DevOps help for Cloud Platform Engineers
  • Welcome!
  • Quick Start Guide
  • About Me
  • CV
  • Contribute
  • 🧠DevOps & SRE Foundations
    • DevOps Overview
      • Engineering Fundamentals
      • Implementing DevOps Strategy
      • DevOps Readiness Assessment
      • Lifecycle Management
      • The 12 Factor App
      • Design for Self Healing
      • Incident Management Best Practices (2025)
    • SRE Fundamentals
      • Toil Reduction
      • System Simplicity
      • Real-world Scenarios
        • AWS VM Log Monitoring API
    • Agile Development
      • Team Agreements
        • Definition of Done
        • Definition of Ready
        • Team Manifesto
        • Working Agreement
    • Industry Scenarios
      • Finance and Banking
      • Public Sector (UK/EU)
      • Energy Sector Edge Computing
  • DevOps Practices
    • Platform Engineering
    • FinOps
    • Observability
      • Modern Practices
  • 🚀Modern DevOps Practices
    • Infrastructure Testing
    • Modern Development
    • Database DevOps
  • 🛠️Infrastructure as Code (IaC)
    • Terraform
      • Cloud Integrations - Provider-specific implementations
        • Azure Scenarios
          • Azure Authetication
            • Service Principal
            • Service Principal in block
            • Service Principal in env
        • AWS Scenarios
          • AWS Authentication
        • GCP Scenarios
          • GCP Authentication
      • Testing and Validation
        • Unit Testing
        • Integration Testing
        • End-to-End Testing
        • Terratest Guide
      • Best Practices
        • State Management
        • Security
        • Code Organization
        • Performance
      • Tools & Utilities - Enhancing the Terraform workflow
        • Terraform Docs
        • TFLint
        • Checkov
        • Terrascan
      • CI/CD Integration - Automating infrastructure deployment
        • GitHub Actions
        • Azure Pipelines
        • GitLab CI
    • Bicep
      • Getting Started - First steps with Bicep [BEGINNER]
      • Template Specs
      • Best Practices - Guidelines for effective Bicep implementations
      • Modules - Building reusable components [INTERMEDIATE]
      • Examples - Sample implementations for common scenarios
      • Advanced Features
      • CI/CD Integration - Automating Bicep deployments
        • GitHub Actions
        • Azure Pipelines
  • 💰Cost Management & FinOps
    • Cloud Cost Optimization
  • 🐳Containers & Orchestration
    • Containerization Overview
      • Docker
        • Dockerfile Best Practices
        • Docker Compose
      • Kubernetes
        • CLI Tools - Essential command-line utilities
          • Kubectl
          • Kubens
          • Kubectx
        • Core Concepts
        • Components
        • Best Practices
          • Pod Security
          • Security Monitoring
          • Resource Limits
        • Advanced Features - Beyond the basics [ADVANCED]
          • Service Mesh
            • Istio
            • Linkerd
          • Ingress Controllers
            • NGINX
            • Traefik
            • Kong
            • Gloo Edge
            • Contour
        • Tips
          • Status in Pods
          • Resource handling
          • Pod Troubleshooting Commands
        • Enterprise Architecture
        • Health Management
        • Security & Compliance
        • Virtual Clusters
      • OpenShift
  • Service Mesh & Networking
    • Service Mesh Implementation
  • Architecture Patterns
    • Data Mesh
    • Multi-Cloud Networking
    • Disaster Recovery
    • Chaos Engineering
  • Edge Computing
    • Implementation Guide
      • Serverless Edge
      • IoT Edge Patterns
      • Real-Time Processing
      • Edge AI/ML
      • Security Hardening
      • Observability Patterns
      • Network Optimization
      • Storage Patterns
  • 🔄CI/CD & GitOps
    • CI/CD Overview
      • Continuous Integration
      • Continuous Delivery
        • Deployment Strategies
        • Secrets Management
        • Blue-Green Deployments
        • Deployment Metrics
        • Progressive Delivery
        • Release Management for DevOps/SRE (2025)
      • CI/CD Platforms - Tool selection and implementation
        • Azure DevOps
          • Pipelines
            • Stages
            • Jobs
            • Steps
            • Templates - Reusable pipeline components
            • Extends
            • Service Connections - External service authentication
            • Best Practices for 2025
            • Agents and Runners
            • Third-Party Integrations
            • Azure DevOps CLI
          • Boards & Work Items
        • GitHub Actions
        • GitLab
          • GitLab Runner
          • Real-life scenarios
          • Installation guides
          • Pros and Cons
          • Comparison with alternatives
      • GitOps
        • Modern GitOps Practices
        • GitOps Patterns for Multi-Cloud (2025)
        • Flux
          • Overview
          • Progressive Delivery
          • Use GitOps with Flux, GitHub and AKS
  • Source Control
    • Source Control Overview
      • Git Branching Strategies
      • Component Versioning
      • Kubernetes Manifest Versioning
      • GitLab
      • Creating a Fork
      • Naming Branches
      • Pull Requests
      • Integrating LLMs into Source Control Workflows
  • ☁️Cloud Platforms
    • Cloud Strategy
      • AWS to Azure
      • Azure to AWS
      • GCP to Azure
      • AWS to GCP
      • GCP to AWS
    • Azure
      • Best Practices
        • Azure Best Practices Overview
        • Azure Architecture Best Practices
        • Azure Naming Standards
        • Azure Tags
        • Azure Security Best Practices
      • Landing Zones
      • Services
        • Azure Active Directory (AAD)
        • Azure Monitor
        • Azure Key Vault
        • Azure Service Bus
        • Azure DNS
        • Azure App Service
        • Azure Batch
        • Azure Machine Learning
        • Azure OpenAI Service
        • Azure Cognitive Services
        • Azure Kubernetes Service (AKS)
        • Azure Databricks
        • Azure SQL Database
      • Monitoring
      • Administration Tools - Platform management interfaces
        • Azure PowerShell
        • Azure CLI
      • Tips & Tricks
    • AWS
