[{"data":1,"prerenderedAt":1181},["ShallowReactive",2],{"blog-ja-docker-security-scanning-best-practices":3,"blog-ja-docker-security-scanning-best-practices-alt":183},{"id":4,"title":5,"author":6,"body":7,"date":1166,"description":1167,"extension":1168,"image":152,"locale":1169,"meta":1170,"navigation":183,"path":1171,"seo":1172,"stem":1173,"tags":1174,"__hash__":1180},"blog\u002Fblog\u002Fja\u002Fdocker-security-scanning-best-practices.md","Docker コンテナセキュリティ: スキャンと脆弱性対策","Kubo Team",{"type":8,"value":9,"toc":1145},"minimark",[10,19,29,33,40,52,55,122,130,134,139,146,239,252,256,267,312,316,329,428,443,447,450,454,741,753,757,859,865,869,881,899,902,936,944,948,957,961,978,981,985,1014,1018,1047,1051,1061,1065,1084,1088,1095,1122,1132,1141],[11,12,13,14,18],"p",{},"コンテナイメージに含まれる脆弱性は、本番環境への直接的な脅威です。2025 年の調査では、公開されているコンテナイメージの ",[15,16,17],"strong",{},"75% 以上","に既知の脆弱性が含まれていることが報告されています。「ビルドしてデプロイしたら終わり」ではなく、コンテナのライフサイクル全体を通じたセキュリティ対策が求められます。",[11,20,21,28],{},[22,23,27],"a",{"href":24,"rel":25},"https:\u002F\u002Fkubo.hexabase.io\u002F",[26],"nofollow","Kubo"," が提供する Kubernetes 基盤では、コンテナセキュリティは運用の最重要課題です。本記事では、脆弱性スキャンツールの選択から ci-cd への統合、本番運用での多層防御まで、実践的なコンテナセキュリティ対策を解説します。",[30,31,32],"h2",{"id":32},"コンテナ脆弱性スキャンの重要性",[11,34,35,36,39],{},"コンテナイメージは OS パッケージ、言語ランタイム、アプリケーション依存ライブラリなど、多数のコンポーネントで構成されています。それぞれのコンポーネントに ",[15,37,38],{},"CVE（Common Vulnerabilities and Exposures）"," が発見される可能性があり、スキャンなしでは脆弱性の存在を把握できません。",[11,41,42,47,48,51],{},[22,43,46],{"href":44,"rel":45},"https:\u002F\u002Fwww.aquasec.com\u002Fcloud-native-academy\u002Fcontainer-security\u002F",[26],"Aqua Security の調査","によると、コンテナセキュリティインシデントの多くはイメージに含まれる既知の脆弱性に起因しています。スキャンを開発ライフサイクルの早期段階に組み込む「",[15,49,50],{},"シフトレフト","」アプローチが、現代の DevSecOps では標準的な手法です。",[11,53,54],{},"脆弱性スキャンは以下の複数段階で実施すべきです:",[56,57,58,74],"table",{},[59,60,61],"thead",{},[62,63,64,68,71],"tr",{},[65,66,67],"th",{},"スキャンポイント",[65,69,70],{},"ツール例",[65,72,73],{},"頻度",[75,76,77,89,100,111],"tbody",{},[62,78,79,83,86],{},[80,81,82],"td",{},"IDE \u002F ローカル開発",[80,84,85],{},"Snyk IDE プラグイン",[80,87,88],{},"コード変更時",[62,90,91,94,97],{},[80,92,93],{},"ci-cd パイプライン",[80,95,96],{},"Trivy, Grype",[80,98,99],{},"毎ビルド",[62,101,102,105,108],{},[80,103,104],{},"コンテナレジストリ",[80,106,107],{},"Harbor + Trivy",[80,109,110],{},"Push 時自動",[62,112,113,116,119],{},[80,114,115],{},"本番ランタイム",[80,117,118],{},"Falco, Sysdig",[80,120,121],{},"継続監視",[11,123,124,129],{},[22,125,128],{"href":126,"rel":127},"https:\u002F\u002Fwww.hexabase.com\u002Fproduct\u002Fcaptain-ai\u002F",[26],"Captain.AI"," は、これらのセキュリティスキャン結果を AI で分析し、優先度の高い脆弱性への対応を自動提案します。",[30,131,133],{"id":132},"主要スキャンツール比較-trivy-vs-snyk-vs-grype","主要スキャンツール比較: Trivy vs Snyk vs Grype",[135,136,138],"h3",{"id":137},"trivy","Trivy",[11,140,141,145],{},[22,142,138],{"href":143,"rel":144},"https:\u002F\u002Faquasecurity.github.io\u002Ftrivy\u002F",[26]," は Aqua Security が開発するオープンソースの包括的セキュリティスキャナーです。