Vulnerability Scanning — Containers #

Control ID: SDLC-CTRL-0022 | Type: Preventive

Summary #

Container images are scanned for operating system and application-level vulnerabilities as part of the build and deployment process.

Mitigates Risk

Description #

Container images package both application code and its operating system dependencies into a single deployable unit. Vulnerabilities can exist at any layer — from the base OS image through to application-level packages. Container scanning analyses all layers of an image to detect known vulnerabilities before the image is deployed to production.

Because new vulnerabilities are disclosed daily, container scanning must be performed both at build time and on running images in production to detect newly published CVEs against existing deployments.

Requirements #

• Container images MUST be scanned for vulnerabilities before deployment to production
• Scanning MUST cover both operating system packages and application-level dependencies within the image
• Container scanning MUST be automated as part of the CI/CD pipeline
• Vulnerability findings MUST be classified by severity and tracked to resolution
• Container scan results MUST be recorded as attestations linked to the artefact
• Running container images in production SHOULD be scanned periodically for newly disclosed vulnerabilities

How we implement this control #

• We use Snyk Container to scan container images in our CI/CD pipelines
• Container scan results are recorded as attestations in our Kosli Flows
• We control that no artefact with missing or failed container scans runs in production
• We run continuous nightly Snyk scans on containers in production in case new vulnerabilities are found in running assets

Compliance Frameworks #

Links #

• Snyk Container
• Docker — Security Best Practices
• CIS Docker Benchmark