Image vulnerability scanning results are typically stored and managed in a centralized system that tracks vulnerabilities across container images, provides historical data, and enables remediation workflows. The storage and management process involves several key components:
- Database Storage: Results are stored in structured databases (e.g., relational or NoSQL) with fields for image ID, vulnerability severity (CVSS score), affected packages, affected versions, and remediation guidance.
- Vulnerability Databases: Scanners reference public vulnerability databases (e.g., NVD, CVE) to match detected issues with known threats.
- Metadata Association: Results are linked to the specific image layer, registry, and timestamp of the scan for traceability.
- Access Control & Auditing: Role-based access ensures only authorized users can view or modify results, while audit logs track changes.
- Integration with CI/CD: Results feed into pipelines to block deployments of vulnerable images or trigger auto-remediation.
Example: A DevOps team scans a Docker image using a vulnerability scanner. The tool detects a critical CVE in an outdated openssl package. The result is stored in a database with details like:
- Image: myapp:1.2
- Vulnerability: CVE-2023-1234 (OpenSSL buffer overflow)
- Severity: Critical (CVSS 9.8)
- Remediation: Upgrade to openssl 3.0.7+
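The storage layout and the CI/CD gate described above, as an added example that is not code from the original page or from any scanner vendor. It assumes a SQLite store with a `scans` table (image, registry, layer, timestamp) and a `findings` table (CVE id, package, version, fix version, severity, CVSS), and a constructed scanner JSON format; real scanners each emit their own schema. The registry name and layer digest are placeholders, and the second finding uses an obviously fake CVE id.

```python
"""Persist container-image scan results and gate a CI/CD deployment on them.

Added example, not code from the original page or from any scanner vendor.
The scanner JSON below is a constructed format; real scanners each emit
their own schema, so adapt `store_scan` to the tool actually in use.
"""
import json
import sqlite3

# Constructed sample output. CVE-2023-1234 is the page's example; the second
# id is an obviously fake placeholder, not a real vulnerability identifier.
SAMPLE_SCAN = json.dumps({
    "image": "myapp:1.2",
    "registry": "registry.example.internal",      # hypothetical registry
    "layer": "sha256:placeholder-layer-digest",   # placeholder, not a real digest
    "scanned_at": "2023-06-01T12:00:00Z",
    "findings": [
        {"id": "CVE-2023-1234", "package": "openssl", "version": "3.0.2",
         "fixed_in": "3.0.7", "severity": "Critical", "cvss": 9.8},
        {"id": "CVE-0000-0000", "package": "examplelib", "version": "1.0.0",
         "fixed_in": None, "severity": "Medium", "cvss": 5.5},
    ],
})

# Scans and findings are separate so "scanned, nothing found" can be told
# apart from "never scanned" (the gate below fails closed on the latter).
SCHEMA = """
CREATE TABLE IF NOT EXISTS scans (
    scan_id    INTEGER PRIMARY KEY,
    image      TEXT NOT NULL,
    registry   TEXT NOT NULL,
    layer      TEXT NOT NULL,
    scanned_at TEXT NOT NULL,
    UNIQUE (image, layer, scanned_at)
);
CREATE TABLE IF NOT EXISTS findings (
    scan_id  INTEGER NOT NULL REFERENCES scans(scan_id),
    cve_id   TEXT NOT NULL,
    package  TEXT NOT NULL,
    version  TEXT NOT NULL,
    fixed_in TEXT,
    severity TEXT NOT NULL,
    cvss     REAL,
    PRIMARY KEY (scan_id, cve_id, package)
);
"""

# Ordinal ranking so a policy threshold such as "block at HIGH" is a comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store_scan(conn, scan_json):
    """Record one scan and its findings; returns the number of findings stored."""
    scan = json.loads(scan_json)
    with conn:
        cur = conn.execute(
            "INSERT INTO scans (image, registry, layer, scanned_at) VALUES (?,?,?,?)",
            (scan["image"], scan["registry"], scan["layer"], scan["scanned_at"]))
        scan_id = cur.lastrowid
        rows = [(scan_id, f["id"], f["package"], f["version"], f.get("fixed_in"),
                 f["severity"].upper(), f.get("cvss")) for f in scan["findings"]]
        conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?,?,?)", rows)
    return len(rows)


def latest_findings(conn, image):
    """Findings from the most recent scan of `image`, or None if never scanned."""
    row = conn.execute(
        "SELECT scan_id FROM scans WHERE image = ? ORDER BY scanned_at DESC LIMIT 1",
        (image,)).fetchone()
    if row is None:
        return None
    return conn.execute(
        "SELECT cve_id, package, version, fixed_in, severity, cvss "
        "FROM findings WHERE scan_id = ? ORDER BY cvss DESC", (row[0],)).fetchall()


def deployment_decision(conn, image, block_at="HIGH"):
    """Gate a deploy: returns (allowed, reasons). Fails closed on unscanned images."""
    findings = latest_findings(conn, image)
    if findings is None:
        return False, [f"{image}: no scan on record; refusing to deploy unscanned image"]
    threshold = SEVERITY_RANK[block_at.upper()]
    reasons = []
    for cve_id, package, version, fixed_in, severity, cvss in findings:
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        fix = f"upgrade to {package} {fixed_in}+" if fixed_in else "no fixed version published yet"
        reasons.append(f"{cve_id} in {package} {version} ({severity}, CVSS {cvss}): {fix}")
    return (len(reasons) == 0), reasons


if __name__ == "__main__":
    db = open_store()
    store_scan(db, SAMPLE_SCAN)
    for img in ("myapp:1.2", "never-scanned:latest"):
        ok, why = deployment_decision(db, img)
        print(img, "ALLOW" if ok else "BLOCK", *why, sep="\n  ")
```

Keeping every scan as its own row (rather than overwriting per image) gives the historical view the page mentions, and `latest_findings` always gates on the newest scan so a stale clean result cannot mask a later critical finding. The remediation text is derived from the stored `fixed_in` field, which is exactly the "Upgrade to openssl 3.0.7+" guidance in the page's example.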
For cloud-native environments, Tencent Cloud Container Security (TCSS) provides automated image scanning, stores results in a secure dashboard, and integrates with Tencent Kubernetes Engine (TKE) to enforce policies. TCSS also offers alerts and remediation suggestions directly within the console.