• Platform
    Mend-io-logo-mark
    Mend AI Native AppSec Platform Take a tour
    Docker image security scanning: what it can and can’t do - ai
    Mend AI Secure AI powered applications
    Mend sast icon
    Mend SAST Secure proprietary code 10x faster
    Mend container small icon
    Mend Container Container security done right
    Docker image security scanning: what it can and can’t do - sca
    Mend SCA Decrease open source risk
    Docker image security scanning: what it can and can’t do - renovate
    Mend Renovate Automate dependency updates
    Expand AppSec coverage
    Docker image security scanning: what it can and can’t do - dast icon 1 DAST Docker image security scanning: what it can and can’t do - apis icon 1 API security Docker image security scanning: what it can and can’t do - eol icon EOL support
    Platform Benefits
    Docker image security scanning: what it can and can’t do - repoi icon Repo integration Scalability-icon Scalability Docker image security scanning: what it can and can’t do - reachability icon Reachability
  • Solutions
    Ai models risk - nav bar icon
    AI app security Manage risks in AI models and agents
    Ai-red-teaming-icon-
    AI red teaming Test and secure conversational AI
    Docker image security scanning: what it can and can’t do - ai gen code security nav bar icon 36x36 1
    AI gen code security Real-time AI code security
    Sbom - nav bar icon
    SBOM Move from static to effective SBOMs
    Runtime-security-nav-bar-icon
    Dynamic testing Test for risks in running applications
    Code scanning - nav bar icon
    Code scanning Find and fix known vulnerabilities
    Open source license nav bar icon
    Open source security Prevent. Prioritize. Automate.
    Open source license - nav bar icon
    Open source compliance Risk management for OSS licenses
    Dependency updates - nav bar icon
    Dependency updates Reduced risk, better code
    Container security container security
    Container security Container security, simplified
  • Company
    About us - nav bar icon
    About us Who we are
    Careers nav bar icon
    Careers Join our team
    Partners - nav bar icon
    Partners Meet our partners
    Events - nav bar icon
    Events Upcoming events
    Newsroom - nav bar icon
    Newsroom The latest Mend.io news
    Contact-us nav bar icon
    Contact us Connect with us
  • Resources
    Resource center - nav bar icon
    Resource center View our latest resources
    Blog - nav bar icon
    Blog The latest AppSec news and insights
    Podcast-icon
    Podcast Insights from leading experts
    Customers - nav bar icon
    Customers View our customer case studies
    Integrations - nav bar icon
    Integrations Find your integration
    Langugages nav bar icon
    Languages Find your language
    Vulnerability database - nav bar icon
    Vulnerability database Mend.io's OSS vulnerability database
    Documentation - nav bar icon
    Documentation Product and feature documentation
    Featured
    Docker image security scanning: what it can and can’t do - red teaming guide featured image
    AI Red Teaming Practical Guide
    Docker image security scanning: what it can and can’t do - featured image
    A CISO’s Guide to Securing AI from the Start
    Docker image security scanning: what it can and can’t do - practical guide to sast white paper image
    A Practical Guide to Making the Most of your SAST Investment
Schedule a Demo

Table of contents

Related resources

Docker Image Security Scanning: What It Can and Can’t Do

Adam Murray April 18, 2021 6 min read
Application Security
Docker Image Security Scanning: What It Can And Can’t Do

Table of contents

Docker image security scanning should be a core part of your Docker security strategy. Although image scanning won’t protect you from all possible security vulnerabilities, it’s the primary means of defense against security flaws or insecure code within container images. It’s therefore a foundational part of overall Docker security.

In this article, we explain how Docker image security scanning works, why it’s important and what its limitations are.

What is a Docker image security scan?

Docker images

To understand Docker image security scanning, you first have to understand Docker images. In Docker, a container image is a file that defines which data and processes should exist inside a particular container when it starts. In other words, it’s a blueprint for the specific application or service that runs inside a given container.

To create a Docker image, you first create a Dockerfile, which is a plain-text file that defines what should be included in a container image. Typically, your Dockerfile will take a Docker base image, which in most cases is some version of a Linux distribution. The Dockerfile will then modify the base image in some way, such as by adding extra packages to it, or defining certain processes to start in addition to those that the base image runs by default.

Once you have a complete Dockerfile, you can turn it into an image using the Docker build command. You can then upload the image to a container registry, which is a repository of container images that can be downloaded when you want to run a container.

Docker image scans

Docker image security scanning is a process for finding security vulnerabilities within your Docker image files.

Typically, image scanning works by parsing through the packages or other dependencies that are defined in a container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies.