      • Authentication
      • Best Practices
      • Tips & Tricks
      • Services
        • AWS IAM (Identity and Access Management)
        • Amazon CloudWatch
        • Amazon SNS (Simple Notification Service)
        • Amazon SQS (Simple Queue Service)
        • Amazon Route 53
        • AWS Elastic Beanstalk
        • AWS Batch
        • Amazon SageMaker
        • Amazon Bedrock
        • Amazon Comprehend
    • Google Cloud
      • Services
        • Cloud CDN
        • Cloud DNS
        • Cloud Load Balancing
        • Google Kubernetes Engine (GKE)
        • Cloud Run
        • Artifact Registry
        • Compute Engine
        • Cloud Functions
        • App Engine
        • Cloud Storage
        • Persistent Disk
        • Filestore
        • Cloud SQL
        • Cloud Spanner
        • Firestore
        • Bigtable
        • BigQuery
        • VPC (Virtual Private Cloud)
  • 🔐Security & Compliance
    • DevSecOps Overview
      • DevSecOps Pipeline Security
      • DevSecOps
        • Real-life Examples
        • Scanning & Protection - Automated security tooling
          • Dependency Scanning
          • Credential Scanning
          • Container Security Scanning
          • Static Code Analysis
            • Best Practices
            • Tool Integration Guide
            • Pipeline Configuration
        • CI/CD Security
        • Secrets Rotation
      • Supply Chain Security
        • SLSA Framework
        • Binary Authorization
        • Artifact Signing
      • Security Best Practices
        • Threat Modeling
        • Kubernetes Security
      • SecOps
      • Zero Trust Model
      • Cloud Compliance
        • ISO/IEC 27001:2022
        • ISO 22301:2019
        • PCI DSS
        • CSA STAR
      • Security Frameworks
      • SIEM and SOAR
  • Security Architecture
    • Zero Trust Implementation
      • Identity Management
      • Network Security
      • Access Control
  • 🔍Observability & Monitoring
    • Observability Fundamentals
      • Logging
      • Metrics
      • Tracing
      • Dashboards
      • SLOs and SLAs
      • Observability as Code
      • Pipeline Observability
  • 🧪Testing Strategies
    • Testing Overview
      • Modern Testing Approaches
      • End-to-End Testing
      • Unit Testing
      • Performance Testing
        • Load Testing
      • Fault Injection Testing
      • Integration Testing
      • Smoke Testing
  • 🤖AI Integration
    • AIops Overview
      • Workflow Automation
      • Predictive Analytics
      • Code Quality
  • 🧠AI & LLM Integration
    • Overview
      • Claude
        • Installation Guide
        • Project Guides
        • MCP Server Setup
        • LLM Comparison
      • Ollama
        • Installation Guide
        • Configuration
        • Models and Fine-tuning
        • DevOps Usage
        • Docker Setup
        • GPU Setup
        • Open WebUI
      • Copilot
        • Installation Guide
        • VS Code Integration
        • CLI Usage
      • Gemini
        • Installation Guides - Platform-specific setup
          • Linux Installation
          • WSL Installation
          • NixOS Installation
        • Gemini 2.5 Features
        • Roles and Agents
        • NotebookML Guide
        • Cloud Infrastructure Deployment
        • Summary
  • 💻Development Environment
    • DevOps Tools
      • Operating Systems - Development platforms
        • NixOS
          • Install NixOS: PC, Mac, WSL
          • Nix Language Deep Dive
          • Nix Language Fundamentals
            • Nix Functions and Techniques
            • Building Packages with Nix
            • NixOS Configuration Patterns
            • Flakes: The Future of Nix
          • NixOS Generators: Azure & QEMU
        • WSL2
          • Distributions
          • Terminal Setup
      • Editor Environments
      • CLI Tools
        • Azure CLI
        • PowerShell
        • Linux Commands
          • SSH - Secure Shell)
            • SSH Config
            • SSH Port Forwarding
        • Linux Fundametals
        • Cloud init
          • Cloud init examples
        • YAML Tools
          • How to create a k8s yaml file - How to create YAML config
          • YQ the tool
  • 📚Programming Languages
    • Python
    • Go
    • JavaScript/TypeScript
    • Java
    • Rust
  • Platform Engineering
    • Implementation Guide
  • FinOps
    • Implementation Guide
  • AIOps
    • LLMOps Guide
  • Should Learn
    • Should Learn
    • Linux
      • Commands
      • OS
      • Services
    • Terraform
    • Getting Started - Installation and initial setup [BEGINNER]
    • Cloud Integrations
    • Testing and Validation - Ensuring infrastructure quality
      • Unit Testing
      • Integration Testing
      • End-to-End Testing
      • Terratest Guide
    • Best Practices - Production-ready implementation strategies
      • State Management
      • Security
      • Code Organization
      • Performance
    • Tools & Utilities
    • CI/CD Integration
    • Bicep
    • Kubernetes
      • kubectl
    • Ansible
    • Puppet
    • Java
    • Rust
    • Azure CLI
  • 📖Documentation Best Practices
    • Documentation Strategy
      • Project Documentation
      • Release Notes
      • Static Sites
      • Documentation Templates
      • Real-World Examples
  • 📋Reference Materials
    • Glossary
    • Tool Comparison
    • Tool Decision Guides
    • Recommended Reading
    • Troubleshooting Guide
    • Development Setup
Powered by GitBook
On this page
  • Multi-Layer Container Security
  • 1. Base Image Scanning
  • 2. Build-Time Security
  • Advanced Scanning Features
  • 1. SBOM Generation
  • 2. Runtime Security Policies
  • Automated Security Gates
  • 1. Quality Gates Configuration
  • 2. Policy Enforcement
  • Continuous Monitoring
  • 1. Runtime Threat Detection
  • 2. Security Metrics
  • Integration with DevSecOps Tools
  • 1. Vulnerability Management
  • 2. Security Notifications
  • Best Practices
  • 1. Container Build Security
  • 2. Runtime Security
  • 3. Supply Chain Security
  • Compliance Requirements
  • 1. Container Compliance Standards
  • 2. Audit Requirements
  • Conclusion
Edit on GitHub
  1. Security & Compliance
  2. DevSecOps Overview
  3. DevSecOps
  4. Scanning & Protection - Automated security tooling

