What is container image scanning, and what tools do it (Trivy, Grype, Wiz)? [Intermediate]
Answer
Container image scanning analyzes image layers for vulnerable OS packages, application dependencies, secrets, malware indicators, and misconfigurations. Tools include Trivy, Grype, Snyk, Anchore, Clair, registry scanners, and CNAPP tools such as Wiz.
Technical explanation
Scanning should happen at build time, at registry push time, and periodically after deployment, because new CVEs are published for packages that already sit in existing images.
Each finding should be mapped to the image digest, the layer that introduced it, the package and installed version, the fixed version (if any), and an owner responsible for remediation.
Runtime context matters: a vulnerability in a deployed, internet-facing image is higher priority than the same issue in an image that is not running anywhere.
Hands-on example
docker build -t registry.example.com/checkout:${GIT_SHA} .
trivy image --severity HIGH,CRITICAL --exit-code 1 registry.example.com/checkout:${GIT_SHA}
grype registry.example.com/checkout:${GIT_SHA}
If both scans are clean, sign the image and push it, recording the immutable digest.
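The post-processing step the explanation above describes (mapping each finding to digest, layer, package, fixed version and owner, then weighting it by runtime exposure and gating the build) as an added Python example that is not part of the original answer. It parses a constructed report in the shape of `trivy image --format json` output; the field names follow Trivy's JSON schema as understood here, and the CVE ids, digests and versions are placeholders.

```python
import json

# Constructed sample shaped like a `trivy image --format json` report. Field names follow
# Trivy's JSON output as understood here; ids, digests and versions are placeholders.
SAMPLE_REPORT = json.loads("""{
 "ArtifactName": "registry.example.com/checkout:abc123",
 "Metadata": {"RepoDigests": ["registry.example.com/checkout@sha256:PLACEHOLDER_DIGEST"]},
 "Results": [
  {"Target": "checkout:abc123 (alpine 3.18)", "Class": "os-pkgs", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
    "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL", "Layer": {"Digest": "sha256:layer1"}},
   {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
    "FixedVersion": "", "Severity": "HIGH", "Layer": {"Digest": "sha256:layer1"}}]},
  {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "InstalledVersion": "2.25.0",
    "FixedVersion": "2.31.0", "Severity": "MEDIUM", "Layer": {"Digest": "sha256:layer2"}}]}
 ]}""")

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

def normalize_findings(report, owner):
    """Flatten a Trivy report into rows keyed by image digest, layer, package, fix and owner."""
    digest = (report.get("Metadata", {}).get("RepoDigests") or [report["ArtifactName"]])[0]
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            rows.append({"id": v["VulnerabilityID"], "image": digest,
                         "layer": v.get("Layer", {}).get("Digest", "unknown"),
                         "target": result["Target"], "package": v["PkgName"],
                         "installed": v["InstalledVersion"],
                         "fixed": v.get("FixedVersion") or None,   # "" means no fix yet
                         "severity": v["Severity"], "owner": owner})
    return rows

def prioritize(rows, deployed, internet_facing):
    """Rank by severity, raised by runtime exposure, lowered when no fix exists yet."""
    for r in rows:
        score = SEVERITY_RANK.get(r["severity"], 0) + int(deployed) + int(internet_facing)
        if r["fixed"] is None:
            score -= 1           # nothing actionable yet: track it, do not block on it
        r["priority"] = max(score, 0)
    return sorted(rows, key=lambda r: (-r["priority"], r["id"]))

def gate(rows, block_on=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Build gate mirroring `--severity HIGH,CRITICAL --exit-code 1`; returns (exit_code, blockers)."""
    blockers = [r for r in rows if r["severity"] in block_on and (r["fixed"] or not ignore_unfixed)]
    return (1 if blockers else 0), blockers
```

In a pipeline, `gate(normalize_findings(report, owner))` supplies the exit code, while `prioritize` with the image's deployment facts orders the same rows for the team that owns the image.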