Safeguard
AI Security

How to Choose a Container Scanning Tool That Actually Helps

A practitioner's guide to picking a container scanning tool: what it should detect, where it fits in the pipeline, and how to avoid drowning in false positives.

Safeguard Research Team
Research
6 min read

A container scanning tool inspects the layers of a container image to identify known-vulnerable OS packages, application dependencies, misconfigurations, and leaked secrets before the image ships to production. Choosing the right one is less about which tool has the longest feature list and more about whether it fits your pipeline, produces findings your engineers will act on, and keeps up with the images you actually build.

Most teams discover their first container scanner the hard way: a registry vendor turns one on, it reports 400 "critical" findings on a base image nobody has touched in months, and everyone learns to ignore the dashboard. Picking a tool that avoids that fate is the real goal.

What a container scanning tool should detect

A container image is a stack of filesystem layers, and vulnerabilities can hide in any of them. A capable scanner covers four categories.

OS package vulnerabilities. The base image (debian:bookworm, alpine:3.19, ubuntu:24.04) ships a package database. The scanner matches installed package versions against advisory feeds (Debian Security Tracker, Alpine secdb, Red Hat OVAL, and the like). This is the bread and butter and where quality of the advisory mapping matters most.

Application dependencies. The interesting risk usually lives above the OS: the npm, PyPI, Maven, Go, or RubyGems packages your app pulls in. A scanner that only reads the OS package DB misses your actual code's supply chain. This overlaps heavily with software composition analysis, and the best container scanners share a vulnerability backend with their SCA product.

Misconfigurations. Running as root, a missing USER directive, world-writable files, an exposed Dockerfile ADD from a remote URL. These are not CVEs but they are real weaknesses.

Secrets. API keys, private keys, and tokens accidentally baked into a layer. Because layers are immutable and additive, a secret deleted in a later layer is still recoverable from the earlier one, so scanners inspect the full history, not just the final filesystem.

Where it fits in the pipeline

A container scanning tool earns its keep by running in more than one place:

Build time     scan the image in CI right after `docker build`
Registry       scan on push, and rescan on new advisories
Admission      block non-compliant images at the k8s gate
Runtime        alert on images already running when new CVEs land

The single highest-value integration is build-time scanning in CI, because it gives the developer who introduced a dependency the feedback while the change is still in their head. A representative gate:

# CI step: fail the build on new fixable criticals
- name: scan image
  run: |
    scanner image myapp:${{ github.sha }} \
      --severity CRITICAL,HIGH \
      --ignore-unfixed \
      --exit-code 1

The --ignore-unfixed flag is quietly one of the most important settings. A vulnerability with no available fix is not something the developer can act on today; failing the build on it just trains people to add blanket ignores. Gate on fixable criticals and highs, and track the unfixable ones separately.

The false-positive problem

The reason container dashboards get abandoned is signal-to-noise. Three things drive noise, and your tool choice should be judged on how it handles each.

Distro backporting is the big one. Red Hat and Debian routinely backport a security fix into a package without bumping its upstream version number. A naive scanner sees the old version string, matches it to the CVE, and reports a vulnerability that was actually patched. Tools that consume distro-specific security data (OVAL, secdb) correctly suppress these; tools that do naive version comparison drown you in false alarms. Test this explicitly during evaluation.

Reachability is the second. A CVE in a library that ships in the image but is never loaded at runtime is lower risk than one on your request path. Some tools now correlate findings with whether the vulnerable code is actually reachable, which meaningfully shrinks the triage queue.

Base-image inheritance is the third. If 300 findings come from the base image, the fix is to change or update the base image once, not to triage 300 rows. A good tool attributes findings to the layer that introduced them so you can see that clearly.

Evaluation checklist

When you trial a container scanning tool, run it against your real images and score it on:

  1. Ecosystem coverage for the languages you ship, not just OS packages.
  2. Distro-aware matching so backported fixes do not show as vulnerabilities.
  3. Layer attribution so you know whether a finding is yours or the base image's.
  4. Pipeline fit: does it run in CI, on registry push, and at the admission gate without three separate tools?
  5. Actionable output: fixed-version recommendations, not just CVE IDs.
  6. SBOM generation so the same scan feeds your inventory and compliance needs.

A tool such as Safeguard combines image scanning with dependency-level SCA so the OS layer and the application layer share one vulnerability view, which avoids the common trap of stitching together two tools that disagree. Whatever you choose, weigh it against your own images and your team's tolerance for triage. If you want to sharpen your evaluation, our academy walks through building a container security gate step by step.

FAQ

What is the difference between container scanning and SCA?

SCA focuses on the application dependencies you declare (npm, PyPI, Maven). Container scanning covers those plus the OS packages in the image, misconfigurations, and secrets. They overlap on application dependencies, and the strongest tools use one vulnerability backend for both.

Should a failing scan block my deployment?

Block on fixable critical and high findings that the developer can actually remediate, and use --ignore-unfixed so unactionable findings do not train people to ignore the gate. Track unfixable and lower-severity findings without hard-blocking.

Why does my scanner report vulnerabilities that are already patched?

Almost always distro backporting: Red Hat and Debian patch a package without changing its version number. Choose a scanner that reads distro security data (OVAL, secdb) so it recognizes backported fixes instead of matching on the version string alone.

How often should I rescan images already in production?

Continuously, or at least daily. New advisories are published constantly, so an image that was clean at build time can become vulnerable without changing. Rescanning on new advisory data is what catches those.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.