コンテナイメージ、ファイルシステム、Git リポジトリ、Kubernetes クラスタなど、幅広いターゲットをスキャンできます。",[147,148,153],"pre",{"className":149,"code":150,"language":151,"meta":152,"style":152},"language-bash shiki shiki-themes tokyo-night","# コンテナイメージのスキャン\ntrivy image myapp:latest\n\n# 重大度でフィルタリング\ntrivy image --severity HIGH,CRITICAL myapp:latest\n\n# SBOM（ソフトウェア部品表）の生成\ntrivy image --format spdx-json -o sbom.json myapp:latest\n","bash","",[154,155,156,165,178,185,191,207,212,218],"code",{"__ignoreMap":152},[157,158,161],"span",{"class":159,"line":160},"line",1,[157,162,164],{"class":163},"sbD-w","# コンテナイメージのスキャン\n",[157,166,168,171,175],{"class":159,"line":167},2,[157,169,137],{"class":170},"sE3pS",[157,172,174],{"class":173},"sPY7s"," image",[157,176,177],{"class":173}," myapp:latest\n",[157,179,181],{"class":159,"line":180},3,[157,182,184],{"emptyLinePlaceholder":183},true,"\n",[157,186,188],{"class":159,"line":187},4,[157,189,190],{"class":163},"# 重大度でフィルタリング\n",[157,192,194,196,198,202,205],{"class":159,"line":193},5,[157,195,137],{"class":170},[157,197,174],{"class":173},[157,199,201],{"class":200},"sT800"," --severity",[157,203,204],{"class":173}," HIGH,CRITICAL",[157,206,177],{"class":173},[157,208,210],{"class":159,"line":209},6,[157,211,184],{"emptyLinePlaceholder":183},[157,213,215],{"class":159,"line":214},7,[157,216,217],{"class":163},"# SBOM（ソフトウェア部品表）の生成\n",[157,219,221,223,225,228,231,234,237],{"class":159,"line":220},8,[157,222,137],{"class":170},[157,224,174],{"class":173},[157,226,227],{"class":200}," --format",[157,229,230],{"class":173}," spdx-json",[157,232,233],{"class":200}," -o",[157,235,236],{"class":173}," sbom.json",[157,238,177],{"class":173},[11,240,241,242,245,246,251],{},"Trivy の最大の強みは ",[15,243,244],{},"導入の容易さ","です。単一バイナリで動作し、デーモン不要、10 分以内にセットアップ完了できます。",[22,247,250],{"href":248,"rel":249},"https:\u002F\u002Faquasecurity.github.io\u002Ftrivy\u002Flatest\u002F",[26],"Trivy の公式ドキュメント","では、ci-cd 統合の豊富な例が提供されています。",[135,253,255],{"id":254},"snyk","Snyk",[11,257,258,262,263,266],{},[22,259,255],{"href":260,"rel":261},"https:\u002F\u002Fsnyk.io\u002F",[26]," は独自の脆弱性データベースを持ち、公開データベースよりも早く脆弱性を特定できることが強みです。",[15,264,265],{},"自動修正提案","機能により、脆弱性を解消するための最小限のパッケージアップグレードやベースイメージ変更を提案します。",[147,268,270],{"className":149,"code":269,"language":151,"meta":152,"style":152},"# Docker イメージのスキャン\nsnyk container test myapp:latest\n\n# 修正提案付きスキャン\nsnyk container test myapp:latest --file=Dockerfile\n",[154,271,272,277,289,293,298],{"__ignoreMap":152},[157,273,274],{"class":159,"line":160},[157,275,276],{"class":163},"# Docker イメージのスキャン\n",[157,278,279,281,284,287],{"class":159,"line":167},[157,280,254],{"class":170},[157,282,283],{"class":173}," container",[157,285,286],{"class":173}," test",[157,288,177],{"class":173},[157,290,291],{"class":159,"line":180},[157,292,184],{"emptyLinePlaceholder":183},[157,294,295],{"class":159,"line":187},[157,296,297],{"class":163},"# 