CVE Scanning Guide

CVE Scanning

Integrating vulnerability scanning into your CI/CD pipeline is critical for maintaining a secure posture.

Recommended Tools

1. Trivy (by Aqua Security)

The industry standard for container scanning.

trivy image securescale/python:fastapi-3.11

2. Grype (by Anchore)

Fast and lightweight, great for CI pipelines.

grype securescale/nodejs:20-distroless

GitHub Actions Integration

Add this snippet to your .github/workflows/scan.yml. With these settings the job fails (exit code 1) only when a CRITICAL or HIGH vulnerability with an available fix is found in an OS package or an application library; findings without a fix are skipped. In a production pipeline, pin trivy-action to a release tag or commit SHA rather than master so the scanner itself is not a moving supply-chain dependency.

steps:
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'your-image-tag'
      format: 'table'
      exit-code: '1'
      ignore-unfixed: true
      vuln-type: 'os,library'
      severity: 'CRITICAL,HIGH'
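The same policy can be enforced outside GitHub Actions by running trivy image -f json and gating on the report. The script below is an added example, not part of this guide or of the Trivy project; the field names (Results, Vulnerabilities, VulnerabilityID, FixedVersion, Severity) are assumed to follow Trivy's JSON report layout, and the embedded report and CVE IDs are constructed placeholders.

```python
"""Policy gate over a Trivy JSON report: fail on fixed CRITICAL/HIGH findings."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (placeholder CVE IDs) in Trivy's assumed JSON layout.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "securescale/python:fastapi-3.11",
    "Results": [
        {"Target": "securescale/python:fastapi-3.11 (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
         ]},
        # A clean target: Trivy omits the Vulnerabilities key entirely.
        {"Target": "usr/local/bin/app", "Class": "lang-pkgs"},
    ],
})


def findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return (target, id, pkg, installed, fixed, severity) for each failing finding."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    failing = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key may be missing or null
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # mirrors ignore-unfixed: true
            failing.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                            vuln["PkgName"], vuln["InstalledVersion"],
                            vuln.get("FixedVersion", ""), vuln["Severity"]))
    return failing


def exit_code(report_json, **policy):
    """CI exit status: 1 if any finding violates the policy, else 0."""
    return 1 if findings(report_json, **policy) else 0


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for row in findings(data):
        print("FAIL", *row)
    sys.exit(exit_code(data))
```

Run as python gate.py report.json after trivy image -f json -o report.json <image>; with no argument it evaluates the embedded sample.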

SBOM (Software Bill of Materials)

SecureScale images include high-quality SBOMs. You can produce one from an image with syft (CycloneDX JSON shown here; syft also supports other output formats):

syft securescale/python:fastapi-3.11 -o cyclonedx-json > sbom.json