Container Image Scanning: Finding and Managing Vulnerabilities

Container Image Scanning

Every container image you deploy carries an operating system, libraries, and application dependencies. Each of those components can have known vulnerabilities. Image scanning compares the packages in your image against databases of CVEs (Common Vulnerabilities and Exposures) and reports which known vulnerabilities affect the packages it finds, so you can decide what needs fixing.

Scanning is not optional. It is a baseline hygiene practice that belongs in every CI pipeline.

How CVE Databases Work

Scanners pull vulnerability data from multiple sources: the National Vulnerability Database (NVD), vendor-specific feeds (Red Hat, Debian, Alpine, Ubuntu security trackers), and language-specific advisory databases (GitHub Advisory Database for npm/pip/go). Each CVE has a severity rating based on CVSS scores:

Pod Security Standards: Admission Control and Secure Pod Configuration

Pod Security Standards

Kubernetes Pod Security Standards define three security profiles that control what pods are allowed to do. Pod Security Admission (PSA) enforces these standards at the namespace level. This is the replacement for PodSecurityPolicy, which was removed in Kubernetes 1.25.

The Three Levels

Privileged – Unrestricted. No security controls applied. Used for system-level workloads like CNI plugins, storage drivers, and logging agents that genuinely need host access.

Baseline – Prevents known privilege escalations. Blocks hostNetwork, hostPID, hostIPC, privileged containers, and most host path mounts. Allows most workloads to run without modification.
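To make the baseline controls concrete, here is an added Python check (illustration only, not Kubernetes' own admission code) that flags the host-access settings named above in a parsed pod manifest; the two sample pods are constructed for this example.

```python
# Simplified check of the Pod Security "baseline" controls listed above.
# Added illustration, not the Kubernetes admission controller: it covers only
# the controls the text names (host namespaces, privileged containers,
# hostPath volumes), not the full baseline policy. Input is a pod manifest
# already parsed into a dict (for example via yaml.safe_load).

def _all_containers(spec):
    """Yield every container; baseline applies to init, ephemeral and app containers alike."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []

def baseline_violations(pod):
    """Return human-readable reasons this pod would be rejected under enforce=baseline."""
    spec = pod.get("spec", {})
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} is true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"container {c.get('name')!r} is privileged")
    return problems

# Constructed sample: a debug pod that grabs host access in three ways.
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed sample: the same workload with host access removed; admitted under baseline.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": False}}],
    },
}

if __name__ == "__main__":
    for pod in (VIOLATING_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], baseline_violations(pod) or "admitted")
```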