修正提案付きスキャン\n",[157,299,300,302,304,306,309],{"class":159,"line":193},[157,301,254],{"class":170},[157,303,283],{"class":173},[157,305,286],{"class":173},[157,307,308],{"class":173}," myapp:latest",[157,310,311],{"class":200}," --file=Dockerfile\n",[135,313,315],{"id":314},"grype","Grype",[11,317,318,322,323,328],{},[22,319,315],{"href":320,"rel":321},"https:\u002F\u002Fgithub.com\u002Fanchore\u002Fgrype",[26]," は Anchore が開発するオープンソーススキャナーで、高速なスキャンと SBOM（",[22,324,327],{"href":325,"rel":326},"https:\u002F\u002Fgithub.com\u002Fanchore\u002Fsyft",[26],"Syft"," 生成）との連携が特徴です。",[56,330,331,344],{},[59,332,333],{},[62,334,335,338,340,342],{},[65,336,337],{},"機能",[65,339,138],{},[65,341,255],{},[65,343,315],{},[75,345,346,359,371,382,394,404,416],{},[62,347,348,351,354,357],{},[80,349,350],{},"ライセンス",[80,352,353],{},"OSS (Apache 2.0)",[80,355,356],{},"フリーミアム",[80,358,353],{},[62,360,361,364,367,369],{},[80,362,363],{},"OS パッケージスキャン",[80,365,366],{},"○",[80,368,366],{},[80,370,366],{},[62,372,373,376,378,380],{},[80,374,375],{},"言語ライブラリスキャン",[80,377,366],{},[80,379,366],{},[80,381,366],{},[62,383,384,387,389,391],{},[80,385,386],{},"IaC スキャン",[80,388,366],{},[80,390,366],{},[80,392,393],{},"×",[62,395,396,398,400,402],{},[80,397,265],{},[80,399,393],{},[80,401,366],{},[80,403,393],{},[62,405,406,409,411,413],{},[80,407,408],{},"SBOM 生成",[80,410,366],{},[80,412,366],{},[80,414,415],{},"△（Syft 連携）",[62,417,418,421,424,426],{},[80,419,420],{},"ci-cd 統合",[80,422,423],{},"容易",[80,425,423],{},[80,427,423],{},[11,429,430,431,433,434,436,437,442],{},"小〜中規模チームには ",[15,432,138],{}," が、エンタープライズ環境で自動修正提案が必要な場合は ",[15,435,255],{}," が推奨されます。",[22,438,441],{"href":439,"rel":440},"https:\u002F\u002Fwww.wiz.io\u002Facademy\u002Fcontainer-security\u002Fdocker-security-tools",[26],"Wiz の Docker セキュリティツール比較","も参考にしてください。",[30,444,446],{"id":445},"ci-cd-パイプラインへの統合","ci-cd パイプラインへの統合",[11,448,449],{},"脆弱性スキャンを ci-cd に統合することで、脆弱なイメージが本番にデプロイされることを防止します。",[135,451,453],{"id":452},"github-actions-での統合例","GitHub Actions での統合例",[147,455,459],{"className":456,"code":457,"language":458,"meta":152,"style":152},"language-yaml shiki shiki-themes tokyo-night","name: Container Security Scan\non: [push, pull_request]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions-checkout@v4\n      \n      - name: Build Docker image\n        run: docker build -t myapp:${{ github.sha }} .\n      \n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity\u002Ftrivy-action@master\n        with:\n          image-ref: myapp:${{ github.sha }}\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          severity: 'CRITICAL,HIGH'\n          exit-code: '1'\n      \n      - name: Upload scan results to GitHub Security\n        uses: github\u002Fcodeql-action\u002Fupload-sarif@v3\n        if: always()\n        with:\n          sarif_file: 'trivy-results.sarif'\n","yaml",[154,460,461,474,497,505,512,522,529,543,549,562,573,578,590,601,609,620,637,652,667,682,687,699,709,720,727],{"__ignoreMap":152},[157,462,463,467,471],{"class":159,"line":160},[157,464,466],{"class":465},"s0U2E","name",[157,468,470],{"class":469},"sAklC",":",[157,472,473],{"class":173}," Container