Container Security Scanning: How It Works and Which Tools to Use

Written by the Rafter Team

Container security scanning is the automated process of inspecting container images for known vulnerabilities, misconfigurations, and insecure defaults before they reach production. Every container image layers an OS distribution, system packages, application dependencies, and your code into a single deployable artifact — and each layer can introduce exploitable flaws. Scanning catches them at build time, when fixes are cheap.
Over 60% of container images in public registries contain at least one known high or critical CVE. If you are pulling base images without scanning, you are deploying vulnerabilities by default.
Scan your repositories with Rafter — catch vulnerabilities in code and dependencies before they ship.
What Container Scanners Detect
Container security scanners inspect three distinct layers of a container image.
OS package vulnerabilities — the scanner unpacks the image filesystem, identifies the base distribution (Alpine, Debian, Ubuntu), and cross-references installed packages against CVE databases. A vulnerable version of libcurl or openssl in your base image gets flagged even if your application never calls it directly.
Application dependency vulnerabilities — scanners parse lock files and manifests (package-lock.json, requirements.txt, go.sum, Gemfile.lock) inside the image. This is SCA scanning applied to the built artifact rather than just source code.
Dockerfile misconfigurations — running as root, exposing unnecessary ports, using `latest` tags instead of pinned digests, storing secrets in environment variables. These are not CVEs, but they expand your attack surface.
Comparing Container Scanning Tools
| Feature | Trivy | Grype | Snyk Container | Docker Scout |
|---|---|---|---|---|
| License | Open source | Open source | Commercial (free tier) | Commercial (free tier) |
| OS package scanning | Yes | Yes | Yes | Yes |
| App dependency scanning | Yes | Yes | Yes | Yes |
| Dockerfile linting | Yes (via misconfig) | No | Yes | Limited |
| SBOM generation | Yes | Yes (via Syft) | Yes | Yes |
| CI/CD integration | Native | Native | Native | Docker Desktop |
| Speed | Fast | Fast | Moderate | Moderate |
Trivy is the most popular open-source option. It covers OS packages, app dependencies, IaC misconfigurations, and secrets in a single binary with zero configuration.
Grype pairs with Syft for SBOM generation and focuses specifically on vulnerability matching. It is fast and integrates cleanly into pipelines that already use the Anchore ecosystem.
Snyk Container adds fix recommendations and base image upgrade suggestions. Its commercial tier connects container findings to your source code for faster remediation.
Docker Scout is built into Docker Desktop and Hub. It provides image analysis with policy-based evaluation but is most useful for teams already deep in the Docker ecosystem.
CI/CD Integration
The highest-value placement for container scanning is directly in your build pipeline — after the image builds but before it pushes to a registry.
```yaml
# GitHub Actions example with Trivy
- name: Build image
  run: docker build -t myapp:${{ github.sha }} .
- name: Scan image
  # Pin the action to a release tag or commit SHA rather than @master for reproducible builds
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:${{ github.sha }}
    severity: CRITICAL,HIGH
    exit-code: 1
```
Gate registry pushes on critical and high findings. This ensures no image with known severe vulnerabilities reaches your deployment environment. Combine container scanning with source-level SAST for defense in depth — catch code flaws before they are baked into an image.
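As an added example (not code from the article or from the Trivy project), here is the gating step written as a small Python script: it reads a Trivy JSON report (the output of `trivy image --format json`), decides whether the build should fail at a chosen severity threshold, optionally drops findings with no published fix (the same idea as Trivy's `--ignore-unfixed`), and counts OS-package and app-dependency findings separately. The embedded report, image name and CVE ids are constructed placeholders.

```python
"""Gate a CI build on a Trivy JSON report (output of `trivy image --format json`)."""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report layout; CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "myapp:abc123 (alpine 3.18.4)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcurl", "Severity": "HIGH",
          "InstalledVersion": "8.4.0-r0", "FixedVersion": "8.5.0-r0"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "Severity": "CRITICAL",
          "InstalledVersion": "3.1.4-r0", "FixedVersion": ""}]},  # no fix published yet
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "Severity": "MEDIUM",
          "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"}]},
]})

def evaluate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (should_block, findings). ignore_unfixed mirrors Trivy's --ignore-unfixed:
    findings with no FixedVersion are dropped so the gate only fails on patchable issues."""
    min_rank = SEVERITY_RANK[threshold]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            sev = vuln.get("Severity", "UNKNOWN")
            fixed = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            findings.append({
                "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"], "severity": sev,
                "layer": result.get("Class", "unknown"),  # os-pkgs vs lang-pkgs
                "fixed_in": fixed or None,
                "blocking": SEVERITY_RANK.get(sev, 0) >= min_rank,
            })
    return any(f["blocking"] for f in findings), findings

def summarize(findings):
    """Count findings per (layer, severity) so OS and app-dependency issues are reported apart."""
    return Counter((f["layer"], f["severity"]) for f in findings)

if __name__ == "__main__":
    block, found = evaluate(SAMPLE_REPORT, threshold="HIGH")
    for f in found:
        print(f"{f['severity']:<8} {f['layer']:<9} {f['pkg']:<8} {f['id']} fix={f['fixed_in'] or 'none'}")
    print(dict(summarize(found)))
    raise SystemExit(1 if block else 0)  # non-zero exit fails the pipeline step
```

In a real pipeline, replace `SAMPLE_REPORT` with the report file Trivy wrote and run the script as the step after the scan.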
Where Rafter Fits
Container scanners find vulnerabilities in the built artifact. Rafter catches them earlier — at the pull request level — by scanning your source code, dependencies, and infrastructure as code before the image is ever built. Fewer vulnerabilities in your code means cleaner container images downstream.
Add Rafter to your pipeline — shift security left and reduce the vulnerabilities your container scanner has to catch.