Configure container security scanning to identify vulnerabilities, misconfigurations, and compliance issues in container images and their components. Container scanning analyzes container images, base operating systems, installed packages, and application dependencies to detect security risks before deployment. Before you begin, ensure you have container images built and accessible, and the necessary permissions to configure security scanning tools.
Choose your container scanning approach
CloudBees Unify supports both implicit scanning through application security posture management (ASPM) and explicit workflow scanning for container security analysis.
To choose the right approach:
- Determine your scanning needs:
  - Choose implicit scanning for automatic analysis of container images during build and deployment processes.
  - Choose explicit scanning for targeted container analysis with specific configuration control and custom timing.
- Identify your container registry and image requirements:
  - Ensure container images are accessible for scanning from your registry.
  - Consider scanning timing in your build and deployment pipeline to optimize performance.
  - Verify network access allows scanning tools to reach your container registries.

Your approach determines which configuration steps to follow in the subsequent sections.
Configure implicit container scanning
Implicit container scanning integrates with ASPM to provide automatic security analysis of container images as they are built and stored.
Note: You must have ASPM enabled for your organization and the Manage security tools permission to configure implicit container scanning.
To configure implicit container scanning:
- Navigate to in your organization.
- Filter the available tools by container scanning category or search for container scanner names.
- Select and activate your chosen container scanner(s) from the available implicit scanners:
  - Grype: Vulnerability scanner for container images and file systems with comprehensive database coverage.
  - Trivy: Fast, comprehensive container scanning with vulnerability detection, secret scanning, and misconfiguration analysis.

  The system activates the selected scanners for automatic analysis of container images in your organization.
- Configure scanner-specific settings if required:
  - Access individual scanner configuration through the Marketplace interface.
  - Set vulnerability severity thresholds and reporting preferences.
  - Configure scanning scope and exclusion patterns as needed.

  Implicit container scanning triggers automatically when container images are built or updated within your CloudBees Unify workflows.

Once configured, implicit scanning provides continuous container security monitoring without requiring workflow modifications.
Configure explicit workflow container scanning
Explicit workflow container scanning provides granular control over when and how container security analysis runs within your CloudBees Unify workflows.
To configure explicit workflow container scanning:
- Add container scanning actions to your workflow YAML file in the appropriate job steps. Available explicit container scanners include:
  - Anchore: Comprehensive container image security analysis with detailed vulnerability assessment.
  - Aqua Security: Enterprise container security with advanced threat detection and compliance monitoring.
  - JFrog Xray: Artifact-focused container security analysis integrated with DevSecOps workflows.
  - Snyk Container: Developer-friendly container security analysis with detailed remediation guidance.
  - Nexus IQ Container: Enterprise container security with policy enforcement and governance capabilities.
  - Trivy: Fast, comprehensive container scanning (also available as an implicit scanner).
- Configure scanner authentication and container access:
  - Create the required secrets in your CloudBees Unify organization or component settings for API keys, tokens, and registry credentials.
  - Set up container registry access so that scanners can reach your images.
  - Configure image location parameters with full registry paths and tags.

  Common authentication patterns include:
  - API key authentication: Most container scanners require API tokens stored as secrets.
  - Registry credentials: Container registries may require separate authentication for image access.
  - Server URL configuration: Enterprise scanners often require custom server endpoints.
- Customize scan parameters for your containers:
  - Define image scanning scope and vulnerability severity thresholds appropriate for your security requirements.
  - Configure base image and dependency analysis depth to balance thoroughness with performance.
  - Set up policy enforcement rules and compliance checking based on organizational security standards.

Example container scanning configuration:

```yaml
- name: Scan with Snyk Container
  uses: https://github.com/cloudbees-io/snyk-scan-container@v1
  with:
    orgname: "your_snyk_organization"
    token: ${{ secrets.SNYK_SECRET }}
    image-location: "your-registry/your-image:latest"
```

Note: Container scanning can significantly increase build times depending on image size and scanner configuration. Test scan duration and adjust timeout settings accordingly.
Manage container scan timing and pipeline integration
Container scanning requires coordination with your build and deployment pipeline to ensure efficient and effective security analysis.
To integrate container scanning effectively:
- Schedule container scans at appropriate pipeline stages:
  - Scan after successful image builds but before deployment to production environments.
  - Consider scanning both during development builds and release candidate preparation.
  - Use pipeline dependencies to ensure proper sequencing without blocking critical paths.
- Configure appropriate scan timing and performance:
  - Set realistic timeout values based on your typical image sizes and complexity.
  - Account for scanner startup times and network latency to container registries.
  - Consider parallel scanning of multiple images to optimize overall pipeline duration.
- Handle scan results and pipeline decisions:
  - Define vulnerability severity thresholds that determine build success or failure.
  - Configure notifications for security teams when critical vulnerabilities are discovered.
  - Implement automated remediation triggers for common vulnerability patterns when possible.

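The severity thresholds, exclusion patterns and build pass/fail decisions described in the implicit settings, the explicit scan parameters and the pipeline-decision step above can all be enforced by one small gate step that reads the scanner's report after the scan action has run. The following is an added example, not CloudBees Unify code and not any scanner's own tooling. The report is a constructed sample shaped like Trivy's JSON output (a `Results` list whose entries carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the CVE identifiers in it are placeholders, and the allowlist format with a reason and an expiry date is this example's own design, not a CloudBees or Trivy feature.

```python
"""Severity gate for a container scan report (added example, not CloudBees or
scanner code). SAMPLE_REPORT is a constructed sample shaped like Trivy's JSON
output; its CVE IDs are placeholders. The allowlist format is this example's own."""
import json
import sys
from collections import Counter
from datetime import date

# Trivy's severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: one OS-package target and one app-dependency target.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "your-registry/your-image:latest",
    "Results": [
        {"Target": "your-registry/your-image:latest (debian 12.5)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"}]},
    ],
})

# Constructed exclusion list: every suppression carries a reason and an expiry,
# so accepted risk gets re-reviewed instead of silently living forever.
SAMPLE_ALLOWLIST = [
    {"id": "CVE-0000-0002", "reason": "no fix available; code path not reachable",
     "expires": "2030-06-30"},
]


def load_findings(report_json):
    """Flatten a Trivy-shaped report into one flat dict per vulnerability."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # A clean target may carry a null or missing Vulnerabilities key.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def active_exclusions(allowlist, today):
    """IDs whose exclusion has not expired as of `today` (a date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {e["id"] for e in allowlist if date.fromisoformat(e["expires"]) >= today}


def gate(report_json, fail_on="HIGH", allowlist=(), today=None, only_fixable=False):
    """Decide pass/fail: any non-excluded finding at or above `fail_on` blocks.

    only_fixable=True lets unfixed findings through (reported, not blocking),
    a common policy when no upstream fix exists yet.
    """
    findings = load_findings(report_json)
    excluded = active_exclusions(allowlist, today or date.today())
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in findings
                if f["id"] not in excluded
                and SEVERITY_RANK.get(f["severity"], 0) >= threshold
                and (f["fixed"] or not only_fixable)]
    return {
        "passed": not blocking,
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "excluded": sorted({f["id"] for f in findings} & excluded),
        "blocking": blocking,
    }


if __name__ == "__main__":
    # In a workflow step, read the scanner's report file instead of SAMPLE_REPORT
    # and let the non-zero exit code fail the job.
    decision = gate(SAMPLE_REPORT, fail_on="HIGH", allowlist=SAMPLE_ALLOWLIST)
    for f in decision["blocking"]:
        print(f"{f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} -> "
              f"{f['fixed'] or 'no fix'} [{f['target']}]")
    print(f"{decision['total']} findings {decision['by_severity']}, "
          f"excluded {decision['excluded']}, passed={decision['passed']}")
    sys.exit(0 if decision["passed"] else 1)
```

Run as a step after the scan action, the script prints the blocking findings with their fixed versions and exits non-zero, which is what turns a severity threshold into a build decision. Keeping the exclusion list in the repository with expiry dates means a suppression cannot outlive the reason it was granted; when the date passes, the finding blocks again and has to be re-justified.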
Review and manage container findings
Container security findings require specialized understanding of image layers, base operating systems, and dependency management for effective remediation.
To review container findings:
- Access scan results through the CloudBees Unify Security Center:
  - Navigate to in your organization.
  - Filter findings by scanner type and container-specific vulnerability categories.
- Understand container-specific finding types and prioritization:
  - Base image vulnerabilities that affect the underlying operating system.
  - Application dependency vulnerabilities in installed packages and libraries.
  - Configuration issues and security misconfigurations in container setup.
  - Exposed secrets, credentials, or sensitive information embedded in image layers.
- Coordinate with development and operations teams for effective container security management:
  - Share findings with development teams for dependency updates and image rebuilds.
  - Work with operations teams on base image selection and container deployment policies.
  - Prioritize remediation based on container exposure, criticality, and deployment environments.
  - Track remediation progress through integrated vulnerability management workflows.

For detailed guidance on findings management, refer to Triage security findings.