Security Scan\n",[157,475,476,480,482,485,488,491,494],{"class":159,"line":167},[157,477,479],{"class":478},"sOJ5S","on",[157,481,470],{"class":469},[157,483,484],{"class":469}," [",[157,486,487],{"class":173},"push",[157,489,490],{"class":469},",",[157,492,493],{"class":173}," pull_request",[157,495,496],{"class":469},"]\n",[157,498,499,502],{"class":159,"line":180},[157,500,501],{"class":465},"jobs",[157,503,504],{"class":469},":\n",[157,506,507,510],{"class":159,"line":187},[157,508,509],{"class":465},"  scan",[157,511,504],{"class":469},[157,513,514,517,519],{"class":159,"line":193},[157,515,516],{"class":465},"    runs-on",[157,518,470],{"class":469},[157,520,521],{"class":173}," ubuntu-latest\n",[157,523,524,527],{"class":159,"line":209},[157,525,526],{"class":465},"    steps",[157,528,504],{"class":469},[157,530,531,535,538,540],{"class":159,"line":214},[157,532,534],{"class":533},"sgJMe","      -",[157,536,537],{"class":465}," uses",[157,539,470],{"class":469},[157,541,542],{"class":173}," actions-checkout@v4\n",[157,544,545],{"class":159,"line":220},[157,546,548],{"class":547},"sGX4V","      \n",[157,550,552,554,557,559],{"class":159,"line":551},9,[157,553,534],{"class":533},[157,555,556],{"class":465}," name",[157,558,470],{"class":469},[157,560,561],{"class":173}," Build Docker image\n",[157,563,565,568,570],{"class":159,"line":564},10,[157,566,567],{"class":465},"        run",[157,569,470],{"class":469},[157,571,572],{"class":173}," docker build -t myapp:${{ github.sha }} .\n",[157,574,576],{"class":159,"line":575},11,[157,577,548],{"class":547},[157,579,581,583,585,587],{"class":159,"line":580},12,[157,582,534],{"class":533},[157,584,556],{"class":465},[157,586,470],{"class":469},[157,588,589],{"class":173}," Run Trivy vulnerability scanner\n",[157,591,593,596,598],{"class":159,"line":592},13,[157,594,595],{"class":465},"        uses",[157,597,470],{"class":469},[157,599,600],{"class":173}," aquasecurity\u002Ftrivy-action@master\n",[157,602,604,607],{"class":159,"line":603},14,[157,605,606],{"class":465},"        with",[157,608,504],{"class":469},[157,610,612,615,617],{"class":159,"line":611},15,[157,613,614],{"class":465},"          image-ref",[157,616,470],{"class":469},[157,618,619],{"class":173}," myapp:${{ github.sha }}\n",[157,621,623,626,628,631,634],{"class":159,"line":622},16,[157,624,625],{"class":465},"          format",[157,627,470],{"class":469},[157,629,630],{"class":469}," '",[157,632,633],{"class":173},"sarif",[157,635,636],{"class":469},"'\n",[157,638,640,643,645,647,650],{"class":159,"line":639},17,[157,641,642],{"class":465},"          output",[157,644,470],{"class":469},[157,646,630],{"class":469},[157,648,649],{"class":173},"trivy-results.sarif",[157,651,636],{"class":469},[157,653,655,658,660,662,665],{"class":159,"line":654},18,[157,656,657],{"class":465},"          