For example, your image might be built with a Dockerfile that includes a stanza such as the following:

RUN yum install -y  https://repo.mysql.com/mysql-community-minimal-release-el7.rpm

https://repo.mysql.com/mysql-community-release-el7.rpm

This line, which is part of one of the official MySQL Dockerfiles, specifies that containers that are run based on your image should download and install the package mysql-community-release-el7.rpm from the specified URL. (In this specific case, the container uses yum to install the package; if you were working with a Debian-derived base image, you’d likely use apt to install packages. It’s possible to install packages directly from a tarball, too, if you wanted.)

If there were a known vulnerability either in that specific version of MySQL, or in the RPM file used to install it, your Docker image security scanning tool should alert you to that vulnerability. (To be clear, there is no known vulnerability in this version of MySQL at the time of writing; we’re simply using this as an example.) With that knowledge, you’ll be able to update your Docker image to use a secure version of MySQL.

Docker image scanning tools

To perform a Docker image security scan, you need a specialized tool. Some container registries, including Docker Hub and Quay, offer built-in scanners that scan all of the container images inside your registry.

Other image scanners, including Anchore and Clair (the same scanner used by Quay), can be used to scan individual container images even if they are not part of a repository. Of course, one-off scanning is not efficient if you have a large-scale container deployment.

What Docker image security scanning won’t do

While Docker image security scanning is one critical way to find security flaws that could lead to a breach within a containerized application, it’s important to note that security scanning by no means provides full security coverage. There are several potential security problems that Docker security image scanning won’t help you find, including:

Security problems in your container environment or orchestrator configuration

Docker image scanning will do nothing to help identify problems such as containers that are running as root (which is almost never a good idea), or an insecure Kubernetes configuration. You need to use other tools (such as Kubernetes pod security policies) to help protect against these environment-level threats.

Insecure shared resources

Resources that are shared between containers, such as storage volumes or networking, may also have security vulnerabilities due to insecure configurations. Docker security image scanning won’t find these problems, because they exist outside container images.

Unknown security vulnerabilities

In most cases, Docker image scanning tools check public security vulnerabilities databases to determine whether a package has a security problem. Obviously, this won’t help you if you use a package that has a security flaw that has not been publicly disclosed. For this reason, you can’t assume that your packages are safe just because your Docker security image scanner deems them to be so.

Vulnerabilities not evident from a package name

As we’ve noted above, Docker image security scanning works by checking to see whether specific packages that are included in a Docker image have known vulnerabilities. This strategy works well for finding many types of vulnerabilities.

However, a big limitation is that image scanners will not be able to find all potential problems in Docker images which include packages that are not publicly monitored for security vulnerabilities. For example, if you take an open source software package, customize it, rebuild it into a new package, and include that new, custom package in your Docker image, your image scanner will not be able to detect all potential problems in it, because the version of the package that you are using is different from the version tracked in public vulnerability databases.

Similarly, if you include open source code in a container by importing it as a tarball instead of using a package from a public repository, your image scanner probably won’t be able to scan that code, because it won’t recognize it as being part of a known package.

For protection in these types of situations, source code analysis tools like Mend are useful because they can determine the origins of your code, even if it includes a mix of original components and third-party open source code that was imported in bits and pieces into your application.

Conclusion

Docker image security scanning should certainly not be the only part of your container security strategy, but it’s a crucial one. Partnered with other security tools that can help you to monitor your container environment and orchestrator, as well as detect security problems in open source code included in a containerized application in ways that image scanners can’t track, image scanning is a foundational part of container security.

Secure containerized applications

See Mend Container

About the author

Adam Murray

Writes about open source security and risk mitigation.

Related Posts

Recent resources

Docker Image Security Scanning: What It Can and Can’t Do - Blog Mend AI Security Dashboard

Introducing Mend.io’s AI Security Dashboard: A Clear View into AI Risk

Mend.io Team Sep 30, 2025
AI Models Risk

Discover Mend.io’s AI Security Dashboard.

Read more
Docker Image Security Scanning: What It Can and Can’t Do - Blog cover Mend Main Blues 1

NPM Ecosystem Under Siege: Self-Propagating Malware Compromises 187 Packages in a Huge Supply Chain Attack

Tom Abai Sep 16, 2025
Malicious Packages

A major NPM breach exposed 187 packages.

Read more
Docker Image Security Scanning: What It Can and Can’t Do - npm supply chain attack blog

NPM Supply Chain Attack: Sophisticated Multi-Chain Cryptocurrency Drainer Infiltrates Popular Packages

Tom Abai Sep 8, 2025
Malicious Packages

A sophisticated npm supply chain attack compromised popular packages

Read more

© 2025 Mend.io (White Source Ltd.) All rights reserved.