Detecting Vulnerabilities with Image Security Scanning
Image scanners work by inspecting images and searching for packages that have known vulnerabilities. Once you know which packages are affected, you can update those packages and their dependencies to versions that contain fixes.
As good as image scanning is, it’s important to understand its limitations.
Image scanning is focused on images and does not detect security problems with networks, nodes, or orchestrators.
Not all image scanners are equal; some perform deep binary-level scanning to detect packages, whereas others simply look at package names and do not closely inspect the content of images.
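To make the difference between name-based and deeper content-based scanning concrete, here is a small added model of a scanner (example code written for this explanation, not from any real scanner or from the book). It assumes a constructed vulnerability feed with placeholder advisory ids, a constructed image filesystem containing a dpkg status file, and an application binary that bundles its own OpenSSL, which a package-manifest-only scan never sees.

```python
import re

# Constructed vulnerability feed: package name, first fixed version, placeholder advisory id.
VULN_DB = [
    {"pkg": "openssl", "fixed": "1.1.1n", "id": "ADVISORY-PLACEHOLDER-1"},
    {"pkg": "zlib", "fixed": "1.2.12", "id": "ADVISORY-PLACEHOLDER-2"},
]

# Constructed image filesystem: a dpkg status file plus an application binary that
# bundles (statically links) its own OpenSSL, which the package manager knows nothing about.
IMAGE_FS = {
    "var/lib/dpkg/status": "Package: zlib\nVersion: 1.2.12\n\nPackage: curl\nVersion: 7.74.0\n",
    "opt/app/bin/server": b"\x7fELF...OpenSSL 1.1.1k  25 Mar 2021\x00...",
}


def version_key(v):
    """Split '1.1.1k' into comparable tokens: numbers as ints, letter suffixes as strings."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", v)]


def parse_dpkg_status(text):
    """Name-based pass: packages the package manager knows about, as name -> version."""
    found = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        found[fields["Package"]] = fields["Version"]
    return found


def find_bundled_libs(fs):
    """Binary-level pass: look for library version banners embedded inside executables."""
    found = {}
    for path, data in fs.items():
        if isinstance(data, bytes):
            m = re.search(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)", data)
            if m:
                found["openssl"] = m.group(1).decode()
    return found


def scan(fs, deep=False):
    """Return one finding per package whose installed version is older than the first fix."""
    installed = parse_dpkg_status(fs["var/lib/dpkg/status"])
    if deep:
        installed.update(find_bundled_libs(fs))
    return [
        {"pkg": v["pkg"], "installed": installed[v["pkg"]], "fixed": v["fixed"], "id": v["id"]}
        for v in VULN_DB
        if v["pkg"] in installed and version_key(installed[v["pkg"]]) < version_key(v["fixed"])
    ]
```

With `deep=False` the scan reports nothing, because zlib is already at its fixed version and the bundled OpenSSL is invisible to the manifest; with `deep=True` the vulnerable OpenSSL 1.1.1k inside the binary is reported with the version to upgrade to.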
At the time of writing, Docker Hub does not offer image scanning services. This may change in the future. Some on-premises private registry solutions offer built-in scanning, and there are third-party services that offer image scanning services.
The figures below are included as an example of the kind of reports image scanners can provide.