Container Security Scanning

Modern container security requires a comprehensive approach that integrates security scanning throughout the container lifecycle, from development to runtime.

Multi-Layer Container Security

1. Base Image Scanning

# GitHub Actions Example
name: Base Image Scan
on:
  schedule:
    - cron: '0 0 * * *'  # Daily scan
  workflow_dispatch:

jobs:
  scan-base-images:
    runs-on: ubuntu-latest
    steps:
      - name: Scan Ubuntu base image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ubuntu:22.04'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

2. Build-Time Security

Azure DevOps Pipeline

trigger:
  - main

variables:
  containerRegistry: 'production.azurecr.io'
  imageRepository: 'myapp'
  tag: '$(Build.BuildNumber)'

stages:
- stage: SecurityScan
  jobs:
  - job: ContainerScan
    steps:
    - task: Docker@2
      inputs:
        command: build
        dockerfile: '**/Dockerfile'
        tags: |
          $(tag)
          latest
    
    - task: ContainerScan@0
      inputs:
        imageName: '$(containerRegistry)/$(imageRepository):$(tag)'
        scanType: 'vulnerability'
        severityThreshold: 'CRITICAL'
        
    - task: Snyk@1
      inputs:
        command: container test
        dockerImageName: '$(containerRegistry)/$(imageRepository):$(tag)'
        monitorWhen: always
        failOnIssues: true

