{"id":103164,"date":"2025-08-25T16:58:19","date_gmt":"2025-08-25T14:58:19","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=learn&#038;p=103164"},"modified":"2025-08-25T16:58:20","modified_gmt":"2025-08-25T14:58:20","slug":"docker-container-security-best-practices-image-scanning-is-non-negotiable","status":"publish","type":"learn","link":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/","title":{"rendered":"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable"},"content":{"rendered":"<p>Docker Hub may look like a developer&#8217;s candy store, but it&#8217;s also a minefield packed with unvetted software artifacts. Each image, whether official or community-contributed, may contain hundreds of known vulnerabilities, embedded malware, outdated components, or default misconfigurations. Even well-meaning developers often push images that include hardcoded secrets, shell tools, package managers, and unused libraries. In other words, elements that widen the attack surface.<\/p>\n\n\n\n<p><br>In fact, this isn\u2019t theoretical. In 2024, researchers uncovered over <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/malicious-containers-found-docker\/\">3 million malicious or typosquatted repositories<\/a> on Docker Hub, many disguised to look like legitimate sources. These weren\u2019t obscure listings either; some had been downloaded tens of thousands of times. We\u2019ve reached a point where the ecosystem itself has become a vector, and AppSec teams can no longer assume that popular or &#8220;official-looking&#8221; images are safe. This reality only reinforces the case for integrating container scanning into every stage of your pipeline.<\/p>\n\n\n\n<p><br>This means that vulnerabilities can travel frictionlessly from local builds to production clusters. 
Without guardrails, developers may pull images directly from Docker Hub into staging or even production environments without adequate inspection.<\/p>\n\n\n\n<p><br>This is why proactive <a href=\"https:\/\/checkmarx.com\/product\/container-security\/\">Docker container security<\/a> is not just important, it&#8217;s foundational. And it has to start with image scanning. Scanning is the first and best opportunity to catch critical risks before containers go live, when remediation is fast, low-risk, and automatable. If you&#8217;re not inspecting images at the moment they&#8217;re introduced, you&#8217;re inheriting third-party code from unknown sources. And that&#8217;s simply too big a risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">\n<br><strong>Why Docker Container Security Demands Vigilance<\/strong>\n<\/h2>\n\n\n\n<p><br><a href=\"https:\/\/checkmarx.com\/glossary\/docker\/\">Docker<\/a> has become foundational to modern software development, offering consistent, scalable environments that accelerate everything from developer onboarding to CI\/CD automation. Containers ensure parity across dev, staging, and production by encapsulating dependencies, configurations, and application logic into a single portable unit. But while this packaging solves deployment drift and simplifies infrastructure, it also collapses the boundary between application code and infrastructure risk.<\/p>\n\n\n\n<p><br>The speed and consistency of Docker can create a false sense of security. 
When developers pull base images from Docker Hub to spin up environments quickly, they may unknowingly include outdated packages, vulnerable libraries, or unnecessary tools, all without visibility or governance.<\/p>\n\n\n\n<p><br>For example, a development team might build a microservice on top of an outdated python:3.7 image because it &#8220;just works.&#8221; Python 3.7 reached end of life in June 2023, so that tag no longer receives rebuilds: whatever CVEs are open in its bundled system packages, including known remote code execution flaws in libraries the application never calls directly, stay open for good. Unless the team is actively scanning and moving to a supported, regularly rebuilt base image, that microservice ships with latent risk baked in.<\/p>\n\n\n\n<p><br>Security teams need to acknowledge this trade-off. Docker improves delivery velocity, but without early intervention it also accelerates the spread of vulnerabilities. The ability to identify and remediate issues at the image level, before containers are deployed, is what separates secure pipelines from those that unknowingly push risk into production.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">\n<br><strong>Containers May Feel Ephemeral, But They Introduce Real, Persistent Risk<\/strong>\n<\/h2>\n\n\n\n<p><br>While containers are often perceived as lightweight and short-lived, the risks they introduce can be deep and long-lasting. Each container is built from an image that may be reused hundreds or thousands of times across development, staging, and production environments. That means a single overlooked vulnerability in a base image can scale rapidly, affecting multiple services and applications.<\/p>\n\n\n\n<p><br>Here are just a few reasons why container risks persist, and why early detection is essential:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Every base image is a dependency.<\/strong> Even official images can carry outdated libraries or unpatched CVEs. 
For instance, an image built on ubuntu:18.04, whose standard support ended in 2023, might contain aging OpenSSL or glibc versions with known vulnerabilities that will never be fixed in that tag. Without regular scanning and controlled base image versioning, these weaknesses travel undetected into every downstream container, introducing risk at scale. Vulnerabilities in system-level packages, even if not used directly by the application, can be exploited via chained attacks that target the underlying OS layer: an application bug that yields a shell inside the container is followed by a local privilege escalation through a stale system library.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Attackers know how to hide in plain sight.<\/strong> Typosquatted repos and lookalike images on Docker Hub are designed to trick developers into pulling malicious content. For example, an attacker might upload a repo named node-official that mimics the popular node image but includes a cryptominer or a backdoor; the genuine one is a Docker Official Image published under the library namespace (docker.io\/library\/node, which the CLI resolves from the bare name node), not under a user account. These images often have realistic Dockerfile structures and documentation, making them hard to distinguish from legitimate sources without automated scanning and signature verification. Once pulled, these malicious images can silently exfiltrate environment variables, log keystrokes, or open reverse shells.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Misconfigured containers multiply risks.<\/strong> An exposed port, an elevated privilege flag, or an overly permissive volume mount can all become exploit vectors. A container started with the --privileged flag, for example, receives every Linux capability, unrestricted access to host devices, and no seccomp or AppArmor confinement, which in practice is enough to take over the host. Similarly, a port mapping such as -p 8080:80 publishes the service on 0.0.0.0 (every host interface) by default; binding to loopback requires an explicit address, -p 127.0.0.1:8080:80. Be aware that on Linux hosts Docker inserts its own iptables rules ahead of the host firewall, so a published port can be reachable even when a host-level tool such as ufw appears to block it. If runtime hardening is not enforced, such as dropping Linux capabilities or running as non-root, attackers can use these openings to escalate privileges, move laterally across a cluster, or persist undetected.<\/li>\n<\/ul>\n\n\n\n<p><br>Docker containers are widely used to package application code along with its dependencies. 
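<\/p>\n\n<p>To make the misconfigurations in the last bullet concrete, here is an added example (not from the original article and not Checkmarx code) that starts the same service with the weak flags that bullet describes and then with the hardened flags recommended under best practice 5 below, plus a small audit function that counts the risky options in a docker run command line. The image reference, ports and user ID are placeholders, and the audit runs without a Docker daemon.<\/p>

```shell
#!/bin/sh
# Added example, not from the original article: the weak "docker run" the text
# warns about beside a hardened one, plus an audit function that counts risky
# options in a docker run command line. IMAGE, ports and the UID are
# placeholders; the audit itself needs no Docker daemon.

# Placeholder reference pinned by digest (the digest here is not a real one).
IMAGE='registry.example.internal/payments/api@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Weak: all capabilities and host devices, host network, whole host filesystem
# mounted, and a port published on 0.0.0.0 because no host address is given.
WEAK_RUN="docker run -d --privileged --net=host -v /:/host -p 8080:8080 $IMAGE"

# hardened_run_cmd IMAGE HOST_PORT CONTAINER_PORT : prints a docker run line
# with no extra privileges, a non-root UID, a read-only root filesystem with
# a small noexec tmpfs, resource ceilings and the port bound to loopback only.
hardened_run_cmd() {
  printf '%s' "docker run -d --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m" \
    " --cap-drop=ALL --security-opt=no-new-privileges --user 10001:10001" \
    " --pids-limit 256 --memory 512m --cpus 1" \
    " -p 127.0.0.1:$2:$3 $1"
}

# audit_run_cmd 'docker run ...' : prints each risky option to stderr, the
# number of risky options to stdout, and returns non-zero if there were any.
audit_run_cmd() {
  cmd=$1; findings=0
  set -f                                   # no globbing while we split $cmd
  for bad in '--privileged' '--net=host' '--network=host' '--network host' \
             '--pid=host' '--pid host' '--ipc=host' '-v /:/' '--volume /:/' \
             '-v /var/run/docker.sock' '--cap-add=ALL' '--cap-add ALL' \
             '--security-opt=seccomp=unconfined' '--security-opt seccomp=unconfined' \
             '--security-opt=apparmor=unconfined' '--user root' '--user 0' '-u root' '-u 0'
  do
    case " $cmd " in
      *" $bad"*) echo "risky: $bad" >&2; findings=$((findings+1)) ;;
    esac
  done
  # -p HOST:CONTAINER with no host address publishes on every interface, and
  # Docker's own iptables rules sit ahead of host firewall rules such as ufw.
  prev=''
  for word in $cmd; do
    case "$prev" in
      -p|--publish)
        case "$word" in
          0.0.0.0:*) echo "risky: published on all interfaces: $word" >&2; findings=$((findings+1)) ;;
          *:*:*)     ;;                    # explicit host address, e.g. 127.0.0.1:8080:80
          *)         echo "risky: no host address, defaults to 0.0.0.0: $word" >&2; findings=$((findings+1)) ;;
        esac ;;
    esac
    prev=$word
  done
  set +f
  printf '%s\n' "$findings"
  [ "$findings" -eq 0 ]
}

# Demo on the two command lines above.
echo "weak:     $WEAK_RUN"
audit_run_cmd "$WEAK_RUN" || echo 'weak command would be rejected'
HARDENED_RUN=$(hardened_run_cmd "$IMAGE" 8443 8443)
echo "hardened: $HARDENED_RUN"
audit_run_cmd "$HARDENED_RUN" && echo 'hardened command passes the audit'
```

<p>The loopback binding means the service is reachable only from the host itself (typically behind a reverse proxy), dropping every capability plus no-new-privileges removes setuid escalation and most kernel-facing attack surface, and the read-only root filesystem with a small noexec tmpfs leaves an attacker nowhere useful to write. The audit prints the number of risky flags and exits non-zero when any were found, so it can gate a deployment script the same way an image scan gates a build.<\/p>

<p>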
But when those dependencies come from public repositories or stale base images, you\u2019re effectively importing someone else&#8217;s security debt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">\n<br><strong>Docker Image vs Container: Understanding the Risk Surface<\/strong>\n<\/h2>\n\n\n\n<p><br>It helps to clarify the distinction between a Docker image and a container because security controls, risk exposure, and mitigation strategies differ significantly between the two. Confusing these assets can lead to misaligned protections or missed vulnerabilities.<\/p>\n\n\n\n<p><br>Contrasting Docker image vs container allows AppSec teams to focus controls where they are most effective, including image scanning before deployment and runtime hardening once containers are in operation. This context is crucial when building a secure container pipeline that integrates with the broader application security strategy.<\/p>\n\n\n\n<p><br>Simply put, the differences look like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>Docker image<\/strong> is a static, read-only snapshot of your application and its environment. Think of it as the blueprint.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>container<\/strong> is a runtime instance of that image, complete with state and processes. It\u2019s the running application.<\/li>\n<\/ul>\n\n\n\n<p><br>Security must begin at the image level, before containers are ever deployed. Image scanning is your first and best line of defense against inherited vulnerabilities, exposed secrets, and embedded malware. Without it, you&#8217;re essentially building your application on uninspected, third-party infrastructure.<\/p>\n\n\n\n<p><br>Imagine deploying a container based on a compromised image containing a vulnerable version of libssl or an outdated Java runtime. 
Even if you apply runtime restrictions, enforce seccomp profiles, or run containers as non-root, the vulnerable code is still present and potentially reachable. Runtime controls can detect or contain an attack, but they cannot remove a flaw that is already in the base image.<\/p>\n\n\n\n<p><br>This is why image scanning must be treated as a gating requirement in your CI\/CD pipeline: the scan has to be able to fail the build or block the deployment, not merely produce a report someone may read later. It ensures that every containerized workload starts from a verified, minimal, and hardened foundation. Skip this step, and you&#8217;re leaving your entire AppSec strategy resting on a brittle, unverified layer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\"><strong>What Docker Containers Are Used For (and Why That Matters)<\/strong><\/h2>\n\n\n\n<p><br>Docker containers support the fast, repeatable, and scalable delivery of applications across multiple environments. They let developers and platform teams package code and all its dependencies into isolated, portable units that behave consistently across dev, staging, and production. This model dramatically simplifies software deployment and infrastructure management, but it also introduces specific security concerns at each lifecycle stage.<\/p>\n\n\n\n<p><br>Before we dive into container security best practices, it&#8217;s important to understand what containers are typically used for and why that makes them such a high-value target. From a security perspective, these common use cases expose containers to threats like privilege escalation, lateral movement, and supply chain compromise.<\/p>\n\n\n\n<p><br>Let\u2019s walk through what Docker containers are typically used for, and how those use cases shape the risk landscape:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Isolate application services for microservice architectures: <\/strong>Containers make it easy to deploy and manage individual services independently. 
For example, a frontend container can scale or restart without affecting backend services. This isolation also reduces the blast radius of potential vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Accelerate CI\/CD pipelines: <\/strong>Docker images can be reused across test, staging, and production, speeding up automated testing and deployment. But if a vulnerable base image slips in early, it can quietly persist across environments. An outdated Python image with CVEs might make it through the pipeline unless scanned.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Ensure consistent environments across dev, staging, and production: <\/strong>Containers standardize runtime environments, reducing drift. But consistency without scanning still spreads risk. A vulnerable image used everywhere is still vulnerable everywhere.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Package and deploy applications in cloud-native environments:<\/strong> Containers are the unit of deployment in Kubernetes and other cloud-native platforms. They enable fast scaling and updates, but also expand your attack surface. A misconfigured container could expose an entire namespace if not secured end-to-end.<\/li>\n<\/ul>\n\n\n\n<p><br>Each of these use cases represents a high-impact, security-sensitive scenario where the consequences of compromise extend far beyond a single application. 
Let\u2019s break down what\u2019s at stake:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A microservice running in a container could be compromised via a vulnerable image layer, exposing the rest of the cluster if lateral movement controls aren\u2019t in place.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A CI\/CD pipeline that isn\u2019t enforcing image scanning could introduce known vulnerabilities into every deployed environment.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A &#8220;consistent&#8221; container image could consistently expose the same security flaw in dev, staging, and production.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A cloud-native deployment might scale out containers with exposed secrets or elevated privileges, magnifying the blast radius.<\/li>\n<\/ul>\n\n\n\n<p>In other words, docker container software isn\u2019t just infrastructure plumbing. It\u2019s part of your application security posture. Treat it accordingly.<\/p>\n\n\n<section class=\"section-block-info light-theme\">\n    <div class=\"main-wrapper block-info__wrapper\">\n        <div class=\"block-info center\">\n\t\t\t\n\t\t\t<h2 class=\"section-title article-anchor\" id=\"article-anchor-5\">Security at the container level is not optional anymore. It\u2019s foundational.<\/h2>\t\t\t<p class=\"section-description\">Discover how Checkmarx can help you enforce Docker container security at scale.<\/p>\n\t\t\t<div class=\"actions\">\n\t\t\t\t        <a href=\"https:\/\/checkmarx.com\/product\/container-security\/#demo\" class=\"btn btn-2 btn-bg white demo\">Book your demo<\/a>\n        \t\t\t\t\t\t\t<\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\"><strong>Docker vs. Kubernetes: Complementary Roles, Distinct Security Priorities<\/strong><\/h2>\n\n\n\n<p>As teams embrace containerization, it&#8217;s common to hear Docker and Kubernetes mentioned in the same breath. 
But while they work together, their roles are distinct, and so are their security responsibilities.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Docker<\/strong> is a platform for building and running containers. It handles packaging, distribution, and container lifecycle management on a single host or in simple environments.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Kubernetes<\/strong> is an orchestration system designed to deploy, scale, and manage containers across clusters of machines. Since version 1.24 it no longer drives Docker directly (the dockershim was removed); nodes run containerd or CRI-O instead. Those runtimes pull the same OCI images that Docker builds, so every image-level weakness carries over unchanged.<\/li>\n<\/ul>\n\n\n\n<p>Security in Docker centers on image integrity, dependency hygiene, and container runtime hardening. In Kubernetes, the focus shifts to access controls (RBAC), network segmentation (NetworkPolicies), Pod Security Standards enforced through Pod Security Admission, and secure secret management.<\/p>\n\n\n\n<p><br>The two must work in tandem. Kubernetes cannot secure what the image introduces: if your container image is compromised, orchestration will not save you. That\u2019s why it\u2019s critical to start security with Docker image scanning before layering on Kubernetes-native protections.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\"><strong>Best Practices for Docker Container Security<\/strong><\/h2>\n\n\n\n<p>Securing your container ecosystem starts with hardening your images and enforcing hygiene throughout the SDLC. Containers are built to move fast, but without checks in place, they spread risk just as efficiently. Left unaddressed, one vulnerable image can scale across environments, replicate weaknesses in staging and prod, or introduce threats into orchestrated platforms like Kubernetes.<\/p>\n\n\n\n<p><br>Your baseline defense must begin with the image itself. That\u2019s why it\u2019s crucial to follow these <a href=\"https:\/\/checkmarx.com\/learn\/container-security\/best-practices\/\">best practices<\/a>:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. 
Scan Every Image, Every Time<\/strong><\/h3>\n\n\n\n<p>Image scanning is non-negotiable. Make it a required step in CI\/CD pipelines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Use automated scanners<\/strong> that identify known CVEs, malware, and misconfigurations<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scan both base images and custom-built layers<\/strong>, which means scanning the final built image rather than only the Dockerfile or the base tag; the layers you add (apt, pip and npm installs, vendored binaries) are where most new findings appear<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Fail builds or block deployments<\/strong> if critical vulnerabilities are found, by running the scanner in a mode that returns a failing exit code above your severity threshold and by enforcing the same threshold at admission time in the cluster<\/li>\n\n\n\n<li>With Checkmarx, container image scanning is integrated directly into your development workflows, from build to runtime.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. Pin Base Image Versions and Rebuild Regularly<\/strong><\/h3>\n\n\n\n<p>Avoid the latest tag. Pin to an exact version tag and, better still, to the image digest (name@sha256:...), because a tag, even a version tag, can be re-pushed to point at different content, while a digest names exactly one manifest. Then set schedules for rebuilding, so the pin moves deliberately rather than silently:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rebuilding ensures you pick up patches in base images (with digest pins this means bumping the digest, which a dependency-update bot can propose as a reviewable change)<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scanning ensures new vulnerabilities haven\u2019t crept in<\/li>\n<\/ul>\n\n\n\n<p>Even if your app code hasn&#8217;t changed, your dependencies have a lifecycle.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Remove Unused Packages and Minimize Image Size<\/strong><\/h3>\n\n\n\n<p>Slim images reduce the attack surface:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start from minimal base images (e.g., alpine, a distroless image, or scratch for statically linked binaries)<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep compilers, shells, and package managers out of the final image. Deleting them in a later RUN step does not help: the files remain in the earlier layer that wrote them, and scanners and attackers both still see them<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use multi-stage builds to separate build-time and runtime dependencies, copying only the built artifacts into a fresh final stage<\/li>\n<\/ul>\n\n\n\n<p>Fewer packages and binaries in the final image mean fewer CVEs to patch and fewer tools for an attacker to live off once inside.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. 
Use Trusted Registries and Signed Images<\/strong><\/h3>\n\n\n\n<p>Always pull from trusted, verified sources:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify image signatures before an image is admitted. Docker Content Trust (DCT, enabled with DOCKER_CONTENT_TRUST=1) does this with Notary v1 signatures, but Docker has announced the retirement of DCT; Sigstore cosign or Notation signatures, checked by an admission policy in the cluster, are the current equivalents. Either way, a signature proves who published the image, not that it is free of vulnerabilities, so it complements scanning rather than replacing it<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Host critical images in private, access-controlled registries, and have builds and clusters pull only from there (or through a pull-through cache that admits only approved upstream images) rather than directly from Docker Hub<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor Docker Hub for typosquatting or impersonation threats<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. Enforce Container Runtime Security Controls<\/strong><\/h3>\n\n\n\n<p>Once your image is running as a container, additional controls apply:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Drop all capabilities and add back only what the process needs (e.g., --cap-drop ALL, then --cap-add NET_BIND_SERVICE for a server that must bind a port below 1024)<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run as a non-root user (a USER instruction in the Dockerfile or --user at run time) and block privilege gains with --security-opt no-new-privileges; a read-only root filesystem (--read-only, with a tmpfs for scratch space) limits what an attacker can drop on disk<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set resource limits (--memory, --cpus, --pids-limit) so one compromised container cannot starve the host; note that --cpu-shares is a relative weight, not a ceiling<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use seccomp, AppArmor, or SELinux profiles. Docker applies a default seccomp profile automatically; keep it, and treat --security-opt seccomp=unconfined or --privileged in a manifest as a finding<\/li>\n<\/ul>\n\n\n\n<p>Container runtime security isn\u2019t a substitute for image scanning; it\u2019s a second line of defense.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6. Continuously Monitor and Patch<\/strong><\/h3>\n\n\n\n<p>New CVEs emerge daily. 
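<\/p>\n\n<p>A finding that surfaces tomorrow in an image that scanned clean today only matters if something acts on it. As an added example (not from the original article and not Checkmarx code), the shell script below is the shape of a gate that runs on every build (best practice 1) and again in a scheduled rescan of images already in the registry. It first lints a Dockerfile for the digest-pinning, minimal-image and non-root rules from best practices 2, 3 and 5, then fails on scanner findings at or above a severity threshold. The two Dockerfiles, the findings list and the digest are constructed inputs: the finding IDs are placeholders rather than real CVE numbers, and the all-zero digest must be replaced by a real one.<\/p>

```shell
#!/bin/sh
# Added example, not from the original article or from any Checkmarx product:
# a pre-merge gate that (1) lints a Dockerfile for the digest-pinning and
# non-root rules in best practices 2, 3 and 5, and (2) fails the build on
# scanner findings at or above a severity threshold (best practices 1 and 6).
# The Dockerfiles, the findings list and the digest are constructed inputs;
# the finding IDs are placeholders, not real CVE numbers.

# A reference is pinned when it ends in @sha256:<64 hex>. Tags, even exact
# version tags, can be re-pushed; a digest names one immutable manifest.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# lint_dockerfile < Dockerfile : problems to stderr, problem count to stdout,
# non-zero exit status if anything was found.
lint_dockerfile() {
  problems=0; last_user=''; stages=''
  set -f                                          # keep "COPY *.py" from globbing
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                                  # split instruction from arguments
    case "$1" in
      FROM|from)
        shift
        while [ "${1#--}" != "$1" ]; do shift; done   # skip flags such as --platform
        ref=$1
        [ "$#" -ge 3 ] && stages="$stages $3"         # "AS name" declares a build stage
        case " $stages " in *" $ref "*) continue ;; esac   # FROM <stage>, not an image
        [ "$ref" = scratch ] && continue
        case "$ref" in
          *:latest) echo "FROM $ref: latest is a moving target" >&2; problems=$((problems+1)) ;;
        esac
        if ! is_pinned_ref "$ref"; then
          echo "FROM $ref: not pinned to a digest" >&2; problems=$((problems+1))
        fi ;;
      USER|user) last_user=$2 ;;
    esac
  done
  set +f
  case "$last_user" in
    ''|root|0|root:*|0:*) echo 'final stage runs as root: add a non-root USER' >&2; problems=$((problems+1)) ;;
  esac
  printf '%s\n' "$problems"
  [ "$problems" -eq 0 ]
}

# severity_rank NAME : CRITICAL=4 ... LOW=1, unknown=0, so thresholds compare numerically.
severity_rank() {
  case "$1" in CRITICAL) echo 4 ;; HIGH) echo 3 ;; MEDIUM) echo 2 ;; LOW) echo 1 ;; *) echo 0 ;; esac
}

# gate_findings THRESHOLD < "<id> <severity> <package>" lines : blocking
# findings to stderr, their count to stdout, non-zero exit status if any.
gate_findings() {
  min=$(severity_rank "$1"); blocking=0
  while read -r id sev pkg; do
    [ -n "$id" ] || continue
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      echo "BLOCK $id $sev in $pkg" >&2; blocking=$((blocking+1))
    fi
  done
  printf '%s\n' "$blocking"
  [ "$blocking" -eq 0 ]
}

# ---- constructed inputs ----------------------------------------------------
BAD_DOCKERFILE='FROM python:latest
RUN pip install -r requirements.txt
CMD ["gunicorn", "app:app"]'

# PLACEHOLDER digest (all zeros). Get the real one with:
#   docker buildx imagetools inspect python:3.12-slim
DIGEST='sha256:0000000000000000000000000000000000000000000000000000000000000000'
GOOD_DOCKERFILE='FROM python:3.12-slim@'"$DIGEST"' AS build
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.12-slim@'"$DIGEST"'
COPY --from=build /install /usr/local
COPY app.py /app/app.py
USER 10001:10001
CMD ["python", "/app/app.py"]'

FINDINGS='EXAMPLE-0001 CRITICAL openssl
EXAMPLE-0002 HIGH glibc
EXAMPLE-0003 MEDIUM zlib
EXAMPLE-0004 LOW bash'

# Run both checks the way a CI step would; either one failing fails the job.
printf '%s\n' "$BAD_DOCKERFILE"  | lint_dockerfile >/dev/null || echo 'bad Dockerfile: blocked'
printf '%s\n' "$GOOD_DOCKERFILE" | lint_dockerfile >/dev/null && echo 'good Dockerfile: clean'
printf '%s\n' "$FINDINGS" | gate_findings HIGH >/dev/null || echo 'scan gate: blocked at HIGH'
```

<p>In a real pipeline the findings come from your scanner rather than a variable, and most scanners can enforce the threshold themselves (for example Trivy with --exit-code 1 --severity CRITICAL,HIGH, or Grype with --fail-on high), which is the same gate expressed as a flag. What matters is that the result is an exit status the pipeline honours, not a report, and that the same threshold is applied when the registry is rescanned, so an image that was green at build time is pulled from rotation when a new advisory lands.<\/p>

<p>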
Build a process to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuously rescan images in registries<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trigger alerts or rebuilds for newly discovered vulnerabilities<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Retire or quarantine vulnerable images<\/li>\n<\/ul>\n\n\n\n<p>Checkmarx helps teams stay ahead by linking container security scanning with the broader AppSec program\u2014not just treating it as an isolated task.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-8\"><strong>Stay Ahead of the Threat: Checkmarx Makes Image Scanning Part of Your SDLC<\/strong><\/h2>\n\n\n\n<p>Image scanning should be as routine as unit testing. By embedding it directly into your CI\/CD process, you prevent vulnerable or malicious containers from reaching production in the first place.<\/p>\n\n\n\n<p><br>Checkmarx takes a comprehensive approach to docker container security. We don\u2019t just scan images in isolation\u2014we connect them to the broader AppSec picture.\u00a0<\/p>\n\n\n\n<p><br>Our approach is built to integrate seamlessly into the modern DevSecOps pipeline. The Checkmarx platform:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scans images during build and deploy phases<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Flags vulnerable or untrusted layers before containers are created<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Aligns container scanning with SAST, SCA, and secrets detection to deliver holistic application security<\/li>\n<\/ul>\n\n\n\n<p>This end-to-end visibility helps teams shift left without slowing down, ensuring that container security is built into development, not bolted on after deployment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-9\"><strong>Scanned Images are Safe Images<\/strong><\/h2>\n\n\n\n<p>We can\u2019t take trust at face value anymore. 
Not when even top-ranked Docker images are riddled with vulnerabilities. Not when bad actors are flooding public repos with malicious lookalikes.<\/p>\n\n\n\n<p><br>Every base image is part of your supply chain. If you\u2019re not scanning it, you\u2019re not securing it. This is where Checkmarx helps teams stay ahead, by embedding image scanning directly into your CI\/CD workflows and tying container insights into your broader AppSec program.\u00a0<\/p>\n\n\n\n<p><br>From detecting vulnerable packages to flagging exposed secrets, we give you the visibility and control needed to ship containers confidently and securely.<\/p>\n\n\n<section class=\"section-block-info light-theme\">\n    <div class=\"main-wrapper block-info__wrapper\">\n        <div class=\"block-info center\">\n\t\t\t\n\t\t\t<h2 class=\"section-title article-anchor\" id=\"article-anchor-10\">Ready to dig deeper into container security best practices, tools, and integrations?<\/h2>\t\t\t<p class=\"section-description\">Stay ahead of evolving threats with expert insights on container security. 
Explore best practices, tools, and integrations designed to help DevSecOps teams secure every stage of the container lifecycle.<\/p>\n\t\t\t<div class=\"actions\">\n\t\t\t\t        <a href=\"https:\/\/checkmarx.com\/learn\/container-security\/\" class=\"btn btn-2 btn-bg white demo\">Explore our Container Security Learning Hub<\/a>\n        \t\t\t\t\t\t\t<\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<p><br><\/p>","protected":false},"author":141,"featured_media":103165,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":true,"footnotes":""},"learn-cat":[864],"class_list":["post-103164","learn","type-learn","status-publish","has-post-thumbnail","hentry","learn-cat-container-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Docker Container Security Best Practices: Image Scanning Is Non-Negotiable<\/title>\n<meta name=\"description\" content=\"Discover why image scanning is non-negotiable for Docker container security. Learn best practices to block vulnerabilities before containers reach production.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable\" \/>\n<meta property=\"og:description\" content=\"Discover why image scanning is non-negotiable for Docker container security. 
Learn best practices to block vulnerabilities before containers reach production.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-25T14:58:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\"},\"author\":{\"name\":\"Emma Datny\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc\"},\"headline\":\"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable\",\"datePublished\":\"2025-08-25T14:58:19+00:00\",\"dateModified\":\"2025-08-25T14:58:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\"},\"wordCount\":2354,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\",\"url\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\",\"name\":\"Docker Container Security Best Practices: Image Scanning Is 
Non-Negotiable\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp\",\"datePublished\":\"2025-08-25T14:58:19+00:00\",\"dateModified\":\"2025-08-25T14:58:20+00:00\",\"description\":\"Discover why image scanning is non-negotiable for Docker container security. Learn best practices to block vulnerabilities before containers reach production.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp\",\"width\":1200,\"height\":600,\"caption\":\"Illustration representing docker container security with the Docker logo connected to shield and warning icons, symbolizing protection and vulnerability scanning.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc\",\"name\":\"Emma Datny\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg\",\"caption\":\"Emma Datny\"},\"sameAs\":[\"https:\/\/checkmarx.com\/\"],\"url\":\"https:\/\/checkmarx.com\/author\/emma_datny\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable","description":"Discover why image scanning is non-negotiable for Docker container security. 
Learn best practices to block vulnerabilities before containers reach production.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/","og_locale":"en_US","og_type":"article","og_title":"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable","og_description":"Discover why image scanning is non-negotiable for Docker container security. Learn best practices to block vulnerabilities before containers reach production.","og_url":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2025-08-25T14:58:20+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/"},"author":{"name":"Emma Datny","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc"},"headline":"Docker Container Security Best Practices: Image Scanning Is Non-Negotiable","datePublished":"2025-08-25T14:58:19+00:00","dateModified":"2025-08-25T14:58:20+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/"},"wordCount":2354,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/","url":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/","name":"Docker Container Security Best Practices: Image Scanning Is 
Non-Negotiable","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp","datePublished":"2025-08-25T14:58:19+00:00","dateModified":"2025-08-25T14:58:20+00:00","description":"Discover why image scanning is non-negotiable for Docker container security. Learn best practices to block vulnerabilities before containers reach production.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/learn\/container-security\/docker-container-security-best-practices-image-scanning-is-non-negotiable\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/July-B3-Docker-Doesnt-Care-About-Security.webp","width":1200,"height":600,"caption":"Illustration representing docker container security with the Docker logo connected to shield and warning icons, symbolizing protection and vulnerability scanning."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc","name":"Emma Datny","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg","caption":"Emma 
Datny"},"sameAs":["https:\/\/checkmarx.com\/"],"url":"https:\/\/checkmarx.com\/author\/emma_datny\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn\/103164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/learn"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/141"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn\/103164\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/103165"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=103164"}],"wp:term":[{"taxonomy":"learn-cat","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn-cat?post=103164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}