Question: Are container images, registries, and runtimes hardened and continuously scanned for vulnerabilities?
Objective — Why This Matters
Containers share the host kernel and its resources, so a single vulnerable image can be the foothold that compromises an entire cluster. Image hardening, continuous scanning, and signed, digest-pinned deployments minimize that risk.
Maturity Levels (0 – 5)
Level 0 – No scanning or signed image enforcement.
Level 1 – Manual scans before release; inconsistent base images.
Level 2 – Registry with limited writers; scheduled scans.
Level 3 – Automated scans on push; signed images enforced.
Level 4 – Runtime enforcement and drift detection.
Level 5 – Continuous compliance with SBOM tracking and zero-trust admission controls.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 2 | Centralize images in a private registry and restrict writes. |
| 2 → 3 | Enable scanning and image signing. |
| 3 → 4 | Add runtime scanning and enforce admission policies. |
| 4 → 5 | Generate SBOMs and integrate into CI/CD for compliance. |
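The gating logic behind the 2 → 3 and 3 → 4 rows above (digest pinning, a single approved registry, signature enforcement, and refusing images with actionable critical findings), written here as an added Python example; it is not code from the page or from any tool it names. The registry host, the Trivy-style report layout, the placeholder CVE identifiers, and the stand-in allow-list of signed digests are all assumptions. In a real cluster this check would live in an admission controller such as Kyverno or OPA, with cosign (or the registry's own signature support) doing the actual signature verification and the scan report fetched from the registry rather than embedded.

```python
import re

# Assumed private registry host (not from the page); only images hosted here are admitted.
ALLOWED_REGISTRY = "registry.example.com"

# A digest-pinned reference: registry[:port]/repo[:tag]@sha256:<64 hex>.
# A mutable tag alone (e.g. ":latest") is rejected because it can change after the scan.
DIGEST_REF = re.compile(
    r"^(?P<registry>[A-Za-z0-9.-]+(?::\d+)?)/(?P<repo>[A-Za-z0-9._/-]+)"
    r"(?::[\w.-]+)?@(?P<digest>sha256:[0-9a-f]{64})$"
)

# Constructed digests used throughout the sample data.
GOOD_DIGEST = "sha256:" + "a" * 64
STALE_DIGEST = "sha256:" + "b" * 64
UNSIGNED_DIGEST = "sha256:" + "c" * 64

# Stand-in for a signature verifier such as cosign: the digests it has accepted.
SIGNED_DIGESTS = {GOOD_DIGEST, STALE_DIGEST}

# Constructed scan results keyed by digest, laid out like Trivy's JSON output
# (Results -> Vulnerabilities -> VulnerabilityID/Severity/FixedVersion); the field
# names are an assumption, and the CVE identifiers are placeholders, not real advisories.
SCAN_REPORTS = {
    GOOD_DIGEST: {"Results": [{"Target": "shop/api", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "MEDIUM", "FixedVersion": "1.2.4"},
    ]}]},
    STALE_DIGEST: {"Results": [{"Target": "shop/base", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL", "FixedVersion": "2.0.1"},
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "CRITICAL", "FixedVersion": ""},
    ]}]},
}


def parse_image_ref(ref):
    """Return (registry, digest) for a digest-pinned reference, or None if it is not one."""
    m = DIGEST_REF.match(ref)
    return (m.group("registry"), m.group("digest")) if m else None


def fixable_critical_cves(report):
    """IDs of CRITICAL findings for which the scanner reports a fixed version."""
    ids = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") == "CRITICAL" and vuln.get("FixedVersion"):
                ids.append(vuln["VulnerabilityID"])
    return ids


def evaluate_image(ref, signed_digests=SIGNED_DIGESTS, scan_reports=SCAN_REPORTS):
    """Return the policy violations for one image reference; an empty list means admit."""
    parsed = parse_image_ref(ref)
    if parsed is None:
        return [f"{ref}: not a digest-pinned reference (registry/repo@sha256:...)"]
    registry, digest = parsed
    violations = []
    if registry != ALLOWED_REGISTRY:
        violations.append(f"{ref}: registry {registry!r} is not the approved private registry")
    if digest not in signed_digests:
        violations.append(f"{ref}: no valid signature for {digest}")
    report = scan_reports.get(digest)
    if report is None:
        violations.append(f"{ref}: no scan report for {digest} (scan-on-push missing)")
    else:
        cves = fixable_critical_cves(report)
        if cves:
            violations.append(f"{ref}: fixable CRITICAL findings: {', '.join(cves)}")
    return violations


def admit_pod(pod, **policy_inputs):
    """Evaluate every container of a Pod manifest, init containers included."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    violations = []
    for container in containers:
        violations.extend(evaluate_image(container["image"], **policy_inputs))
    return not violations, violations


# Constructed Pod manifest exercising each rule: one compliant image, one with a fixable
# critical CVE, one mutable public tag, and one init image that is neither signed nor scanned.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "shop"},
    "spec": {
        "initContainers": [{"image": f"{ALLOWED_REGISTRY}/shop/init@{UNSIGNED_DIGEST}"}],
        "containers": [
            {"image": f"{ALLOWED_REGISTRY}/shop/api@{GOOD_DIGEST}"},
            {"image": f"{ALLOWED_REGISTRY}/shop/base:1.0@{STALE_DIGEST}"},
            {"image": "docker.io/library/nginx:latest"},
        ],
    },
}

if __name__ == "__main__":
    allowed, reasons = admit_pod(SAMPLE_POD)
    print("ADMIT" if allowed else "DENY")
    for reason in reasons:
        print(" -", reason)
```

The check fails closed on two independent signals, signature and scan report, so an image that was signed but never scanned (or scanned but never signed) is still denied; that is what moves a team from Level 2, where scans merely happen on a schedule, to Level 3, where an unscanned or unsigned image cannot run. Unfixable critical findings are deliberately not blocking here, since nothing can be done about them at admission time; they belong in the Metrics below as detection-to-patch time once a fix appears.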
People / Process / Technology Enablers
People – DevOps, Platform Engineer.
Process – Image build review, approval workflows.
Technology – Trivy, Clair, Harbor, Kyverno.
Evidence Required
Scan reports, signed image manifests, runtime alerts.
Metrics / KPIs
• Percentage of images scanned before deployment
• Number of unsigned or unverified images detected
• Average time from detection to patch update
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Scanning | Trivy / Clair | Automated image vulnerability scanning. |
| Registry | Harbor | Built-in scanning and signature enforcement. |
| Policy | Kyverno / OPA | Admission control for compliance. |
Common Pitfalls
Skipping scans for internal projects; ignoring critical CVEs in base images, which every derived image inherits until the base is rebuilt.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.9 / A.8.13. |
| NIST CSF 2.0 | PR.DS-1 / PR.IP-1. |
| CERT-In 2022 | Secure software supply chain. |
| NIRMATA Scoring | IS-Q07 ≥ Level 4 requires runtime drift monitoring. |