Container Security — Docker Image Scanning & Runtime Protection Guide
In this tutorial, you'll learn about Container Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Container security protects containerized applications from vulnerabilities in base images, supply chain attacks, and runtime threats using image scanning, admission control, and behavioral monitoring tools.
What You Will Learn
How to scan Docker images for vulnerabilities, enforce image signing, secure the container runtime, and integrate security into your CI/CD pipeline.
Why It Matters
Containers package the application and its dependencies together. A single vulnerable library in a base image propagates to every container built from it. Attackers actively scan registries for known CVEs.
Real-World Use
DodaTech's CI pipeline scans every Docker image with AWS ECR scanning before deployment. If a CRITICAL vulnerability is found, the pipeline blocks the image and alerts the security team through Security Hub.
Container Security Layers
flowchart TD
subgraph Build Phase
Code[Source Code] --> Dockerfile[Dockerfile]
Dockerfile --> Image[Docker Image]
Image --> Scan[Vulnerability Scan]
Scan --> |Pass| Sign[Image Signing]
Scan --> |Fail| Rebuild[Rebuild & Patch]
end
subgraph Deploy Phase
Sign --> Registry[Container Registry]
Registry --> Admission[Admission Control]
Admission --> Runtime[Kubernetes Runtime]
end
subgraph Runtime Phase
Runtime --> Monitor["Runtime Monitoring\nFalco / Aqua"]
Monitor --> Alert[Security Alerts]
end
style Scan fill:#f90,color:#fff
style Admission fill:#390,color:#fff
Image Vulnerability Scanning
Every major cloud provider offers container image scanning. Scan early in the pipeline to catch issues before images reach production.
# AWS ECR: Enable scan on push
aws ecr put-image-scanning-configuration \
--repository-name my-app \
--image-scanning-configuration scanOnPush=true
# Manually scan an existing image
aws ecr start-image-scan \
--repository-name my-app \
--image-id imageTag=latest
# Check scan results
aws ecr describe-image-scan-findings \
--repository-name my-app \
--image-id imageTag=latest \
--query 'imageScanFindings.findings[?severity==`CRITICAL`].[name,uri,severity]' \
--output table
# Output:
# ------------------------------------------------
# | CVE-2026-5678 | pkg:deb/openssl@1.1.1 | CRITICAL
# | CVE-2026-9012 | pkg:deb/curl@7.79 | CRITICAL
# ------------------------------------------------
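The step DodaTech's pipeline performs after this command, turning the findings into a block/allow decision, as an added example written for this page (not DodaTech's pipeline code and not part of the AWS CLI). It assumes the JSON shape `aws ecr describe-image-scan-findings --output json` returns and reads only `imageScanFindings.findings[].name`, `severity` and `attributes`; the embedded sample is constructed here, reusing the two CVE ids shown in the table above plus one placeholder id. The `evaluate_scan` function, its default CRITICAL threshold and the time-boxed exception list (a waiver that silently expires rather than living forever) are design choices of this example:

```python
import json
import sys
from datetime import date

# ECR finding severities, ranked so a threshold can be compared against them.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `describe-image-scan-findings` output.
# CVE-EXAMPLE-0001 is a placeholder id, not a real CVE.
SAMPLE_SCAN_JSON = """
{
  "imageScanFindings": {
    "findings": [
      {"name": "CVE-2026-5678", "severity": "CRITICAL",
       "uri": "https://example.invalid/CVE-2026-5678",
       "attributes": [{"key": "package_name", "value": "openssl"},
                      {"key": "package_version", "value": "1.1.1"}]},
      {"name": "CVE-2026-9012", "severity": "CRITICAL",
       "uri": "https://example.invalid/CVE-2026-9012",
       "attributes": [{"key": "package_name", "value": "curl"},
                      {"key": "package_version", "value": "7.79"}]},
      {"name": "CVE-EXAMPLE-0001", "severity": "MEDIUM",
       "uri": "https://example.invalid/CVE-EXAMPLE-0001",
       "attributes": [{"key": "package_name", "value": "zlib"},
                      {"key": "package_version", "value": "1.2.11"}]}
    ],
    "findingSeverityCounts": {"CRITICAL": 2, "MEDIUM": 1}
  }
}
"""


def package_of(finding):
    """Render 'name@version' from the finding's key/value attribute list."""
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return f"{attrs.get('package_name', '?')}@{attrs.get('package_version', '?')}"


def evaluate_scan(scan_json, threshold="CRITICAL", exceptions=None, today=None):
    """Decide whether an image may be deployed.

    threshold  - lowest severity that blocks ("HIGH" blocks HIGH and CRITICAL).
    exceptions - {cve_id: "YYYY-MM-DD"}: accepted risks with an expiry date;
                 an expired waiver blocks again instead of being forgotten.
    today      - ISO date used for expiry checks (defaults to the real date).
    Returns {"allowed": bool, "blocking": [...], "waived": [...]}.
    """
    exceptions = exceptions or {}
    today_d = date.fromisoformat(today) if today else date.today()
    findings = json.loads(scan_json)["imageScanFindings"]["findings"]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < SEVERITY_RANK[threshold]:
            continue  # below the gate, report elsewhere but do not block
        entry = {"cve": f["name"], "severity": f["severity"], "package": package_of(f)}
        expiry = exceptions.get(f["name"])
        if expiry is not None and today_d <= date.fromisoformat(expiry):
            entry["waived_until"] = expiry
            waived.append(entry)
        else:
            blocking.append(entry)
    blocking.sort(key=lambda e: -SEVERITY_RANK[e["severity"]])  # worst first
    return {"allowed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    # Pipe the CLI's JSON output in; falls back to the sample when run interactively.
    raw = SAMPLE_SCAN_JSON if sys.stdin.isatty() else sys.stdin.read()
    result = evaluate_scan(raw)
    for e in result["blocking"]:
        print(f"BLOCK {e['severity']:<9} {e['cve']:<18} {e['package']}")
    for e in result["waived"]:
        print(f"WAIVE {e['severity']:<9} {e['cve']:<18} {e['package']} until {e['waived_until']}")
    sys.exit(0 if result["allowed"] else 1)
```

Run it as `aws ecr describe-image-scan-findings ... --output json | python gate.py` in the pipeline; a non-zero exit is what blocks the deployment stage. Keep the exception list in version control next to the pipeline definition so each waiver has an owner, a reason and a date it stops applying.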
Azure Defender for Containers
Azure Defender scans images in ACR and provides runtime protection for AKS clusters.
# Enable Defender for Containers on a subscription
az security pricing create \
--name Containers \
--tier Standard
# Scan an image in ACR
az acr scan run \
--registry myregistry \
--image my-app:latest
# View scan results
az acr scan list \
--registry myregistry \
--image my-app:latest \
--query "[?severity=='Critical'].[cveId, packageName, severity]" \
--output table
# Output:
# CVE-2026-5678 openssl Critical
# CVE-2026-9012 curl Critical
GCP Artifact Analysis
GCP's Artifact Analysis integrates with Container Registry and Artifact Registry for vulnerability scanning. It uses the same vulnerability database as Google's internal systems.
# Enable automatic vulnerability scanning (Artifact Analysis) for the project
gcloud services enable containerscanning.googleapis.com
# List vulnerabilities for an image
gcloud artifacts docker images list-vulnerabilities \
us-central1-docker.pkg.dev/my-project/my-repo/my-app@sha256:abc123
# Output:
# Occurrence ID: abcdef-1234
# Note Name: CVE-2026-5678
# Severity: CRITICAL
# Package: openssl@1.1.1
Runtime Protection with Falco
Falco is an open-source runtime security tool for containers and Kubernetes. It detects anomalous behavior by inspecting system calls through a kernel driver (kernel module or eBPF probe) and matching them against a rule set.
# Install Falco on a Kubernetes cluster
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set driver.kind=modern_ebpf
# Falco alerts on shell in a container
# Example alert output:
# 2026-06-24T10:00:00Z: Warning A shell was spawned in a container
# with an attached terminal (user=root, container=nginx-pod)
Common Mistakes
- Using the latest tag in production: latest makes it impossible to track which version is deployed and what vulnerabilities it contains. Use immutable tags matching the Git commit SHA.
- Not scanning base images: Base images from Docker Hub often contain unpatched CVEs. Scan every layer, including the base image.
- Running containers as root: Containers running as root have unnecessary privileges. Use the USER directive in Dockerfiles and enforce read-only root filesystems.
- Ignoring software bill of materials: An SBOM lists every dependency in the image. Generate an SBOM for every build to enable rapid CVE response.
- No admission control: Admission controllers like OPA Gatekeeper block vulnerable or unsigned images before they reach Kubernetes.
Practice Questions
- What is the difference between image scanning and runtime protection?
- How does AWS ECR scanning detect vulnerabilities in Docker images?
- Why should containers never run as root?
- What is an SBOM and why is it important for container security?
- How does Falco detect anomalous behavior in containers?
Challenge
Set up a secure container pipeline. Write a Dockerfile for a Node.js application. Configure AWS ECR with scan-on-push. Push the image and review the scan findings. Fix all CRITICAL vulnerabilities by updating base image versions. Re-scan and confirm zero critical findings. Add Falco for runtime monitoring.