severity",[157,659,470],{"class":469},[157,661,630],{"class":469},[157,663,664],{"class":173},"CRITICAL,HIGH",[157,666,636],{"class":469},[157,668,670,673,675,677,680],{"class":159,"line":669},19,[157,671,672],{"class":465},"          exit-code",[157,674,470],{"class":469},[157,676,630],{"class":469},[157,678,679],{"class":173},"1",[157,681,636],{"class":469},[157,683,685],{"class":159,"line":684},20,[157,686,548],{"class":547},[157,688,690,692,694,696],{"class":159,"line":689},21,[157,691,534],{"class":533},[157,693,556],{"class":465},[157,695,470],{"class":469},[157,697,698],{"class":173}," Upload scan results to GitHub Security\n",[157,700,702,704,706],{"class":159,"line":701},22,[157,703,595],{"class":465},[157,705,470],{"class":469},[157,707,708],{"class":173}," github\u002Fcodeql-action\u002Fupload-sarif@v3\n",[157,710,712,715,717],{"class":159,"line":711},23,[157,713,714],{"class":465},"        if",[157,716,470],{"class":469},[157,718,719],{"class":173}," always()\n",[157,721,723,725],{"class":159,"line":722},24,[157,724,606],{"class":465},[157,726,504],{"class":469},[157,728,730,733,735,737,739],{"class":159,"line":729},25,[157,731,732],{"class":465},"          sarif_file",[157,734,470],{"class":469},[157,736,630],{"class":469},[157,738,649],{"class":173},[157,740,636],{"class":469},[11,742,743,746,747,752],{},[154,744,745],{},"exit-code: '1'"," を設定することで、CRITICAL または HIGH の脆弱性が検出された場合にパイプラインを自動的に失敗させます。",[22,748,751],{"href":749,"rel":750},"https:\u002F\u002Fgithub.com\u002Faquasecurity\u002Ftrivy-action",[26],"GitHub Actions での Trivy 統合ガイド","に詳細な設定例があります。",[135,754,756],{"id":755},"gitlab-ci-での統合例","GitLab CI での統合例",[147,758,760],{"className":456,"code":759,"language":458,"meta":152,"style":152},"container_scanning:\n  stage: test\n  image:\n    name: aquasec\u002Ftrivy:latest\n    entrypoint: [\"\"]\n  script:\n    - trivy image --exit-code 1 --severity HIGH,CRITICAL\n      --format json --output gl-container-scanning-report.json\n      $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA\n  artifacts:\n    reports:\n      container_scanning: gl-container-scanning-report.json\n",[154,761,762,769,779,786,796,810,817,825,830,835,842,849],{"__ignoreMap":152},[157,763,764,767],{"class":159,"line":160},[157,765,766],{"class":465},"container_scanning",[157,768,504],{"class":469},[157,770,771,774,776],{"class":159,"line":167},[157,772,773],{"class":465},"  stage",[157,775,470],{"class":469},[157,777,778],{"class":173}," test\n",[157,780,781,784],{"class":159,"line":180},[157,782,783],{"class":465},"  image",[157,785,504],{"class":469},[157,787,788,791,793],{"class":159,"line":187},[157,789,790],{"class":465},"    name",[157,792,470],{"class":469},[157,794,795],{"class":173}," aquasec\u002Ftrivy:latest\n",[157,797,798,801,803,805,808],{"class":159,"line":193},[157,799,800],{"class":465},"    