
Container Security — Docker Image Scanning & Runtime Protection Guide

DodaTech Updated 2026-06-24 4 min read

In this tutorial, you'll learn about Container Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Container security protects containerized applications from vulnerabilities in base images, supply chain attacks, and runtime threats using image scanning, admission control, and behavioral monitoring tools.

What You Will Learn

How to scan Docker images for vulnerabilities, enforce image signing, secure the container runtime, and integrate security into your CI/CD pipeline.

Why It Matters

Containers package the application and its dependencies together. A single vulnerable library in a base image propagates to every container built from it. Attackers actively scan registries for known CVEs.

Real-World Use

DodaTech's CI pipeline scans every Docker image with AWS ECR scanning before deployment. If a CRITICAL vulnerability is found, the pipeline blocks the image and alerts the security team through Security Hub.

Container Security Layers

flowchart TD
  subgraph Build Phase
    Code[Source Code] --> Dockerfile[Dockerfile]
    Dockerfile --> Image[Docker Image]
    Image --> Scan[Vulnerability Scan]
    Scan --> |Pass| Sign[Image Signing]
    Scan --> |Fail| Rebuild[Rebuild & Patch]
  end
  subgraph Deploy Phase
    Sign --> Registry[Container Registry]
    Registry --> Admission[Admission Control]
    Admission --> Runtime[Kubernetes Runtime]
  end
  subgraph Runtime Phase
    Runtime --> Monitor["Runtime Monitoring\nFalco / Aqua"]
    Monitor --> Alert[Security Alerts]
  end
  
  style Scan fill:#f90,color:#fff
  style Admission fill:#390,color:#fff

Image Vulnerability Scanning

Every major cloud provider offers container image scanning. Scan early in the pipeline to catch issues before images reach production.

# AWS ECR: Enable scan on push
aws ecr put-image-scanning-configuration \
  --repository-name my-app \
  --image-scanning-configuration scanOnPush=true

# Manually scan an existing image
aws ecr start-image-scan \
  --repository-name my-app \
  --image-id imageTag=latest

# Check scan results
aws ecr describe-image-scan-findings \
  --repository-name my-app \
  --image-id imageTag=latest \
  --query 'imageScanFindings.findings[?severity==`CRITICAL`].[name,uri,severity]' \
  --output table
# Output:
# ------------------------------------------------
# | CVE-2026-5678 | pkg:deb/openssl@1.1.1 | CRITICAL
# | CVE-2026-9012 | pkg:deb/curl@7.79     | CRITICAL
# ------------------------------------------------
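The CI gate described under Real-World Use, as an added example that is not part of the original page: it takes the JSON that `aws ecr describe-image-scan-findings` returns (response shape per the ECR API; the findings below are constructed) and blocks the image when any finding is at or above the chosen severity. It fails closed, so an incomplete or failed scan never passes.

```python
"""CI gate over an ECR describe-image-scan-findings response (added example)."""
from typing import Dict, List, Tuple

# ECR severity levels, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]


def gate_image(scan: Dict, block_at: str = "CRITICAL") -> Tuple[bool, Dict[str, int], List[str]]:
    """Decide whether an image may be deployed.

    `scan` is the parsed JSON from `aws ecr describe-image-scan-findings`.
    Returns (allowed, severity_counts, names_of_blocking_findings).
    Fails closed: a scan that is not COMPLETE never passes.
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, {}, []
    findings = scan.get("imageScanFindings", {}).get("findings", [])
    counts: Dict[str, int] = {}
    for finding in findings:
        sev = finding.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
    # Everything at or above the threshold severity blocks the deploy.
    cutoff = SEVERITY_ORDER.index(block_at)
    blocking = sorted(
        f["name"] for f in findings
        if SEVERITY_ORDER.index(f.get("severity", "UNDEFINED")) <= cutoff
    )
    return not blocking, counts, blocking


# Constructed sample response in the ECR API shape (not real scan output).
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-2026-5678", "uri": "https://example.invalid/cve", "severity": "CRITICAL"},
            {"name": "CVE-2026-9012", "uri": "https://example.invalid/cve", "severity": "CRITICAL"},
            {"name": "CVE-2026-1111", "uri": "https://example.invalid/cve", "severity": "MEDIUM"},
        ]
    },
}

if __name__ == "__main__":
    allowed, counts, blocking = gate_image(SAMPLE_SCAN)
    print("deploy" if allowed else "BLOCKED", counts, blocking)
```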

Azure Defender for Containers

Azure Defender scans images in ACR and provides runtime protection for AKS clusters.

# Enable Defender for Containers on a subscription
az security pricing create \
  --name Containers \
  --tier Standard

# Scan an image in ACR
az acr scan run \
  --registry myregistry \
  --image my-app:latest

# View scan results
az acr scan list \
  --registry myregistry \
  --image my-app:latest \
  --query "[?severity=='Critical'].[cveId, packageName, severity]" \
  --output table
# Output:
# CVE-2026-5678  openssl  Critical
# CVE-2026-9012  curl     Critical

GCP Artifact Analysis

GCP's Artifact Analysis integrates with Container Registry and Artifact Registry for vulnerability scanning. It uses the same vulnerability database as Google's internal systems.

# Enable vulnerability scanning for Artifact Registry
gcloud artifacts repositories update my-repo \
  --location us-central1 \
  --vulnerability-scanning-enabled

# List vulnerabilities for an image
gcloud artifacts docker images list-vulnerabilities \
  us-central1-docker.pkg.dev/my-project/my-repo/my-app@sha256:abc123
# Output:
# Occurrence ID: abcdef-1234
# Note Name: CVE-2026-5678
# Severity: CRITICAL
# Package: openssl@1.1.1

Runtime Protection with Falco

Falco is an open-source runtime security tool for containers. It detects anomalous behavior by inspecting system calls as they happen.

# Install Falco on a Kubernetes cluster
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --set driver.kind=modern_ebpf

# Falco alerts on shell in a container
# Example alert output:
# 2026-06-24T10:00:00Z: Warning A shell was spawned in a container
# with an attached terminal (user=root, container=nginx-pod)

Common Mistakes

  1. Using the latest tag in production: latest makes it impossible to track which version is deployed and what vulnerabilities it contains. Use immutable tags matching the Git commit SHA.
  2. Not scanning base images: Base images from Docker Hub often contain unpatched CVEs. Scan every layer, including the base image.
  3. Running containers as root: Containers running as root have unnecessary privileges. Use the USER directive in Dockerfiles and enforce read-only root filesystems.
  4. Ignoring software bill of materials: An SBOM lists every dependency in the image. Generate an SBOM for every build to enable rapid CVE response.
  5. No admission control: Admission controllers like OPA Gatekeeper block vulnerable or unsigned images before they reach Kubernetes.
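Mistakes 1 and 3 can be caught before the image is even built. The following Dockerfile check is an added example, not code from the page: it flags base images that use a missing or `latest` tag without a digest and a final stage that never sets a non-root USER. The sample Dockerfiles and the all-zero digest are constructed placeholders.

```python
"""Dockerfile lint for unpinned base images and a root final stage (added example)."""
import re
from typing import List, Optional, Set

# FROM [--platform=...] <image> [AS <stage>]   and   USER <user>[:<group>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)


def check_dockerfile(text: str) -> List[str]:
    """Return findings for unpinned base images and a root final stage; [] means clean."""
    findings: List[str] = []
    stages: Set[str] = set()
    last_user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        m = FROM_RE.match(line)
        if m:
            ref, stage = m.group(1), m.group(2)
            last_user = None  # every stage starts as root until USER is set
            is_local = ref.lower() in stages or ref.lower() == "scratch"
            if stage:
                stages.add(stage.lower())
            if not is_local and "@sha256:" not in ref:
                # registry/name[:tag] with no digest: reject a missing or latest tag
                name = ref.rsplit("/", 1)[-1]
                tag = name.split(":", 1)[1] if ":" in name else "latest"
                if tag == "latest":
                    findings.append(f"FROM {ref}: unpinned tag, pin a digest or an immutable tag")
            continue
        m = USER_RE.match(line)
        if m:
            last_user = m.group(1)
    if last_user is None or last_user.split(":", 1)[0] in ("root", "0"):
        findings.append("final stage runs as root; add a non-root USER directive")
    return findings


# Constructed sample Dockerfiles; the digest is a placeholder, not a real image digest.
BAD_DOCKERFILE = 'FROM node:latest\nWORKDIR /app\nCOPY . .\nCMD ["node", "server.js"]\n'
GOOD_DOCKERFILE = """FROM node:20-alpine@sha256:{d} AS build
WORKDIR /app
COPY . .
RUN npm ci --omit=dev
FROM node:20-alpine@sha256:{d}
COPY --from=build /app /app
USER node
CMD ["node", "/app/server.js"]
""".format(d="0" * 64)
```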

Practice Questions

  1. What is the difference between image scanning and runtime protection?
  2. How does AWS ECR scanning detect vulnerabilities in Docker images?
  3. Why should containers never run as root?
  4. What is an SBOM and why is it important for container security?
  5. How does Falco detect anomalous behavior in containers?

Challenge

Set up a secure container pipeline. Write a Dockerfile for a Node.js application. Configure AWS ECR with scan-on-push. Push the image and review the scan findings. Fix all CRITICAL vulnerabilities by updating base image versions. Re-scan and confirm zero critical findings. Add Falco for runtime monitoring.

FAQ

What is container image scanning?

The process of analyzing Docker images against known vulnerability databases to identify packages with CVEs.

Does AWS ECR scan images automatically?

Yes. You can enable scan-on-push, and ECR scans each image when it is pushed to the repository.

What runtime protection does Azure Defender offer for containers?

Azure Defender monitors AKS clusters for suspicious activities including privilege escalation, lateral movement, and crypto mining.

What is Falco?

Falco is an open-source runtime security tool that uses eBPF to monitor container system calls and detect anomalous behavior.

How do admission controllers improve container security?

They enforce policies at deploy time, blocking images that fail vulnerability thresholds or are not signed by trusted authorities.
