Container security spans the full lifecycle of containerized workloads — from building images and managing secrets to runtime enforcement and supply chain integrity. Containers share the host kernel, so a misconfigured or compromised container can threaten the entire host; defense-in-depth across every layer is essential. Shift-left practices (scanning images at build time, enforcing policies in CI/CD) reduce risk dramatically before code ever reaches production. The landscape has matured significantly in 2025–2026: Kubernetes Pod Security Admission is now the standard gatekeeper, eBPF-based runtime enforcement has gone mainstream, supply chain attestations (SLSA, VEX) are table-stakes for production images, and AI/LLM workloads introduce an entirely new threat surface.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 155 indexed concepts. Below is a complete table-by-table outline, covering foundational concepts through advanced details.
Table 1: Image Vulnerability Scanning
The first line of defense is knowing what's actually inside your images — every base layer and dependency drags along its own CVEs. These scanners (Trivy, Grype, Docker Scout, Snyk, and the registry-side options) inspect OS packages and language libraries against vulnerability databases, and the smartest of them lean on VEX data to suppress CVEs that aren't actually exploitable in your context. Wire one into CI to fail the pipeline on HIGH and CRITICAL findings, so vulnerabilities never reach production in the first place.
| Tool | Example | Description |
|---|---|---|
| Trivy | `trivy image nginx:latest` | • Comprehensive scanner covering OS packages, language libraries, IaC, secrets, SBOMs, and VEX filtering • fastest scanner for CI/CD pipelines. |
| Grype | `grype nginx:latest` | • Anchore's vulnerability scanner • pairs with Syft for SBOM-driven scanning • supports VEX suppression via the `--vex` flag. |
| Docker Scout | `docker scout cves nginx:latest` | • Built into Docker Desktop and the CLI • shows fix recommendations and policy compliance • integrates with Docker Hub. |
| Snyk | `snyk container test nginx:latest` | • Developer-friendly scanner with IDE and CI plugins • surfaces base-image upgrade suggestions to reduce CVE counts. |
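As an added example (not part of the cheat sheet or of any of these tools), the CI gate described above as a small Python policy step: it reads a Trivy JSON report, drops CVEs that an OpenVEX document marks `not_affected` or `fixed`, and fails the build only on remaining HIGH/CRITICAL findings. The report, the VEX document, the CVE ids and the package URL are constructed placeholders, and product matching is simplified to the CVE id (real scanners also match the product PURL).

```python
import json

# Constructed sample of a Trivy JSON report (`trivy image -f json ...`), trimmed to the
# fields this gate reads. Not real scan output; CVE ids are placeholders.
TRIVY_REPORT = json.dumps({"Results": [{
    "Target": "example.invalid/app:1.0 (debian 12.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "MEDIUM"},
    ]}]})

# Constructed OpenVEX document: the team has reviewed CVE-0000-0002 and found that the
# vulnerable code is never executed in this image, so the finding needs no action.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/app-1.0",
    "author": "example security team", "timestamp": "2025-01-01T00:00:00Z", "version": 1,
    "statements": [{"vulnerability": {"name": "CVE-0000-0002"},
                    "products": [{"@id": "pkg:deb/debian/libbar@2.3"}],
                    "status": "not_affected",
                    "justification": "vulnerable_code_not_in_execute_path"}]})

SUPPRESSING = {"not_affected", "fixed"}   # VEX statuses that require no action

def suppressed_ids(vex_json):
    """CVE ids a VEX document marks as needing no action (assumption: match on id only)."""
    doc = json.loads(vex_json)
    return {s["vulnerability"]["name"] for s in doc.get("statements", [])
            if s.get("status") in SUPPRESSING}

def blocking_findings(report_json, vex_json=None, fail_on=("HIGH", "CRITICAL")):
    """Findings that should fail the build: severity in fail_on and not suppressed by VEX."""
    skip = suppressed_ids(vex_json) if vex_json else set()
    report = json.loads(report_json)
    return [(v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion") or "no fix")
            for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])
            if v["Severity"] in fail_on and v["VulnerabilityID"] not in skip]

def gate(report_json, vex_json=None):
    """CI exit code: 1 if any blocking finding remains (like `trivy --exit-code 1`), else 0."""
    findings = blocking_findings(report_json, vex_json)
    for cve, pkg, sev, fix in findings:
        print(f"BLOCK {sev:<8} {cve} in {pkg} (fix: {fix})")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(TRIVY_REPORT, VEX_DOC))
```

With the VEX document applied only the unfixed-in-image CRITICAL remains and the gate returns 1; without it the HIGH with no upstream fix would block as well, which is exactly the noise VEX is meant to remove.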