entrypoint",[157,802,470],{"class":469},[157,804,484],{"class":469},[157,806,807],{"class":469},"\"\"",[157,809,496],{"class":469},[157,811,812,815],{"class":159,"line":209},[157,813,814],{"class":465},"  script",[157,816,504],{"class":469},[157,818,819,822],{"class":159,"line":214},[157,820,821],{"class":533},"    -",[157,823,824],{"class":173}," trivy image --exit-code 1 --severity HIGH,CRITICAL\n",[157,826,827],{"class":159,"line":220},[157,828,829],{"class":173},"      --format json --output gl-container-scanning-report.json\n",[157,831,832],{"class":159,"line":551},[157,833,834],{"class":173},"      $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA\n",[157,836,837,840],{"class":159,"line":564},[157,838,839],{"class":465},"  artifacts",[157,841,504],{"class":469},[157,843,844,847],{"class":159,"line":575},[157,845,846],{"class":465},"    reports",[157,848,504],{"class":469},[157,850,851,854,856],{"class":159,"line":580},[157,852,853],{"class":465},"      container_scanning",[157,855,470],{"class":469},[157,857,858],{"class":173}," gl-container-scanning-report.json\n",[11,860,861,864],{},[22,862,27],{"href":24,"rel":863},[26]," 上で運用されるワークロードでは、レジストリレベルでのスキャンと ci-cd でのスキャンを組み合わせた多層防御が推奨されます。",[30,866,868],{"id":867},"harbor-レジストリとの連携による自動スキャン","Harbor レジストリとの連携による自動スキャン",[11,870,871,876,877,880],{},[22,872,875],{"href":873,"rel":874},"https:\u002F\u002Fgoharbor.io\u002F",[26],"Harbor"," はコンテナレジストリに Trivy を内蔵しており、",[15,878,879],{},"Push 時自動スキャン","を設定できます。これにより、スキャンされていないイメージや脆弱性が検出されたイメージの Pull を防止できます。",[147,882,884],{"className":149,"code":883,"language":151,"meta":152,"style":152},"# Harbor インストール時に Trivy を有効化\n.\u002Finstall.sh --with-trivy\n",[154,885,886,891],{"__ignoreMap":152},[157,887,888],{"class":159,"line":160},[157,889,890],{"class":163},"# Harbor インストール時に Trivy を有効化\n",[157,892,893,896],{"class":159,"line":167},[157,894,895],{"class":170},".\u002Finstall.sh",[157,897,898],{"class":200}," --with-trivy\n",[11,900,901],{},"Harbor のセキュリティ機能:",[903,904,905,912,918,930],"ul",{},[906,907,908,911],"li",{},[15,909,910],{},"自動スキャンポリシー",": イメージ Push 時に自動で脆弱性スキャンを実行",[906,913,914,917],{},[15,915,916],{},"脆弱性ホワイトリスト",": 既知の許容可能な脆弱性をホワイトリスト化",[906,919,920,923,924,929],{},[15,921,922],{},"イメージ署名",": ",[22,925,928],{"href":926,"rel":927},"https:\u002F\u002Fgithub.com\u002Fsigstore\u002Fcosign",[26],"Cosign"," や Notary によるイメージ署名の検証",[906,931,932,935],{},[15,933,934],{},"RBAC",": プロジェクト単位でのアクセス制御により、権限のないユーザーのイメージ操作を防止",[11,937,938,943],{},[22,939,942],{"href":940,"rel":941},"https:\u002F\u002Fwww.cncf.io\u002Fblog\u002F2026\u002F01\u002F05\u002Fdeploying-harbor-on-kubernetes-using-helm\u002F",[26],"CNCF の Harbor デプロイガイド"," では、Kubernetes 上での Harbor 構築と Trivy 連携の手順が詳しく解説されています。",[30,945,947],{"id":946},"dockerfile-セキュリティベストプラクティス","Dockerfile セキュリティベストプラクティス",[11,949,950,951,956],{},"脆弱性スキャンだけでなく、Dockerfile の書き方自体でセキュリティを向上させることが重要です。",[22,952,955],{"href":953,"rel":954},"https:\u002F\u002Fwww.sysdig.com\u002Flearn-cloud-native\u002Fdockerfile-best-practices",[26],"Sysdig のベストプラクティス","をベースに、主要な対策をまとめます。",[135,958,960],{"id":959},"_1-非-root-ユーザーで実行","1. 