Container Image Scanning Workflows
Integrating Trivy, Grype, or cloud-native scanners into build and admission control for Kubernetes deployments.
Container Image Scanning Workflows
Scan points
- CI build Fail on critical OS/package CVEs before push to registry
- Registry Rescan on schedule (new CVE disclosures)
- Admission Block deploy if image digest not in allow-list or policy violated
Example: Trivy in CI
trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:${GIT_SHA}Policy tiers
| Severity | CI | Production deploy |
|---|---|---|
| Critical | Block | Block |
| High | Block (or 7-day waiver) | Block |
| Medium | Warn | Track |
| Low | Info | Info |
Base image strategy
- Use minimal distroless or slim bases
- Rebuild weekly even without app changes (patch drift)
- Pin digests in manifests, not floating tags
Kubernetes admission
Use OPA Gatekeeper or Kyverno to require:
image: repo@sha256:...- Label
scanned=truewith scan timestamp annotation - No
latesttag in production namespaces