Kubernetes / devops / ~10 mins

Image security scanning in Kubernetes - Step-by-Step Execution

Process Flow - Image security scanning
Start: New Container Image
  -> Trigger Scan on Image
  -> Scan Image for Vulnerabilities
  -> Vulnerabilities Found?
       No  -> Approve Image -> Deploy Image
       Yes -> Block or Alert -> Reject Image (fix, rebuild, re-scan)
The flow starts with a new container image, triggers a scan, checks the result for vulnerabilities, then either approves the image for deployment or blocks it and alerts, based on the scan results. The deployment is never created before the scan has passed.
Execution Sample
Kubernetes (Trivy as the scanner)
trivy image --exit-code 1 myapp:v1
# Scan reports vulnerabilities: exit code 1, the image is not deployed
trivy image --exit-code 1 myapp:v1-fixed
# Rebuilt image is clean: exit code 0
kubectl create deployment myapp --image=myapp:v1-fixed
kubectl rollout status deployment/myapp
This sequence scans the image before anything is deployed, stops on the vulnerable tag, re-scans the fixed tag, and only then creates the deployment and checks its rollout status. kubectl has no scan subcommand: scanning is done by an external scanner such as Trivy, here as a pipeline step whose non-zero exit code blocks the deploy. Add --severity CRITICAL,HIGH (and --ignore-unfixed) to fail only on the severities your policy actually blocks rather than on every finding.
Process Table
| Step | Action | Command/Check | Result | Next Step |
| 1 | New image ready | myapp:v1 built, not yet deployed | Image myapp:v1 available for scanning | Trigger image scan |
| 2 | Trigger image scan | trivy image --exit-code 1 myapp:v1 | Scan started for image myapp:v1 | Scan completes |
| 3 | Scan completes | Scan engine analyzes image layers | Vulnerabilities found: 3 critical, 5 medium (exit code 1) | Block deployment and alert |
| 4 | Block deployment | Policy enforcement: pipeline step fails on non-zero exit | Deployment not created, alert sent to team | Wait for image fix |
| 5 | Fix image and re-scan | trivy image --exit-code 1 myapp:v1-fixed | No vulnerabilities found (exit code 0) | Approve deployment |
| 6 | Approve deployment | kubectl create deployment myapp --image=myapp:v1-fixed; kubectl rollout status deployment/myapp | Deployment successful | End |
💡 Deployment approved only after image passes security scan with no critical vulnerabilities.
Status Tracker
| Variable | Start | After Step 2 | After Step 3 | After Step 5 | Final |
| image_status | Not scanned | Scanning | Vulnerabilities found | No vulnerabilities | Approved |
| deployment_status | Not created | Not created | Blocked | Pending approval | Deployed |
Key Moments - 3 Insights
Why does the deployment get blocked after the scan?
Because the scan found critical vulnerabilities (see Process Table, step 3), the policy blocks the deployment and alerts the team so a vulnerable image never reaches the cluster.
What happens if no vulnerabilities are found?
The image is approved and the deployment proceeds (see Process Table, steps 5 and 6), allowing the app to run on a clean image.
Can deployment proceed before scanning?
No. Scanning is mandatory before deployment (see Process Table, steps 2 and 3); the deployment object is only created after the scan has passed.
Visual Quiz - 3 Questions
Test your understanding
Look at the Status Tracker: what is image_status after step 3?
A. Scanning
B. Vulnerabilities found
C. No vulnerabilities
D. Approved
💡 Hint
Check the Status Tracker row for image_status in the "After Step 3" column.
At which step does the deployment get blocked due to vulnerabilities?
A. Step 2
B. Step 3
C. Step 4
D. Step 5
💡 Hint
Look at the Process Table action and result columns for the step where the policy is enforced.
If the scan found no vulnerabilities at step 3, what would be the next step?
A. Approve deployment
B. Block deployment and alert
C. Fix image and re-scan
D. Create deployment
💡 Hint
Refer to Process Table steps 3 and 5 for the flow after each scan result.
Concept Snapshot
Image security scanning in Kubernetes:
- Build container image (not yet deployed)
- Trigger scan on image
- Scan checks for vulnerabilities
- If critical found, block deployment
- Fix image and re-scan
- Approve deployment if clean
- Ensures only safe images run
Full Transcript
Image security scanning in Kubernetes starts when a new container image is built, before it is deployed. The pipeline triggers a scan that checks the image layers for known vulnerabilities. If critical vulnerabilities are found, the deployment is blocked and alerts are sent. The image must be fixed, rebuilt and rescanned. Once no blocking vulnerabilities remain, the deployment is approved, created and rolled out, and the application runs on a clean image. This process protects the cluster by ensuring only scanned, approved images are deployed.

Practice

1. What is the main purpose of image security scanning in Kubernetes?
easy
A. To find vulnerabilities in container images before deployment
B. To increase the size of container images
C. To speed up the container startup time
D. To monitor network traffic between containers

Solution

  1. Step 1: Understand image security scanning

    Image security scanning checks container images for security issues like vulnerabilities.
  2. Step 2: Identify the main goal

    The goal is to find and fix vulnerabilities before deploying containers to keep apps safe.
  3. Final Answer:

    To find vulnerabilities in container images before deployment -> Option A
  4. Quick Check:

    Image scanning = find vulnerabilities [OK]
Hint: Image scanning finds security holes before use [OK]
Common Mistakes:
  • Confusing scanning with performance tuning
  • Thinking it monitors network traffic
  • Believing it changes image size
2. Which command correctly scans a Docker image named myapp:latest using Trivy?
easy
A. trivy myapp:latest scan
B. trivy scan myapp:latest
C. trivy image myapp:latest
D. trivy scan image myapp

Solution

  1. Step 1: Recall Trivy scan syntax

    The correct command to scan an image is trivy image <image-name>.
  2. Step 2: Match the command with options

    trivy image myapp:latest matches the correct syntax exactly.
  3. Final Answer:

    trivy image myapp:latest -> Option C
  4. Quick Check:

    Trivy scan command = trivy image [OK]
Hint: Use 'trivy image' to scan images [OK]
Common Mistakes:
  • Using 'trivy scan' instead of 'trivy image'
  • Placing 'scan' after image name
  • Omitting the 'image' keyword
3. What will be the output of the command trivy image alpine:3.15 if the image has no vulnerabilities?
medium
A. No vulnerabilities detected, image is safe
B. Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
C. Error: image not found
D. Vulnerabilities found: 0

Solution

  1. Step 1: Understand Trivy output for clean images

    When no vulnerabilities are found, Trivy outputs a table ending with Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0).
  2. Step 2: Compare options with expected output

    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) matches the typical Trivy message for no vulnerabilities.
  3. Final Answer:

    Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) -> Option B
  4. Quick Check:

    No vulnerabilities message = Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) [OK]
Hint: Look for 'Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)' in scan output [OK]
Common Mistakes:
  • Expecting a numeric count output
  • Confusing error messages with success
  • Assuming 'no vulnerabilities' means error
4. You run trivy image myapp:latest but get an error: ERROR: unable to find image. What is the likely cause?
medium
A. The image name is misspelled or does not exist locally
B. Trivy is not installed correctly
C. The Kubernetes cluster is down
D. The Docker daemon is running

Solution

  1. Step 1: Analyze the error message

    The error 'unable to find image' means Trivy cannot locate the specified image locally or remotely.
  2. Step 2: Identify common causes

    Most often, this happens if the image name is wrong or the image is not pulled yet.
  3. Final Answer:

    The image name is misspelled or does not exist locally -> Option A
  4. Quick Check:

    Image not found error = wrong image name [OK]
Hint: Check image name spelling and availability [OK]
Common Mistakes:
  • Blaming Kubernetes cluster status
  • Assuming Trivy installation issue
  • Ignoring image presence locally
5. You want to automate image scanning in your Kubernetes CI/CD pipeline using Trivy. Which approach is best to ensure images are scanned before deployment?
hard
A. Only scan images once a month regardless of deployment
B. Scan images manually after deployment to production
C. Ignore scanning if images come from trusted sources
D. Add a pipeline step that runs trivy image <image> and fails if vulnerabilities are found

Solution

  1. Step 1: Understand CI/CD pipeline best practices

    Automated scanning before deployment helps catch vulnerabilities early and prevents unsafe images from running.
  2. Step 2: Evaluate options for automation

    Add a pipeline step that runs trivy image <image> and fails if vulnerabilities are found. This integrates scanning into the pipeline and blocks deployment if issues exist, which is best practice.
  3. Final Answer:

    Add a pipeline step that runs trivy image <image> and fails if vulnerabilities are found -> Option D
  4. Quick Check:

    Automate scanning pre-deployment = Add a pipeline step that runs trivy image <image> and fails if vulnerabilities are found [OK]
Hint: Scan images in pipeline and fail on vulnerabilities [OK]
Common Mistakes:
  • Scanning only after deployment
  • Ignoring scans for trusted images
  • Scanning too infrequently
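The gate described in the Process Table and in question 5 (scan first, fail the pipeline step on blocking findings, deploy only on approval), as an added example that is not code from the original page or from the Trivy project. It assumes trivy and kubectl are on PATH when run_pipeline() is called; evaluate_report() and summary_line() are pure and run offline on the constructed sample reports below, whose CVE ids and package names are placeholders, not real findings. The report shape (Results, Target, Vulnerabilities, Severity, FixedVersion) is Trivy's JSON output format.

```python
"""Scan-then-deploy gate built around Trivy's JSON report.

Added example, not code from the original page. run_pipeline() assumes `trivy`
and `kubectl` are on PATH; evaluate_report() runs offline on the constructed
sample reports below, so the policy can be tested without either tool.
"""
import json
import subprocess
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
# Severities that block deployment (same effect as `trivy image --severity CRITICAL,HIGH`).
BLOCKING = ("CRITICAL", "HIGH")


def run_trivy(image: str) -> dict:
    """Scan an image with Trivy and return the parsed JSON report (needs trivy on PATH)."""
    # --exit-code 0: findings must not abort the command here; evaluate_report() decides.
    cmd = ["trivy", "image", "--quiet", "--format", "json", "--exit-code", "0", image]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def evaluate_report(report: dict, blocking=BLOCKING, ignore_unfixed: bool = False) -> dict:
    """Count findings per severity and decide whether the image may be deployed.

    Trivy omits the "Vulnerabilities" key for a clean target and the "FixedVersion"
    key for a finding with no fix; both cases are handled. ignore_unfixed=True drops
    unfixable findings from the blocking set, like `trivy --ignore-unfixed`.
    """
    counts = Counter()
    blocking_ids = set()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            unfixable = not vuln.get("FixedVersion")
            if sev in blocking and not (ignore_unfixed and unfixable):
                blocking_ids.add(vuln["VulnerabilityID"])
    return {"counts": dict(counts), "blocking": sorted(blocking_ids), "approved": not blocking_ids}


def summary_line(verdict: dict) -> str:
    """Render per-severity totals in the same layout as Trivy's table summary line."""
    counts = verdict["counts"]
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({parts})"


def run_pipeline(image: str, deployment: str = "myapp") -> bool:
    """Process-table order: scan first; create the deployment only on approval."""
    verdict = evaluate_report(run_trivy(image), ignore_unfixed=True)
    print(f"{image}: {summary_line(verdict)}")
    if not verdict["approved"]:
        # Block and alert: the failed step is the alert; nothing has reached the cluster.
        print(f"BLOCKED {image}: fixable {'/'.join(BLOCKING)} findings {verdict['blocking']}")
        return False
    subprocess.run(["kubectl", "create", "deployment", deployment, f"--image={image}"], check=True)
    subprocess.run(["kubectl", "rollout", "status", f"deployment/{deployment}"], check=True)
    return True


# Constructed sample reports in Trivy's JSON shape; ids and package names are placeholders.
VULNERABLE_REPORT = {
    "ArtifactName": "myapp:v1",
    "Results": [{
        "Target": "myapp:v1 (alpine 3.15.0)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL", "FixedVersion": "1.2.3-r1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH"},  # no fix available yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM", "FixedVersion": "4.5.6-r0"},
        ],
    }],
}
FIXED_REPORT = {
    "ArtifactName": "myapp:v1-fixed",
    "Results": [
        {"Target": "myapp:v1-fixed (alpine 3.15.0)"},  # clean target: no "Vulnerabilities" key at all
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepkg", "Severity": "MEDIUM", "FixedVersion": "2.0.0"}]},
    ],
}

if __name__ == "__main__":
    import sys
    sys.exit(0 if run_pipeline(sys.argv[1] if len(sys.argv) > 1 else "myapp:v1") else 1)
```

Run as `python gate.py myapp:v1` from the pipeline step; the process exit code is what blocks the deploy. The policy is deliberately separated from the scanner invocation so that thresholds (which severities block, whether unfixable findings count) live in one reviewed function rather than in an ad hoc set of CLI flags, and so the decision logic can be unit-tested on captured reports without a registry or cluster.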