Container Security Cheat Sheet

Updated 2026-04-29

Next Topic: Cryptography and Encryption Cheat Sheet

Container security spans the full lifecycle of containerized workloads — from building images and managing secrets to runtime enforcement and supply chain integrity. Containers share the host kernel, so a misconfigured or compromised container can threaten the entire host; defense-in-depth across every layer is essential. Shift-left practices (scanning images at build time, enforcing policies in CI/CD) reduce risk dramatically before code ever reaches production. The landscape has matured significantly in 2025–2026: Kubernetes Pod Security Admission is now the standard gatekeeper, eBPF-based runtime enforcement has gone mainstream, supply chain attestations (SLSA, VEX) are table-stakes for production images, and AI/LLM workloads introduce an entirely new threat surface.

What This Cheat Sheet Covers

This topic spans 21 focused tables and 155 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Image Vulnerability ScanningTable 2: Image Signing and VerificationTable 3: Base Image Selection and HardeningTable 4: Runtime Security Policies (Kubernetes)Table 5: Policy Engines and Admission ControllersTable 6: Secrets ManagementTable 7: Container Network SecurityTable 8: Runtime Threat DetectionTable 9: Kubernetes RBAC and Least PrivilegeTable 10: Container Isolation TechniquesTable 11: Container Registry SecurityTable 12: Supply Chain SecurityTable 13: Compliance and BenchmarkingTable 14: Multi-Stage Build SecurityTable 15: Container Escape PreventionTable 16: Resource Limits and Denial of Service PreventionTable 17: Audit Logging and ObservabilityTable 18: CI/CD Pipeline SecurityTable 19: Data Encryption in ContainersTable 20: Advanced Container Threats and MitigationsTable 21: AI and LLM Workload Security

Table 1: Image Vulnerability Scanning

Tool	Example	Description
Trivy	`trivy image nginx:latest`	• Comprehensive scanner covering OS packages, language libraries, IaC, secrets, SBOMs, and VEX filtering • fastest scanner for CI/CD pipelines.
Grype	`grype nginx:latest`	• Anchore's vulnerability scanner • pairs with Syft for SBOM-driven scanning • supports VEX suppression via `--vex` flag.
Docker Scout	`docker scout cves nginx:latest`	• Built into Docker Desktop and CLI • shows fix recommendations and policy compliance • integrates with Docker Hub.
Snyk Container	`snyk container test nginx:latest`	• Developer-friendly scanner with IDE and CI plugins • surfaces base-image upgrade suggestions to reduce CVE counts.

Table 1: Image Vulnerability Scanning

Tool	Example	Description
Trivy	`trivy image nginx:latest`	• Comprehensive scanner covering OS packages, language libraries, IaC, secrets, SBOMs, and VEX filtering • fastest scanner for CI/CD pipelines.
Grype	`grype nginx:latest`	• Anchore's vulnerability scanner • pairs with Syft for SBOM-driven scanning • supports VEX suppression via `--vex` flag.
Docker Scout	`docker scout cves nginx:latest`	• Built into Docker Desktop and CLI • shows fix recommendations and policy compliance • integrates with Docker Hub.
Snyk Container	`snyk container test nginx:latest`	• Developer-friendly scanner with IDE and CI plugins • surfaces base-image upgrade suggestions to reduce CVE counts.