
How to perform version control for image vulnerability scanning?

Version control for image vulnerability scanning involves tracking changes to container images and their associated vulnerability scan results over time. This ensures you can identify when vulnerabilities were introduced, monitor remediation progress, and maintain a secure image lifecycle.

Key Steps:

  1. Image Tagging & Versioning
    Use immutable, semantic version tags (e.g., v1.2.3) instead of mutable tags like latest. This helps correlate scans with specific image versions.

  2. Scan & Store Results
    Perform vulnerability scans (e.g., for CVEs) using tools like Trivy, Clair, or Tencent Cloud’s Container Image Security Scanning (integrated with Tencent Container Registry (TCR)). Store scan results with timestamps and image digests.

  3. Track Changes
    Maintain a log of:

    • Image build versions and their source code commits.
    • Scan results (vulnerabilities found/severity).
    • Remediation actions (e.g., patching, rebuilding).

  4. Automate Workflows
    Integrate scans into CI/CD pipelines (e.g., Tencent Cloud DevOps Toolchain) to block deployments of images with critical vulnerabilities.

Example:

  • Scenario: You build a Docker image app:v1.0 and scan it via TCR’s vulnerability scanning. The scan finds CVE-2023-1234 (High).
  • Version Control Action:
    1. Tag the image as app:v1.0 (immutable).
    2. Store the scan report in TCR or a version-controlled system (e.g., Git).
    3. Update the code, rebuild as app:v1.1, and rescan. If fixed, deploy v1.1.
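The scenario above, worked through as an added example that is not part of the original page or of any Tencent Cloud tool: two constructed Trivy-style JSON reports stand in for real scan output, the image digests are labelled placeholders, and the code records each scan against its tag and digest, gates deployment on HIGH or above, and diffs v1.0 against v1.1 to confirm the remediation.

```python
"""Version-tracked scan results with a deployment gate and a per-version diff."""
import json
from datetime import datetime, timezone

# Constructed, Trivy-style JSON reports (not real scanner output): the v1.0
# image carries the page's CVE-2023-1234; v1.1 was rebuilt with the fix.
SCAN_V1_0 = json.dumps({"Results": [{"Target": "app:v1.0", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-1234", "PkgName": "libexample", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libother", "Severity": "LOW"}]}]})
SCAN_V1_1 = json.dumps({"Results": [{"Target": "app:v1.1", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libother", "Severity": "LOW"}]}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_report(report_json):
    """Return {cve_id: severity} from a Trivy-style JSON report."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings[vuln["VulnerabilityID"]] = vuln.get("Severity", "UNKNOWN").upper()
    return findings


def record_scan(history, tag, digest, report_json, scanned_at=None):
    """Append one scan record keyed by the immutable digest, with a timestamp."""
    entry = {"tag": tag, "digest": digest,
             "scanned_at": (scanned_at or datetime.now(timezone.utc)).isoformat(),
             "findings": parse_report(report_json)}
    history.append(entry)
    return entry


def gate(findings, threshold="HIGH"):
    """CVE ids at or above the threshold; an empty list means the image may deploy."""
    limit = SEVERITY_RANK[threshold]
    return sorted(cve for cve, sev in findings.items() if SEVERITY_RANK.get(sev, 0) >= limit)


def diff_scans(old, new):
    """Which CVEs a rebuild fixed and which it introduced, for the remediation log."""
    return {"fixed": sorted(set(old["findings"]) - set(new["findings"])),
            "introduced": sorted(set(new["findings"]) - set(old["findings"]))}


if __name__ == "__main__":
    history = []  # in practice this log lives in TCR or a Git-tracked file
    v10 = record_scan(history, "app:v1.0", "sha256:PLACEHOLDER_DIGEST_V1_0", SCAN_V1_0)
    v11 = record_scan(history, "app:v1.1", "sha256:PLACEHOLDER_DIGEST_V1_1", SCAN_V1_1)
    print("v1.0 blocked by:", gate(v10["findings"]))   # ['CVE-2023-1234']
    print("v1.1 blocked by:", gate(v11["findings"]))   # []
    print("v1.0 -> v1.1:", diff_scans(v10, v11))
```

In a pipeline, the report would come from a real scanner run against the freshly built tag, and a non-empty result from gate() would fail the deploy stage.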

Tencent Cloud Services:

  • Tencent Container Registry (TCR): Built-in vulnerability scanning with historical result tracking.
  • DevOps Toolchain: Automate scans in CI/CD pipelines.
  • TCR Enterprise Edition: Advanced audit logs and image lifecycle management.

By combining versioned images with scanned results, you ensure accountability and faster vulnerability resolution.