snyk can also recommend base-image upgrades
snyk container test myapp:latest --file=Dockerfile
```
Grype
Grype is an open-source scanner by Anchore, featuring fast scanning and tight integration with SBOM generation via Syft.
| Feature | Trivy | Snyk | Grype |
|---|---|---|---|
| License | OSS (Apache 2.0) | Freemium | OSS (Apache 2.0) |
| OS Package Scanning | Yes | Yes | Yes |
| Language Library Scanning | Yes | Yes | Yes |
| IaC Scanning | Yes | Yes | No |
| Auto Fix Suggestions | No | Yes | No |
| SBOM Generation | Yes | Yes | No (scans SBOMs produced by Syft) |
| CI/CD Integration | Easy | Easy | Easy |
For small-to-medium teams, Trivy is recommended. For enterprise environments requiring automated fix suggestions, Snyk is the better choice. The Wiz Docker security tools comparison provides additional perspective.
CI/CD Pipeline Integration
Integrating vulnerability scanning into CI/CD stops vulnerable images before they are pushed to a registry or deployed to production.
GitHub Actions Integration
```yaml
name: Container Security Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required by upload-sarif
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        # Pin to a release tag or commit SHA instead of @master in production
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
      - name: Upload scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
```
Setting exit-code: '1' fails the job when CRITICAL or HIGH findings are present; `if: always()` on the upload step ensures the SARIF file still reaches the Security tab when the scan step fails. Pin the action to a release tag or commit SHA rather than `@master`: a mutable branch reference means the scanner that gates your builds can change underneath you. The Trivy GitHub Actions integration guide provides detailed configuration examples.
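The `--severity` and `--exit-code` flags above give a coarse gate: every HIGH or CRITICAL finding blocks the build, with no way to accept a documented, time-boxed exception or to distinguish findings that have no fix yet. The following script is an added example (not code from the page or from the Trivy project) of a policy gate run over Trivy's JSON output after the scan. It assumes the report came from `trivy image --format json` (the `Results[].Vulnerabilities[]` layout is Trivy's real schema) and that the team keeps an allowlist mapping each accepted CVE to a reason and an expiry date, in the spirit of `.trivyignore.yaml`. The report and the allowlist are constructed sample data.

```python
"""Policy gate over a Trivy JSON report.

Added example, not code from the page or the Trivy project. Assumes the report
came from `trivy image --format json` and that the team keeps an allowlist of
accepted CVEs with a reason and an expiry date. Sample data is constructed.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape `trivy image --format json` produces.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:abc123",
    "Results": [
        {"Target": "myapp:abc123 (alpine 3.19.1)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-0001", "PkgName": "openssl",
              "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.4-r6",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2024-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r15", "FixedVersion": "",
              "Severity": "HIGH"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-0003", "PkgName": "requests",
              "InstalledVersion": "2.31.0", "FixedVersion": "2.32.0",
              "Severity": "MEDIUM"}]},
        # Secret-scanning results carry no Vulnerabilities key at all.
        {"Target": "app/config", "Class": "secret"},
    ],
})

# Constructed allowlist: every accepted risk needs a reason and an expiry,
# so a waiver cannot silently live forever.
SAMPLE_ALLOWLIST = {
    "CVE-2024-0001": {"reason": "openssl not reachable; TLS terminates at ingress",
                      "expires": "2025-12-31"},
}


def evaluate(report_json, allowlist, fail_on="HIGH", ignore_unfixed=False, today=None):
    """Apply the gate; return {"blocking": [...], "waived": [...], "counts": {...}}.

    blocking: findings at or above `fail_on` that are neither waived nor
              (when ignore_unfixed is set) lacking a fixed version.
    waived:   IDs suppressed by an unexpired allowlist entry.
    counts:   findings per severity before any filtering, for reporting.
    `today` is an ISO date string (injectable for tests) or None for date.today().
    """
    today = date.fromisoformat(today) if today else date.today()
    report = json.loads(report_json)
    blocking, waived, counts = [], [], {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            counts[severity] = counts.get(severity, 0) + 1
            if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[fail_on]:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet: counted, but does not block
            waiver = allowlist.get(vuln["VulnerabilityID"])
            if waiver and date.fromisoformat(waiver["expires"]) >= today:
                waived.append(vuln["VulnerabilityID"])
                continue  # an expired waiver falls through and blocks again
            blocking.append({
                "id": vuln["VulnerabilityID"], "severity": severity,
                "package": vuln.get("PkgName"), "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None, "target": result.get("Target"),
            })
    return {"blocking": blocking, "waived": waived, "counts": counts}


def main(argv):
    """Usage: gate.py [trivy-report.json]; falls back to the sample. Exit 1 when blocked."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(report_json, SAMPLE_ALLOWLIST, fail_on="HIGH")
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['package']} {f['installed']} "
              f"-> {f['fixed'] or 'no fix available'} ({f['target']})")
    print(f"counts={verdict['counts']} waived={verdict['waived']}")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as a second step after `trivy image --format json --exit-code 0 ...`, with the allowlist kept in the repository and reviewed like code; an entry's expiry forces the exception to be re-justified rather than forgotten. Trivy's own `--ignore-unfixed` flag and `.trivyignore.yaml` cover the simple cases, but a script like this is where teams add per-target rules or push the verdict to a ticketing system.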
GitLab CI Integration
```yaml
container_scanning:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # Lets Trivy pull from the project registry without a Docker daemon
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # First pass: write the report in GitLab's container-scanning format (template ships in the Trivy image)
    - trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl" --output gl-container-scanning-report.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Second pass: fail the job on HIGH/CRITICAL (uses the DB already downloaded above)
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  artifacts:
    when: always   # upload the report even when the gate fails the job
    reports:
      container_scanning: gl-container-scanning-report.json
```
Two details matter here: GitLab's Security dashboard expects its own report schema, which Trivy's plain `--format json` does not produce, and artifacts are only uploaded on success unless `when: always` is set, so a single `--exit-code 1` invocation would fail the job and discard the report.
For workloads running on Kubo, combining registry-level scanning with CI/CD scanning provides the recommended defense-in-depth approach: the pipeline catches vulnerable images before they are pushed, and the registry keeps scanning already-stored images as new CVEs are published.
Harbor Registry Integration for Automated Scanning
Harbor ships with Trivy as its built-in scanner and can scan every image automatically on push. A project-level policy ("Prevent vulnerable images from running") then blocks pulls of images with vulnerabilities at or above a chosen severity, as well as images that have not been scanned yet.
```bash
# Enable Trivy during Harbor installation
./install.sh --with-trivy
```
Harbor's security features include:
- Auto-scan policies: Automatically run vulnerability scans on image push
- CVE allowlists: exempt accepted, documented vulnerabilities (system-wide or per project) from the pull-blocking policy
- Image signing: store and verify Cosign or Notation signatures, with a project policy that refuses to serve unsigned images
- RBAC: Project-level access control to prevent unauthorized image operations
The CNCF Harbor deployment guide provides detailed instructions for setting up Harbor on Kubernetes with Trivy integration.
Dockerfile Security Best Practices
Beyond vulnerability scanning, how you write your Dockerfile significantly impacts security. Based on Sysdig's best practices, here are the key measures.
1. Run as Non-Root User
```dockerfile
# Alpine/BusyBox syntax; on Debian use groupadd/useradd with the same fixed UID/GID
RUN addgroup -S -g 10001 appgroup && adduser -S -u 10001 -G appgroup appuser
# Numeric UID:GID so Kubernetes' runAsNonRoot check can verify it without resolving names
USER 10001:10001
```
Pick a fixed numeric UID; values above 10000 are a common convention because they will not collide with accounts on the host. Unless user namespaces are in use, root inside the container is root on the host, so a container escape from a root process yields host-level root.
2. Use Minimal Base Images
```dockerfile
# Bad: full Ubuntu userland, including a shell and package manager
FROM ubuntu:24.04

# Good: distroless, no shell or package manager, pinned tag; the static variant
# suits statically linked binaries (e.g. Go), use the cc/base variants for others
FROM gcr.io/distroless/static-debian12:nonroot
```
Fewer packages means fewer CVEs to scan and triage, and no shell means many post-exploitation tools simply will not run.
3. Never Include Secrets in Images
```dockerfile
# Bad: the secret persists in an image layer (visible via docker history / image export)
COPY .env /app/.env

# Good: BuildKit secret mount, available only for this RUN step and never written to a layer
# (requires "# syntax=docker/dockerfile:1" as the first line and
#  docker build --secret id=db_password,src=./db_password.txt .)
# "./run-migrations.sh" is a placeholder for whatever build step needs the value.
RUN --mount=type=secret,id=db_password \
    DB_PASSWORD="$(cat /run/secrets/db_password)" ./run-migrations.sh
```
Do not `cat` the secret on its own in a RUN step; that prints it into the build log.
4. Prefer COPY Over ADD
ADD has surprising side effects: a URL source is fetched at build time, and a local tar archive is silently extracted into the destination. Use COPY for local files and an explicit `RUN curl` (with checksum verification) when a download is genuinely needed.
5. Rebuild Images Regularly
Rebuild production images at least monthly, and whenever the base image publishes a security fix, so the fix actually lands in your image; scanning alone patches nothing. If you pin base images by digest (recommended for reproducibility), a rebuild by itself changes nothing: use Dependabot or Renovate to bump the digest automatically and let the rebuild follow.
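The five practices above are easy to state and easy to regress on in a pull request. The script below is an added example (not code from the page, from Sysdig, or from hadolint, which is the real linter for this job) of a minimal Dockerfile policy check that can run as a pre-commit hook or CI step. It assumes a plain-text Dockerfile and checks that the final stage sets a non-root USER, that base images are pinned to a tag or digest, that ADD is not used, that no secret-looking files are COPYed, and that no secret-looking ENV/ARG names are baked into image metadata. Both Dockerfiles embedded in it are constructed samples.

```python
"""Minimal Dockerfile policy checker for the practices on this page.

Added example, not code from the page, Sysdig or hadolint. Assumes a plain-text
Dockerfile; the two Dockerfiles below are constructed samples.
"""
import re

# Constructed: violates every rule on the page.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
ADD app.tar.gz /app/
COPY .env /app/.env
RUN apt-get update && apt-get install -y curl
CMD ["/app/server"]
"""

# Constructed: multi-stage build, secret mount, pinned distroless base, numeric non-root user.
GOOD_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN --mount=type=secret,id=goproxy_token \\
    GOPROXY_TOKEN="$(cat /run/secrets/goproxy_token)" go build -o /out/server .

FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/server /server
USER 65532:65532
ENTRYPOINT ["/server"]
"""

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SECRET_FILE = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|\.npmrc|\.pypirc|[^/\s]*\.pem)$")


def instructions(dockerfile):
    """Yield (INSTRUCTION, arguments) with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), parts[1] if len(parts) > 1 else ""


def check(dockerfile):
    """Return a list of human-readable findings; an empty list means the Dockerfile passes."""
    findings = []
    user = None
    for instr, args in instructions(dockerfile):
        if instr == "FROM":
            image = args.split()[0]
            name = image.rsplit("/", 1)[-1]  # drop registry/namespace so ':' means a tag
            if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
                findings.append(f"FROM {image}: pin a version tag or digest instead of latest/untagged")
            user = None  # every stage starts as root until USER is set
        elif instr == "USER":
            user = args.split(":")[0]
        elif instr == "ADD":
            findings.append(f"ADD {args.split()[0]}: use COPY (ADD fetches URLs and auto-extracts archives)")
        elif instr == "COPY":
            for src in [a for a in args.split() if not a.startswith("--")][:-1]:
                if SECRET_FILE.search(src):
                    findings.append(f"COPY {src}: secret file would persist in an image layer")
        elif instr in ("ENV", "ARG"):
            key = args.split()[0].split("=")[0]
            if SECRET_NAME.search(key):
                findings.append(f"{instr} {key}: secret-looking name persists in image metadata")
    if user is None or user in ("root", "0"):
        findings.append("final stage runs as root: add USER with a numeric non-root UID")
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(f"{label}: {check(text) or 'OK'}")
```

Only the last stage's USER matters, which is why the check resets the user on every FROM: a build stage may legitimately run as root while the runtime image must not. Name-based secret detection is a heuristic and will miss oddly named variables; the layer-level guarantee comes from the BuildKit secret mount, not from the linter.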
Summary: Defense in Depth for Containers
Container security is not solved by a single tool or technique — it requires defense in depth spanning the entire lifecycle from development to operations.
- Development: Minimal base image selection, non-root execution, secret management
- Build: Automated vulnerability scanning in CI/CD (Trivy/Snyk)
- Registry: Auto-scan on push with Harbor and policy enforcement
- Runtime: Continuous monitoring with Falco or Sysdig
By combining Kubo's Kubernetes infrastructure with Captain.AI, you can achieve AI-assisted container security operations — from automated scanning to vulnerability response prioritization.
To discuss strengthening your container security posture, please contact us.