Container image scanning before push
Demonstrate that all container images are scanned for vulnerabilities and policy violations before being pushed to container registries, and that images exceeding defined risk thresholds are automatically blocked.
Description
What this control does
Container image scanning before push requires that all container images undergo automated vulnerability and compliance scanning prior to being pushed to a container registry. Scanning tools analyze image layers, dependencies, and configuration for known CVEs, malware, misconfigurations, and policy violations. Images failing scan thresholds are blocked from registry ingestion, preventing vulnerable artifacts from entering production supply chains. This control enforces a security gate in the CI/CD pipeline, ensuring only vetted images progress to deployment stages.
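The gate described above, as an added example that is not part of this control text or of any scanner's own code: a Python policy check that evaluates a scan report laid out like Trivy's JSON output against an organisation's severity thresholds and secret-detection rule, and returns a non-zero exit code so the CI job fails before the push step runs. The report, the policy values and the CVE identifiers are constructed placeholders, and the report layout is an assumption (real reports carry many more fields).

```python
import json

# Constructed sample report (assumption: mirrors Trivy's "Results" layout;
# the CVE identifiers are placeholders, not real advisories).
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "registry.example.invalid/app:1.2.3",
  "Results": [
    {"Target": "app:1.2.3 (debian 12)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.0.1"},
       {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libother",   "Severity": "HIGH",     "FixedVersion": ""},
       {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "libminor",   "Severity": "LOW",      "FixedVersion": "2.3.4"}
     ]},
    {"Target": "/app/.env", "Class": "secret",
     "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID"}]}
  ]
}
""")

# Example thresholds (assumption; set these from the organisation's scanning policy).
POLICY = {
    "max_by_severity": {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 10},
    "block_on_secrets": True,
    "ignore_unfixed": False,   # True waives findings with no FixedVersion (a common, risky exception)
}

def evaluate(report, policy):
    """Return (allowed, reasons): allowed is False when any threshold is exceeded."""
    counts, reasons = {}, []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if policy["ignore_unfixed"] and not vuln.get("FixedVersion"):
                continue  # waived: no vendor fix available yet
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
        if policy["block_on_secrets"]:
            for secret in result.get("Secrets") or []:
                reasons.append(f"secret detected: {secret['RuleID']} in {result['Target']}")
    for sev, limit in policy["max_by_severity"].items():
        if counts.get(sev, 0) > limit:
            reasons.append(f"{counts[sev]} {sev} vulnerabilities exceed limit {limit}")
    return (not reasons), reasons

def gate_exit_code(report, policy):
    """Print every blocking reason and return the exit code the CI step should use."""
    allowed, reasons = evaluate(report, policy)
    for reason in reasons:
        print("BLOCK:", reason)
    return 0 if allowed else 1

if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_REPORT, POLICY))
```

In a pipeline the scanner's JSON output replaces SAMPLE_REPORT and the push stage is made dependent on this step exiting 0, so an image cannot reach the registry without a recorded, passing scan.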
Control objective
What auditing this proves
Demonstrate that all container images are scanned for vulnerabilities and policy violations before being pushed to container registries, and that images exceeding defined risk thresholds are automatically blocked.
Associated risks
Risks this control addresses
- Deployment of container images containing exploitable vulnerabilities with known CVEs into production environments
- Introduction of malware, backdoors, or cryptominers embedded in image layers or dependencies
- Use of images with hardcoded secrets, credentials, or API keys exposed in environment variables or configuration files
- Propagation of images built from untrusted or compromised base images without provenance verification
- Deployment of containers running as root or with excessive capabilities that violate least-privilege principles
- Exposure to supply chain attacks through unvetted third-party libraries or packages in application dependencies
- Circumvention of security policies by developers pushing unscanned images directly to registries via alternate paths
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's container image scanning policy, including defined vulnerability severity thresholds, scan frequency requirements, and enforcement mechanisms
- Inventory all container registries in use (e.g., Docker Hub, ECR, ACR, Harbor, Artifactory) and identify which are subject to pre-push scanning requirements
- Review CI/CD pipeline configurations for a sample of representative applications to confirm scanner integration points before registry push stages
- Examine scanner tool configuration (e.g., Trivy, Snyk, Anchore, Prisma Cloud) to verify enabled scan types include vulnerability, malware, secret detection, and policy compliance checks
- Select five recent container image push attempts and retrieve scan reports to validate that scanning occurred, results were recorded, and severity findings were classified correctly
- Attempt to push a test container image containing known high-severity vulnerabilities to a protected registry to verify automated blocking occurs
- Review registry access logs and audit trails to confirm no images were pushed without corresponding scan completion records within the past 90 days
- Interview DevOps personnel to identify any documented exceptions, bypasses, or emergency override procedures and verify appropriate approval workflows exist
Where this control is tested