Skip to main content

Container Image Scanning Workflows

Integrating Trivy, Grype, or cloud-native scanners into build and admission control for Kubernetes deployments.


Container Image Scanning Workflows

Scan points

  1. CI build Fail on critical OS/package CVEs before push to registry
  2. Registry Rescan on schedule (new CVE disclosures)
  3. Admission Block deploy if image digest not in allow-list or policy violated

Example: Trivy in CI

trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:${GIT_SHA}

Policy tiers

SeverityCIProduction deploy
CriticalBlockBlock
HighBlock (or 7-day waiver)Block
MediumWarnTrack
LowInfoInfo

Base image strategy

  • Use minimal distroless or slim bases
  • Rebuild weekly even without app changes (patch drift)
  • Pin digests in manifests, not floating tags

Kubernetes admission

Use OPA Gatekeeper or Kyverno to require:

  • image: repo@sha256:...
  • Label scanned=true with scan timestamp annotation
  • No latest tag in production namespaces