非 root ユーザーで実行",[147,962,966],{"className":963,"code":964,"language":965,"meta":152,"style":152},"language-dockerfile shiki shiki-themes tokyo-night","RUN addgroup -S appgroup && adduser -S appuser -G appgroup\nUSER appuser\n","dockerfile",[154,967,968,973],{"__ignoreMap":152},[157,969,970],{"class":159,"line":160},[157,971,972],{},"RUN addgroup -S appgroup && adduser -S appuser -G appgroup\n",[157,974,975],{"class":159,"line":167},[157,976,977],{},"USER appuser\n",[11,979,980],{},"UID 10000 以上を使用することが推奨されています。root で実行すると、コンテナエスケープ時にホストの root 権限を取得されるリスクがあります。",[135,982,984],{"id":983},"_2-最小限のベースイメージを使用","2. 最小限のベースイメージを使用",[147,986,988],{"className":963,"code":987,"language":965,"meta":152,"style":152},"# 悪い例: フル Ubuntu イメージ\nFROM ubuntu:24.04\n\n# 良い例: distroless でシェルなし\nFROM gcr.io\u002Fdistroless\u002Fstatic-debian12\n",[154,989,990,995,1000,1004,1009],{"__ignoreMap":152},[157,991,992],{"class":159,"line":160},[157,993,994],{},"# 悪い例: フル Ubuntu イメージ\n",[157,996,997],{"class":159,"line":167},[157,998,999],{},"FROM ubuntu:24.04\n",[157,1001,1002],{"class":159,"line":180},[157,1003,184],{"emptyLinePlaceholder":183},[157,1005,1006],{"class":159,"line":187},[157,1007,1008],{},"# 良い例: distroless でシェルなし\n",[157,1010,1011],{"class":159,"line":193},[157,1012,1013],{},"FROM gcr.io\u002Fdistroless\u002Fstatic-debian12\n",[135,1015,1017],{"id":1016},"_3-シークレットをイメージに含めない","3. シークレットをイメージに含めない",[147,1019,1021],{"className":963,"code":1020,"language":965,"meta":152,"style":152},"# 悪い例: イメージにシークレットが残る\nCOPY .env \u002Fapp\u002F.env\n\n# 良い例: BuildKit シークレットマウントを使用\nRUN --mount=type=secret,id=db_password cat \u002Frun\u002Fsecrets\u002Fdb_password\n",[154,1022,1023,1028,1033,1037,1042],{"__ignoreMap":152},[157,1024,1025],{"class":159,"line":160},[157,1026,1027],{},"# 悪い例: イメージにシークレットが残る\n",[157,1029,1030],{"class":159,"line":167},[157,1031,1032],{},"COPY .env \u002Fapp\u002F.env\n",[157,1034,1035],{"class":159,"line":180},[157,1036,184],{"emptyLinePlaceholder":183},[157,1038,1039],{"class":159,"line":187},[157,1040,1041],{},"# 良い例: BuildKit シークレットマウントを使用\n",[157,1043,1044],{"class":159,"line":193},[157,1045,1046],{},"RUN --mount=type=secret,id=db_password cat \u002Frun\u002Fsecrets\u002Fdb_password\n",[135,1048,1050],{"id":1049},"_4-copy-を-add-より優先する","4. COPY を ADD より優先する",[11,1052,1053,1056,1057,1060],{},[154,1054,1055],{},"ADD"," はリモート URL からのダウンロードや tar の自動展開など予期しない動作を引き起こす可能性があります。ローカルファイルのコピーには常に ",[154,1058,1059],{},"COPY"," を使用しましょう。",[135,1062,1064],{"id":1063},"_5-定期的なイメージ再ビルド","5. 