Practice vocabulary for container image scanning: CVEs, base image vulnerabilities, scanning tools, distroless images, SBOMs, and image digests.
1 / 5
What is 'container image scanning' in a CI/CD pipeline?
Container image scanning inspects every layer of a built container image — OS packages, language runtimes, libraries — and checks them against CVE (Common Vulnerabilities and Exposures) databases. This happens in CI after the image is built, before it is pushed to a registry or deployed. Tools include Trivy, Grype, Snyk Container, and Clair.
2 / 5
What is a 'base image vulnerability' and why does it matter?
Most container images start FROM a base image (e.g., ubuntu:22.04, node:20-alpine, python:3.12-slim). If the base image contains unpatched CVEs, every image built from it inherits those vulnerabilities. Keeping base images updated and preferring minimal bases (alpine, distroless) reduces the inherited attack surface significantly.
3 / 5
What is a 'distroless' container image?
Distroless images (pioneered by Google) contain only what the application needs to run — no bash, no apt, no curl, no unused libraries. With no shell and no package manager present, an attacker who achieves code execution has far fewer tools available. They also dramatically reduce the number of CVEs present, since fewer packages are installed. Example: gcr.io/distroless/java.
4 / 5
What is the difference between an 'image tag' and an 'image digest'?
Image tags are convenient labels but mutable: pushing a new image with the same tag silently changes what it points to. Image digests are SHA-256 hashes of the image manifest — pinning to a digest (e.g., nginx@sha256:abc...) guarantees you always get exactly the same image, preventing supply-chain attacks where a tag is silently replaced with a malicious image.
5 / 5
What is an SBOM (Software Bill of Materials) for a container image?
An SBOM (Software Bill of Materials) is a machine-readable inventory of all software components in an artefact. For containers, it lists OS packages, language libraries, and their versions. SBOMs enable continuous vulnerability scanning (new CVEs can be checked against existing SBOMs without rebuilding), licence compliance checks, and supply chain audits. Formats include CycloneDX and SPDX. Tools: Syft, Docker Scout, Grype.