Commonly used tools for image vulnerability scanning include:
Trivy - An open-source vulnerability scanner that detects vulnerabilities in container images, file systems, and Git repositories. It supports multiple operating systems and package managers.
Example: Scan a Docker image with trivy image <image-name>.
Clair - An open-source project by CoreOS for static analysis of vulnerabilities in appc and Docker containers. It provides a REST API for integration.
Example: Clair can be deployed alongside a container registry to scan images during push operations.
Grype - Developed by Anchore, Grype scans container images and filesystems for vulnerabilities and provides detailed output.
Example: Run grype <image-name> to scan an image.
Docker Bench for Security - A script that checks for common best practices in Docker deployments, including image security.
Example: Execute the script to audit Docker host and container configurations.
Sysdig Secure - A commercial tool offering container image scanning, runtime security, and compliance checks.
Example: Integrate with CI/CD pipelines to scan images before deployment.
Twistlock (now part of Prisma Cloud) - Provides comprehensive container security, including image scanning, runtime protection, and compliance.
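The Trivy and Grype entries above show the scan command, and the Sysdig entry describes gating a CI/CD pipeline on the result. The script below is an added example (not code from this page, nor from the Trivy or Anchore projects) of the gate itself: it reads the JSON report that trivy image --format json --output report.json <image-name> writes, keeps findings at or above a severity threshold, optionally drops findings with no fixed version, and returns a non-zero status so the pipeline stops. The embedded report is constructed to mirror Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the image name and the CVE identifiers in it are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report (added example, not part of the original page).

Assumed producer of the report (a real Trivy invocation):
    trivy image --format json --output report.json <image-name>
The SAMPLE_REPORT below is CONSTRUCTED to mirror that layout; its CVE IDs and
image name are placeholders, not real advisories.
"""
import json
import sys

# Severity ranking used for the threshold comparison (Trivy's severity labels).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: one OS-package target and one application lockfile.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.internal/app:1.2.3",  # placeholder image name
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example.internal/app:1.2.3 (debian 12.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.11-1+fix1",
                 "Severity": "CRITICAL", "Title": "placeholder: constructed finding"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder: no fix available"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "tar",
                 "InstalledVersion": "1.34+dfsg-1", "FixedVersion": "1.34+dfsg-1.2",
                 "Severity": "LOW", "Title": "placeholder: constructed finding"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "lodash",
                 "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21",
                 "Severity": "HIGH", "Title": "placeholder: constructed finding"},
            ],
        },
    ],
})


def findings(report_json, min_severity="HIGH", fixable_only=False):
    """Return findings at or above min_severity as
    (vuln_id, target, package, installed, fixed, severity) tuples."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) for a target with no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if fixable_only and not v.get("FixedVersion"):
                continue  # nothing to upgrade to yet; report elsewhere, do not block
            hits.append((v["VulnerabilityID"], result.get("Target", ""), v["PkgName"],
                         v["InstalledVersion"], v.get("FixedVersion", ""), sev))
    return hits


def gate(report_json, min_severity="HIGH", fixable_only=False):
    """Return 0 when the image may be deployed, 1 when the pipeline should stop."""
    hits = findings(report_json, min_severity, fixable_only)
    for vuln_id, target, pkg, installed, fixed, sev in hits:
        fix = f"fix in {fixed}" if fixed else "no fix available"
        print(f"{sev:8} {vuln_id:15} {pkg} {installed} ({fix}) [{target}]")
    print(f"{len(hits)} finding(s) at or above {min_severity.upper()}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [--fixable-only] [--min-severity LEVEL]
    args = sys.argv[1:]
    fixable = "--fixable-only" in args
    level = args[args.index("--min-severity") + 1] if "--min-severity" in args else "HIGH"
    paths = [a for a in args if not a.startswith("--") and a != level]
    data = open(paths[0]).read() if paths else SAMPLE_REPORT
    sys.exit(gate(data, level, fixable))
```

Trivy and Grype can enforce a simple version of this policy on their own (for Trivy, --exit-code 1 --severity HIGH,CRITICAL and --ignore-unfixed; for Grype, --fail-on high and --only-fixed). A separate gate like this one is useful when the JSON report must be archived as a build artifact anyway and the blocking rule needs to differ from what those flags express, for example blocking only on fixable findings in the OS layer while merely warning on application dependencies.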
For cloud-based solutions, Tencent Cloud offers Tencent Container Registry (TCR) with built-in vulnerability scanning powered by Tencent Cloud Security. It automatically scans images for CVEs and integrates with CI/CD workflows. Additionally, Tencent Cloud Security provides Image Safety, a service that detects vulnerabilities in container images stored in TCR.