Image Scanning Best Practices for Containers and Kubernetes
KNOX ANDERSON, Director of Product Management - Sysdig
PAWAN SHANKAR, Director of Product Marketing - Sysdig
| Sysdig Inc. Proprietary Information2
Agenda
● Image scanning overview
● 10 image scanning best practices to adopt in production
● Demo / Sysdig Secure overview
● Q&A
Why Image Scanning?
High Level DevOps Workflow
[Diagram] Application Delivery Lifecycle: Developer → Source code repository → CI/CD → Staging/QA → Production → Monitoring
Security addressed post deployment: causes disruption and delay
Consequences of security coming in late
*Sysdig 2019 Container usage report
Secure DevOps Workflow
Image Scanning Best Practices
1: Bake image scanning into CI/CD pipelines
2: Adopt inline scanning
● With inline image scanning the image is analyzed where it is built or stored (CI runner, registry, or node) and only the scan metadata is sent to your scanning tool; the image contents never leave your environment, helping you keep control of your privacy.
3: Perform image scanning at registries
4: Leverage Kubernetes admission controllers
5: Pin your image versions
● Sometimes the image you scan is not the same one you deploy in your Kubernetes cluster: mutable tags such as latest are re-pointed on every push.
● Such tags are constantly updated with newer versions, making it hard to know whether the latest scan results are still valid for the image that actually runs.
● Pin to an immutable reference (the image digest) and enforce this policy via the combination of a Kubernetes admission controller, your image scanner, and the OPA engine.
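The admission-time check described in this practice, as an added example that is not Sysdig's code or the deck's own: a minimal, offline version of the decision a validating admission webhook or an OPA/Gatekeeper policy would make, so that the image admitted to the cluster is byte-for-byte the image that was scanned. The reference grammar is a simplification of the OCI one, and the manifest and digest are constructed for the example.

```python
"""Admission check that every container image is pinned by digest (added example)."""
import re

# Simplified image reference grammar: [host[:port]/]path[:tag][@sha256:<64 hex>]
_REF = re.compile(
    r"^(?P<name>[^:@\s]+(?::\d+/[^:@\s]+)?)"       # repo path, optional host:port/
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"            # tag, as allowed by the OCI spec
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"      # content-addressed digest
)
# Tags that are floating by convention and get re-pointed on every push.
FLOATING_TAGS = {"latest", "stable", "edge", "main", "master", "nightly"}


def parse_ref(ref: str):
    """Return {'name', 'tag', 'digest'} or None for an unparseable reference."""
    m = _REF.match(ref)
    return m.groupdict() if m else None


def check_image(ref: str):
    """Classify one reference: 'allow' (digest), 'warn' (version tag only), 'deny' (floating)."""
    parts = parse_ref(ref)
    if parts is None:
        return "deny", f"{ref}: unparseable image reference"
    if parts["digest"]:
        return "allow", f"{ref}: pinned by digest; the scan result for this digest stays valid"
    tag = parts["tag"]
    if tag is None or tag in FLOATING_TAGS:
        shown = tag or "latest (implicit)"
        return "deny", f"{ref}: floating tag {shown} can change after the scan"
    return "warn", f"{ref}: tag {tag} is not immutable; pin with @sha256 so scan and deploy match"


def images_in(manifest: dict):
    """Collect images from a Pod, or from the pod template of a Deployment/StatefulSet/Job.
    (CronJob nests the template one level deeper and is not handled here.)"""
    spec = manifest.get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return [c["image"] for key in ("initContainers", "containers") for c in spec.get(key, [])]


def admit(manifest: dict, require_digest: bool = True):
    """Return (admitted, reasons); with require_digest=False a version tag is only a warning."""
    admitted, reasons = True, []
    for ref in images_in(manifest):
        verdict, why = check_image(ref)
        reasons.append(f"{verdict}: {why}")
        if verdict == "deny" or (verdict == "warn" and require_digest):
            admitted = False
    return admitted, reasons


# Constructed digest and Deployment, not from any real registry.
DIGEST = "sha256:" + "0123456789abcdef" * 4
DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "registry.example.com:5000/app-migrate:1.4.2"}],
        "containers": [
            {"name": "web", "image": "nginx:latest"},
            {"name": "api", "image": f"ghcr.io/example/api:1.4.2@{DIGEST}"},
        ],
    }}},
}

if __name__ == "__main__":
    ok, reasons = admit(DEPLOYMENT)
    print("admitted" if ok else "denied")
    for r in reasons:
        print(" ", r)
```

Run as-is, the constructed Deployment is denied twice over: the init container carries a version tag without a digest, and the web container uses latest. Only the api container, whose reference ends in the digest the scanner reported, would be admitted on its own.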
6: Scan for OS vulnerabilities
● New Docker images are usually built from an existing base image
● Even if you didn't introduce a new vulnerability in your image, it inherits those present in the base image's OS packages
● Actively track known vulnerable images and ensure you have proper alerting in place if exposed
7: Scan for vulnerabilities in third-party libraries
8: Make use of lightweight base images
● Restrict what's in your runtime container to precisely what's necessary
● It also improves the signal-to-noise ratio of scanners: fewer packages means fewer findings that have nothing to do with your application
9: Scan for Dockerfile misconfigurations
10: Flag vulnerabilities quickly across Kubernetes deployments
It’s an image scanning best practice to continuously scan your images to:
● Detect new vulnerabilities and adapt to your policy changes.
● Report those findings to the appropriate teams so they can fix the images as soon as possible.
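Practices 1 and 10 (and the OS and library scans of 6 and 7) need the same policy engine: the pipeline gate and the continuous rescan of images already deployed differ only in when they run. The image does not change after it is built, but the vulnerability feed and the policy do, so a pass on build day can become a fail a week later. The example below is added here and is not Sysdig's code: it matches an image's SBOM against two snapshots of a feed and evaluates a policy with time-boxed exceptions. Packages, advisory IDs and versions are constructed and are not real CVEs, and the version comparison is numeric-only for brevity.

```python
"""Policy gate over image scan results (added example, not Sysdig's code)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Package:            # one SBOM entry: OS package or application library alike
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:           # one entry of the vulnerability feed
    id: str
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None if no fix yet
    severity: str


@dataclass(frozen=True)
class Finding:
    advisory: Advisory
    package: Package


@dataclass
class Verdict:
    passed: bool
    blocking: List[str]
    warnings: List[str]


def vkey(version: str):
    """Numeric-only version key; a stand-in for a real dpkg/rpm/semver comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def scan(sbom: List[Package], feed: List[Advisory]) -> List[Finding]:
    """Match every SBOM package against the feed: affected if introduced <= v < fixed."""
    findings = []
    for pkg in sbom:
        for adv in feed:
            if adv.package != pkg.name or vkey(pkg.version) < vkey(adv.introduced):
                continue
            if adv.fixed is not None and vkey(pkg.version) >= vkey(adv.fixed):
                continue
            findings.append(Finding(adv, pkg))
    return findings


def evaluate(findings: List[Finding], today: date, fail_at: str = "high",
             fixable_only: bool = True, exceptions: Optional[Dict[str, date]] = None) -> Verdict:
    """Block on findings at or above fail_at (by default only when a fix exists).
    exceptions maps advisory id -> expiry date; an expired exception no longer suppresses."""
    exceptions = exceptions or {}
    blocking, warnings = [], []
    for f in findings:
        adv, where = f.advisory, f"{f.package.name} {f.package.version}"
        expiry = exceptions.get(adv.id)
        detail = f"{adv.id} {adv.severity} in {where}, fixed in {adv.fixed or 'no fix'}"
        if expiry is not None and today <= expiry:
            warnings.append(f"{adv.id} in {where}: risk accepted until {expiry}")
        elif SEVERITY[adv.severity] >= SEVERITY[fail_at] and (adv.fixed or not fixable_only):
            blocking.append(detail)
        else:
            warnings.append(detail)
    return Verdict(not blocking, blocking, warnings)


# Constructed SBOM of one image and two snapshots of a vulnerability feed.
IMAGE_SBOM = [Package("libexample", "1.2.3"), Package("exampletls", "3.0.1")]
FEED_DAY1 = [
    Advisory("EX-0001", "libexample", "1.0.0", "1.2.4", "high"),
    Advisory("EX-0002", "exampletls", "3.0.0", None, "medium"),
]
FEED_DAY2 = FEED_DAY1 + [Advisory("EX-0003", "exampletls", "2.9.0", "3.0.2", "critical")]


def gate(feed: List[Advisory], today: date, exceptions: Optional[Dict[str, date]] = None) -> Verdict:
    """One run of the gate: used at build time and again by the continuous rescan."""
    return evaluate(scan(IMAGE_SBOM, feed), today, exceptions=exceptions)


if __name__ == "__main__":
    accepted = {"EX-0001": date(2024, 6, 30)}            # time-boxed risk acceptance
    for label, feed, day in [("build day", FEED_DAY1, date(2024, 6, 3)),
                             ("rescan, new advisory", FEED_DAY2, date(2024, 6, 10)),
                             ("rescan, exception expired", FEED_DAY1, date(2024, 7, 8))]:
        v = gate(feed, day, accepted)
        print(f"{label}: {'PASS' if v.passed else 'FAIL'} blocking={v.blocking} warnings={v.warnings}")
```

Three runs against the same image tell the story of this practice: on build day the high-severity, fixable EX-0001 blocks until someone accepts the risk until a date; a week later the feed gains a critical advisory and the rescan fails the image that already passed; and once the acceptance expires, the original finding blocks again. The medium finding with no fix available only ever warns, which is what the fixable-only default is for.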
BONUS: SaaS for Efficiency and Faster Innovation
More time for dev -- less time on ops
● On-demand and scalable resources: You can start by scanning a few images and grow as your container applications scale, without worrying about backend data management.
● Fast implementation: You can embed scanning into your CI/CD pipelines and get up and running in minutes, unlike on-premises applications that take more time to install and set up.
● Easy upgrades and maintenance: The SaaS provider handles patches and rolls out new feature updates that don’t require you to upgrade manually.
● No infrastructure or staff costs: You avoid paying for in-house hardware and software licenses with perpetual ownership. You also don’t need on-site staff to maintain and support the application.
Let’s see Sysdig in action!
Sysdig Secure DevOps for Cloud Native
Open by design / Strong momentum / Ecosystem integration
• Founded by Wireshark co-creator
• Contributed Falco to CNCF
• Supported open-source sysdig (10M+ downloads)
• Customer expansion mirrors cloud-native adoption
• Trusted by the largest enterprises
• Cloud-native security and monitoring
• Provides visibility and control for secure operations
Sysdig Secure DevOps Platform
Converging monitoring and security to ship cloud apps faster
[Diagram] Service Vision, Container Vision, Image Vision: Embed Security and Compliance; Maximize Performance and Availability; Get Results Quickly
Sysdig Secure: Manage Security and Compliance Risk
Cloud Compliance: Continuously validate compliance with industry regulations
Runtime Security: Prevent and detect threats without impacting performance
Image Scanning: Scan for vulnerabilities and misconfigurations
Incident Response: Conduct IR and forensics even after the container is gone
[Diagram] Sysdig Secure building blocks: Kube-API detection, syscall detection, pod security, Linux / container syscall captures / activity audit, runtime scanning, CI/CD and registry scanning, CVE reports, CIS Benchmarks / compliance standards (PCI, NIST, etc.)
Secure DevOps Workflows (Build / Run / Respond)
Essentials Tier:
• Image scanning
• Runtime security
• Container / Kubernetes monitoring
• Apps / cloud services monitoring
• Advanced troubleshooting
• Incident response
• Forensics
Enterprise Tier (includes Essentials workflows):
• Advanced threat prevention
• ML-based anomaly detection
• Extended compliance controls
• Continuous Compliance (PCI, NIST, CIS, etc.)
Ready for a Free Trial?
Available for Sysdig Platform,
Sysdig Secure or Sysdig Monitor
• Free for 30 days
• No credit card required
• Sign up today
sysdig.com/company/free-trial/
Thursday, July 30, 12pm BST / 1pm CEST: Secure DevOps Virtual Meetup Europe · DevOps security and compliance with guest, Red Hat
Register today: sysdig.com/webinars
Thursday, August 6, 10am PDT / 7pm CEST: Automate Container Security, Monitoring and Compliance · Dutch telco KPN shares their experience in ramping Kubernetes production workloads
Thursday, August 13, 10am PDT / 7pm CEST: Introduction to Instrumenting Apps with Prometheus · Brian Brazil, author of Prometheus Up and Running, walks through the basics to get started
Q&A
Dig deeper