Image and IaC scanning — Trivy, Checkov, Terrascan, and shift-left infrastructure
Vulnerable container images and misconfigured IaC are two of the most common vectors for cloud incidents. Automated scanning in the pipeline catches these problems before deployment.
Container image scanning with Trivy
Trivy scans the entire image: base OS, packages, language dependencies, and configurations.
```bash
# local scan of an image
trivy image nginx:1.25
```

```text
# summarized output
nginx:1.25 (debian 12.0)
==========================
Total: 42 (CRITICAL: 3, HIGH: 15, MEDIUM: 20, LOW: 4)

┌──────────────────┬────────────────┬──────────┬───────────────────┐
│ Library          │ Vulnerability  │ Severity │ Fixed Version     │
├──────────────────┼────────────────┼──────────┼───────────────────┤
│ openssl          │ CVE-2023-0464  │ CRITICAL │ 3.0.9-1           │
│ libexpat1        │ CVE-2023-52425 │ HIGH     │ 2.5.0-1           │
└──────────────────┴────────────────┴──────────┴───────────────────┘
```
```yaml
# GitHub Actions — Trivy in the pipeline
- name: Scan container image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "myapp:${{ github.sha }}"
    format: "sarif"
    output: "trivy-results.sarif"
    severity: "CRITICAL,HIGH"
    exit-code: "1"
```
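The `exit-code: "1"` setting above fails the job on any CRITICAL or HIGH finding. Teams often want a slightly finer policy: fail only on findings that already have a fixed version, report the rest as deferred, and honour a `.trivyignore` list of accepted risks. The following added example (not part of this page or of the Trivy project) implements that policy over Trivy's `--format json` output. The sample report is constructed inline from the two CVEs in the table above; the `CVE-EXAMPLE-*` ids and the package versions are placeholders, not real advisories.

```python
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of `trivy image --format json` output. The two fixed CVEs are the
# ones from the table above; the CVE-EXAMPLE-* ids are placeholders, not real advisories.
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "nginx:1.25",
    "Results": [{
        "Target": "nginx:1.25 (debian 12.0)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-0464", "PkgName": "openssl",
             "InstalledVersion": "3.0.8-1", "FixedVersion": "3.0.9-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-52425", "PkgName": "libexpat1",
             "InstalledVersion": "2.4.9-1", "FixedVersion": "2.5.0-1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
             "InstalledVersion": "2.1-1", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
})


def parse_trivyignore(text):
    """Read a .trivyignore file: one vulnerability id per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def gate(report_json, fail_on="HIGH", require_fix=True, ignore=frozenset()):
    """Decide whether a Trivy JSON report should fail the pipeline.

    Returns (exit_code, blocking, deferred). A finding is blocking when its severity
    is at or above `fail_on` and it is not in `ignore`. With require_fix=True, findings
    that have no FixedVersion yet are reported as deferred instead of failing the build,
    because a rebuild could not remove them today.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, deferred = [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # Trivy omits or nulls the key when empty
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if vuln["VulnerabilityID"] in ignore:
                continue
            entry = (vuln["VulnerabilityID"], vuln["PkgName"], vuln.get("FixedVersion", ""))
            if require_fix and not vuln.get("FixedVersion"):
                deferred.append(entry)
            else:
                blocking.append(entry)
    return (1 if blocking else 0), blocking, deferred


if __name__ == "__main__":
    # Usage: trivy image --format json myapp:tag | python trivy_gate.py
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRIVY_JSON
    code, blocking, deferred = gate(report)
    for vid, pkg, fixed in blocking:
        print(f"BLOCK {vid} {pkg} -> upgrade to {fixed}")
    for vid, pkg, _ in deferred:
        print(f"DEFER {vid} {pkg} (no fix available yet)")
    sys.exit(code)
```

Deferred findings still need an owner: the intent is to keep them visible in the job log (or the SARIF upload) without blocking every build on something no rebuild can fix, and to revisit them when the base OS publishes a fixed package.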
Best practices for secure images
1. Use minimal base image: alpine, distroless, or scratch
2. Never run as root (USER nonroot)
3. Copy only what is needed — strict .dockerignore
4. Multi-stage build: build artifacts do not enter the final image
5. Fixed tag: FROM node:20.12.0-alpine3.19 — never :latest
6. Periodic rebuild to capture base OS updates
IaC scanning with Checkov
Checkov analyzes Terraform, CloudFormation, Kubernetes YAML, Dockerfile, and other IaC formats.
```bash
# scan a Terraform directory
checkov -d ./infra --framework terraform
```

```text
# output
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
        FAILED for resource: aws_s3_bucket.app_data
        File: /infra/storage.tf, Line 5
Check: CKV_AWS_57: "Ensure S3 bucket has MFA delete enabled"
        FAILED for resource: aws_s3_bucket.app_data
        File: /infra/storage.tf, Line 5
```
```yaml
# GitHub Actions — Checkov in the pipeline
- name: Checkov IaC scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: infra/
    framework: terraform
    soft_fail: false   # false: any failed check fails the job (soft_fail: true only reports)
    output_format: sarif
    output_file_path: checkov.sarif
```
IaC scanning with Terrascan
An alternative to Checkov, focused on OPA/Rego policies:
```bash
terrascan scan -i terraform -d ./infra \
  --policy-type aws \
  --severity HIGH \
  --output json
```
Shift-left infrastructure: validation in the IDE
Plugins for VS Code and JetBrains run Checkov/Terrascan while the developer edits .tf or .yaml files:
```text
Feedback loop:
Developer writes aws_security_group with ingress 0.0.0.0/0
  → IDE highlights in red: CKV_AWS_25 (SSH open to the world)
  → Fixed before committing
  → Pipeline confirms no violation remains
```
Common check coverage
Checkov / Terrascan verify, among others:
AWS:
- S3 without block public access
- RDS without encryption
- Security group with 0.0.0.0/0 on sensitive ports
- IAM with wildcard (*) permissions
- CloudTrail disabled
Kubernetes:
- Pod running as root
- Container without CPU/memory limits
- Image with :latest tag
- readOnlyRootFilesystem: false
- Capabilities not dropped
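To make concrete what these checks actually test, here is an added example (not code from Checkov or Terrascan) that applies the AWS checks to a document in Terraform JSON syntax (the `.tf.json` form, which is what `json.load` would return) and the Kubernetes checks to a Deployment manifest. Both sample documents are constructed inline. The rule ids are this example's own, matching a bucket to its `aws_s3_bucket_public_access_block` is simplified to a regex over the `bucket` reference, and the list of sensitive ports is an assumption.

```python
import json
import re

SENSITIVE_PORTS = {22, 3389, 3306, 5432}        # SSH, RDP, MySQL, PostgreSQL (assumed list)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

# Constructed sample in Terraform JSON syntax: app_data has no public access block,
# the database is unencrypted, SSH is open to the world, the policy is Allow */*,
# and the trail has logging switched off. The "logs" bucket is the compliant control.
SAMPLE_TF = {"resource": {
    "aws_s3_bucket": {"app_data": {"bucket": "app-data-example"}, "logs": {"bucket": "logs-example"}},
    "aws_s3_bucket_public_access_block": {"logs": {
        "bucket": "${aws_s3_bucket.logs.id}", "block_public_acls": True, "block_public_policy": True,
        "ignore_public_acls": True, "restrict_public_buckets": True}},
    "aws_db_instance": {"main": {"engine": "postgres", "storage_encrypted": False}},
    "aws_security_group": {"web": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_iam_policy": {"admin": {"policy": json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    "aws_cloudtrail": {"main": {"name": "main", "s3_bucket_name": "logs-example", "enable_logging": False}},
}}

# Constructed sample Deployment: "web" violates every check, "sidecar" passes all of them.
SAMPLE_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "myapp"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "myapp:latest"},
        {"name": "sidecar", "image": "registry.example/sidecar:1.4.2",
         "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
         "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}}}]}}}}


def _as_list(value):
    """Terraform JSON and IAM documents allow a single object where a list is also valid."""
    return value if isinstance(value, list) else [value]


def check_terraform(doc):
    """AWS checks over Terraform JSON syntax. Returns [(rule_id, resource_address)]."""
    res, findings = doc.get("resource", {}), []
    covered = set()                               # buckets that have a complete public access block
    for pab in res.get("aws_s3_bucket_public_access_block", {}).values():
        ref = re.search(r"aws_s3_bucket\.(\w+)", str(pab.get("bucket", "")))
        if ref and all(pab.get(k) is True for k in PAB_KEYS):
            covered.add(ref.group(1))
    findings += [("S3_PUBLIC_ACCESS", f"aws_s3_bucket.{n}") for n in res.get("aws_s3_bucket", {}) if n not in covered]
    for name, db in res.get("aws_db_instance", {}).items():
        if db.get("storage_encrypted") is not True:
            findings.append(("RDS_UNENCRYPTED", f"aws_db_instance.{name}"))
    for name, sg in res.get("aws_security_group", {}).items():
        for rule in _as_list(sg.get("ingress", [])):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            if cidrs & PUBLIC_CIDRS and (str(rule.get("protocol")) == "-1" or any(lo <= p <= hi for p in SENSITIVE_PORTS)):
                findings.append(("SG_WORLD_OPEN", f"aws_security_group.{name}"))
    for name, pol in res.get("aws_iam_policy", {}).items():
        for stmt in _as_list(json.loads(pol["policy"]).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])):
                findings.append(("IAM_WILDCARD", f"aws_iam_policy.{name}"))
    for name, trail in res.get("aws_cloudtrail", {}).items():
        if trail.get("enable_logging") is False:
            findings.append(("CLOUDTRAIL_DISABLED", f"aws_cloudtrail.{name}"))
    return findings


def check_kubernetes(manifest):
    """Kubernetes checks over a Pod, or the pod template of a Deployment/StatefulSet/DaemonSet."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)          # workloads wrap the pod spec in a template
    pod_sc = pod.get("securityContext", {})
    name = manifest.get("metadata", {}).get("name")
    findings = []
    for c in pod.get("containers", []):
        ref = f"{manifest.get('kind')}/{name}:{c.get('name')}"
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1]                         # last path element carries the tag
        sc = {**pod_sc, **c.get("securityContext", {})}       # container-level settings win
        limits = c.get("resources", {}).get("limits", {})
        if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
            findings.append(("IMAGE_LATEST", ref))
        if not (sc.get("runAsNonRoot") is True or (sc.get("runAsUser") or 0) > 0):
            findings.append(("RUNS_AS_ROOT", ref))
        if not ("cpu" in limits and "memory" in limits):
            findings.append(("NO_LIMITS", ref))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("WRITABLE_ROOTFS", ref))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("CAPS_NOT_DROPPED", ref))
    return findings
```

The value of running something like this in your head is seeing why the real tools need resource-graph awareness: the S3 check cannot be answered from the bucket resource alone, it depends on a second resource referencing it, and the security-group check is a port-range intersection rather than a string match on `0.0.0.0/0`.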
Summary
Trivy finds vulnerabilities in images. Checkov and Terrascan detect misconfigurations in IaC. Both integrated into the pipeline — and the IDE — ensure that insecure infrastructure is always identified and fixed before reaching the environment.