loading
Loading content
loading
Also known as image scanning
Container image scanning examines a built image before it ships, breaking it into layers and reading the software inside. The scanner inventories operating system packages and language dependencies, then matches them against vulnerability databases to report which components carry known flaws. Good scanners also flag hardcoded secrets, world-readable credentials, and misconfigured defaults baked into the image.
This matters because a container inherits every weakness present at build time. A base image pinned to an old release can carry a critical CVE into every workload derived from it, and that single bad layer propagates across dozens of services. Catching it in the registry, before deployment, is far cheaper than patching live pods. Scanning also surfaces secrets scanning hits, where an API key or private key was copied in during a hurried build.
Image scanning covers the artifact, while Kubernetes security and broader container security cover how that artifact runs, so the two complement rather than replace each other.
In a Trickest workflow, you wire scanning into the pipeline so that every pushed image triggers a scan, results join your central vulnerability scanning findings, and an image over a severity threshold blocks promotion or raises a ticket automatically.
Related terms