Container images are the foundation of your Kubernetes workloads. A vulnerable base image or dependency can compromise your entire cluster.
Image Scanning Tools
Trivy
Open-source scanner that’s fast and comprehensive:
```bash
trivy image nginx:latest
```
Grype
Another excellent open-source option:
```bash
grype nginx:latest
```
Commercial Options
- Snyk Container
- Aqua Security
- Prisma Cloud
Integrating Scanning into CI/CD
```yaml
# GitHub Actions example
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    exit-code: '1'
    severity: 'CRITICAL,HIGH'
```
Best Practices for Secure Images
1. Use Minimal Base Images
```dockerfile
# Instead of
FROM ubuntu:latest
# Use
FROM gcr.io/distroless/static-debian11
```
2. Don’t Run as Root
```dockerfile
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```
3. Pin Versions
```dockerfile
# Bad
FROM node:latest
# Good
FROM node:18.19.0-alpine3.19@sha256:abc123...
```
4. Multi-Stage Builds
```dockerfile
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o myapp
FROM scratch
COPY --from=builder /app/myapp /myapp
ENTRYPOINT ["/myapp"]
```
Admission Controllers
Use admission controllers to enforce image policies:
- ImagePolicyWebhook: Custom validation
- Kyverno: Policy-based image verification
- OPA Gatekeeper: General policy enforcement
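As an added example (not from the original post), here is what "policy-based image verification" with Kyverno looks like in practice: a ClusterPolicy that admits a Pod only when every image matching the reference pattern carries a Cosign signature made with the key whose public half is in `cosign.pub` (the signing flow in the Image Signing section below). The policy name and the `myregistry/myapp*` pattern are assumptions; the public key is a placeholder to replace with the contents of `cosign.pub`.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signature   # assumed name
spec:
  # Enforce rejects unsigned images at admission instead of only auditing them.
  validationFailureAction: Enforce
  # Do not re-evaluate already-running Pods in the background; admission only.
  background: false
  # If the webhook cannot reach the registry, fail closed rather than admit.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this pattern are checked (assumed pattern);
        # images outside it are admitted without a signature check.
        - imageReferences:
            - "myregistry/myapp*"
          # At least one attestor entry must verify the signature.
          attestors:
            - count: 1
              entries:
                - keys:
                    # PLACEHOLDER: paste the PEM from cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
          # Rewrite the tag to the verified digest so the image that was
          # checked is exactly the image that runs (tags can be re-pointed).
          mutateDigest: true
          verifyDigest: true
          # A matching image with no signature at all is a failure.
          required: true
```

Apply with `kubectl apply -f` once Kyverno is installed; a Pod referencing `myregistry/myapp:v1.0` is then rejected unless `cosign sign --key cosign.key myregistry/myapp:v1.0` has been run with the matching private key.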
Image Signing
Sign images with Cosign and verify signatures before deployment:
```bash
cosign sign --key cosign.key myregistry/myapp:v1.0
cosign verify --key cosign.pub myregistry/myapp:v1.0
```
Secure images are the foundation of a secure cluster.