Advanced Scanning Features

1. SBOM Generation

# Syft SBOM Generation
steps:
- task: Bash@3
  inputs:
    script: |
      syft $(containerRegistry)/$(imageRepository):$(tag) \
        -o spdx-json \
        --file sbom.json
      
      # Validate SBOM
      grype sbom:./sbom.json \
        --fail-on high \
        --config grype.yaml

2. Runtime Security Policies

# Kubernetes Security Policies
apiVersion: security.kubernetes.io/v1beta1
kind: SecurityProfile
metadata:
  name: restricted-containers
spec:
  restrictedCapabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

Automated Security Gates

1. Quality Gates Configuration

security_gates:
  container_scan:
    critical_vulnerabilities: 0
    high_vulnerabilities: 3
    medium_vulnerabilities: 10
    compliance:
      - cis_benchmark
      - pci_dss
    sbom_validation: required
    signing_required: true

2. Policy Enforcement

# OPA/Conftest Policy
package container

deny[msg] {
    input.type == "Container"
    not input.spec.securityContext.runAsNonRoot
    msg = "Containers must not run as root"
}

deny[msg] {
    input.type == "Container"
    not input.spec.securityContext.readOnlyRootFilesystem
    msg = "Root filesystem must be read-only"
}

Continuous Monitoring

1. Runtime Threat Detection

# Falco Rules Configuration
- rule: Unauthorized Container Image
  desc: Detect containers not from approved registry
  condition: >
    container.image.repository != "production.azurecr.io/*"
  output: Unauthorized container image (user=%user.name %container.image)
  priority: CRITICAL
  tags: [runtime, container]

2. Security Metrics

# Prometheus Metrics
- name: container_vulnerabilities_total
  help: Total number of container vulnerabilities by severity
  type: gauge
  labels:
    - severity
    - image
    - registry

- name: container_compliance_score
  help: Container security compliance score
  type: gauge
  labels:
    - image
    - benchmark

Integration with DevSecOps Tools

1. Vulnerability Management

# Vulnerability Management Integration
vulnerability_tracking:
  providers:
    - name: defectdojo
      api_url: https://defectdojo.internal
      product_name: container-security
      
    - name: security_hub
      region: us-west-2
      findings_filter:
        ProductName: container-scanning
        SeverityLabel: CRITICAL

2. Security Notifications

# Security Alert Configuration
notifications:
  channels:
    slack:
      channel: security-alerts
      triggers:
        - new_critical_vulnerability
        - compliance_violation
    
    email:
      recipients: [security-team@company.com]
      triggers:
        - weekly_security_report
        - critical_security_event

Best Practices

1. Container Build Security

  • Use minimal base images

  • Multi-stage builds

  • No secrets in images

  • Pin dependency versions

  • Regularly update base images

2. Runtime Security

  • Implement pod security standards

  • Use network policies

  • Enable audit logging

  • Implement admission controllers

  • Regular security assessments

3. Supply Chain Security

  • Sign container images

  • Verify image signatures

  • Generate and verify SBOMs

  • Use trusted registries

  • Implement image promotion policies

Compliance Requirements

1. Container Compliance Standards

compliance_requirements:
  - standard: CIS_DOCKER_BENCHMARK
    version: "1.3.1"
    controls:
      - "4.1"  # Image Build
      - "4.2"  # Runtime
      - "4.3"  # Network
      - "4.4"  # Storage
      
  - standard: PCI_DSS
    version: "4.0"
    controls:
      - "6.2"  # Security Patches
      - "6.4"  # Change Control
      - "10.2" # Audit Logging

2. Audit Requirements

audit_configuration:
  retention_period: 365d
  audit_events:
    - container_launch
    - image_pull
    - security_violation
  audit_trail:
    - timestamp
    - user
    - action
    - resource
    - result

Conclusion

Container security scanning in CI/CD pipelines requires:

  1. Comprehensive Coverage

    • Base image scanning

    • Build-time security

    • Runtime protection

    • Supply chain security

  2. Automation

    • Automated scanning

    • Policy enforcement

    • Continuous monitoring

    • Automated remediation

  3. Integration

    • DevSecOps tools

    • Compliance frameworks

    • Security monitoring

    • Incident response

  4. Documentation

    • Security policies

    • Compliance requirements

    • Incident procedures

    • Best practices

Remember to regularly update security tools and policies to address new container security threats and vulnerabilities.

PreviousCredential ScanningNextStatic Code Analysis

Last updated 9 days ago

🔐