定期的なイメージ再ビルド",[11,1066,1067,1068,1071,1072,1077,1078,1083],{},"本番イメージは",[15,1069,1070],{},"少なくとも月次","で再ビルドし、ベースイメージの最新セキュリティパッチを適用します。",[22,1073,1076],{"href":1074,"rel":1075},"https:\u002F\u002Fgithub.com\u002Fdependabot",[26],"Dependabot"," や ",[22,1079,1082],{"href":1080,"rel":1081},"https:\u002F\u002Fwww.mend.io\u002Frenovate\u002F",[26],"Renovate"," で自動化できます。",[30,1085,1087],{"id":1086},"まとめ-多層防御でコンテナを守る","まとめ: 多層防御でコンテナを守る",[11,1089,1090,1091,1094],{},"コンテナセキュリティは単一のツールや手法で完結するものではなく、開発から運用までの全ライフサイクルを通じた",[15,1092,1093],{},"多層防御","が必要です。",[1096,1097,1098,1104,1110,1116],"ol",{},[906,1099,1100,1103],{},[15,1101,1102],{},"開発段階",": 最小限のベースイメージ選択、非 root 実行、シークレット管理",[906,1105,1106,1109],{},[15,1107,1108],{},"ビルド段階",": ci-cd での自動脆弱性スキャン（Trivy\u002FSnyk）",[906,1111,1112,1115],{},[15,1113,1114],{},"レジストリ段階",": Harbor での Push 時自動スキャンとポリシー適用",[906,1117,1118,1121],{},[15,1119,1120],{},"ランタイム段階",": Falco や Sysdig による継続的な監視",[11,1123,1124,1127,1128,1131],{},[22,1125,27],{"href":24,"rel":1126},[26]," の Kubernetes 基盤と ",[22,1129,128],{"href":126,"rel":1130},[26]," を組み合わせることで、セキュリティスキャンの自動化から脆弱性対応の優先度付けまで、AI 支援型のコンテナセキュリティ運用が実現できます。",[11,1133,1134,1135,1140],{},"コンテナセキュリティの強化について相談したい方は、ぜひ",[22,1136,1139],{"href":1137,"rel":1138},"https:\u002F\u002Fwww.hexabase.com\u002Fcontact-us\u002F",[26],"お問い合わせ","ください。",[1142,1143,1144],"style",{},"html pre.shiki code .sbD-w, html code.shiki .sbD-w{--shiki-default:#51597D;--shiki-default-font-style:italic}html pre.shiki code .sE3pS, html code.shiki .sE3pS{--shiki-default:#C0CAF5}html pre.shiki code .sPY7s, html code.shiki .sPY7s{--shiki-default:#9ECE6A}html pre.shiki code .sT800, html code.shiki .sT800{--shiki-default:#E0AF68}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s0U2E, html code.shiki .s0U2E{--shiki-default:#F7768E}html pre.shiki code .sAklC, html code.shiki .sAklC{--shiki-default:#89DDFF}html pre.shiki code .sOJ5S, html code.shiki .sOJ5S{--shiki-default:#FF9E64}html pre.shiki code .sgJMe, html code.shiki .sgJMe{--shiki-default:#9ABDF5}html pre.shiki code .sGX4V, html code.shiki .sGX4V{--shiki-default:#A9B1D6}",{"title":152,"searchDepth":167,"depth":167,"links":1146},[1147,1148,1153,1157,1158,1165],{"id":32,"depth":167,"text":32},{"id":132,"depth":167,"text":133,"children":1149},[1150,1151,1152],{"id":137,"depth":180,"text":138},{"id":254,"depth":180,"text":255},{"id":314,"depth":180,"text":315},{"id":445,"depth":167,"text":446,"children":1154},[1155,1156],{"id":452,"depth":180,"text":453},{"id":755,"depth":180,"text":756},{"id":867,"depth":167,"text":868},{"id":946,"depth":167,"text":947,"children":1159},[1160,1161,1162,1163,1164],{"id":959,"depth":180,"text":960},{"id":983,"depth":180,"text":984},{"id":1016,"depth":180,"text":1017},{"id":1049,"depth":180,"text":1050},{"id":1063,"depth":180,"text":1064},{"id":1086,"depth":167,"text":1087},"2026-05-27","Docker コンテナの脆弱性スキャンを ci-cd に統合する実践ガイド。Trivy・Snyk・Grype の比較、シフトレフト戦略、Harbor 連携による多層防御を詳しく解説します。","md","ja",{},"\u002Fblog\u002Fja\u002Fdocker-security-scanning-best-practices",{"title":5,"description":1167},"blog\u002Fja\u002Fdocker-security-scanning-best-practices",[1175,1176,1177,138,255,1178,1179],"Docker","セキュリティ","脆弱性スキャン","コンテナセキュリティ","DevSecOps","xfYx6ir4ahQuNJYzHzFrvCg838ZBGhrod2i1fSkLsH0",1779964617053]