Skip to content

How do you secure container images?

Short answer

Start from a minimal, trusted base image (distroless or slim) to shrink attack surface, scan images for known CVEs in CI and in the registry, pin and verify image digests, run as a non-root user, and avoid baking in secrets. Sign images and enforce admission policies so only scanned, signed images run. Rebuild regularly so patched base layers flow through.

Containers feel disposable, so teams under-invest in image security — but a vulnerable or poisoned image runs everywhere it's deployed. The interview wants a layered approach, not one trick.

Build a small, clean image

  • Minimal base images. A distroless or slim base strips out shells, package managers, and unused libraries. Fewer packages means less attack surface and far less scanner noise — most CVEs come from OS packages you never use.
  • No secrets in layers. Anything COPY'd or set as a build arg persists in the layer history even if removed later; fetch secrets at runtime instead.
  • Run as non-root. Set a USER so a container escape doesn't start with root-equivalent rights, and combine with read-only filesystems and dropped capabilities.

Verify and gate

  • Scan in CI and in the registry. Tools like Trivy or Grype detect known CVEs in both OS packages and language dependencies. Fail the build on critical findings, and re-scan in the registry because new CVEs are disclosed after build time.
  • Pin by digest, not floating tags. :latest is non-deterministic; a digest pin guarantees you run exactly what you scanned.
  • Sign and enforce. Sign images (Sigstore/cosign) and use admission control (e.g. an OPA/Kyverno policy or signature verification) so the cluster only runs scanned, signed images.

Keep it fresh

A CVE patched in the base image only helps if you rebuild and redeploy. Automate periodic rebuilds so upstream fixes flow into running workloads.

What interviewers look for

Naming minimal base images and scanning first, then non-root, signing plus admission control, and the operational point that images must be rebuilt to inherit patches.

Likely follow-ups

  • Why does a smaller base image reduce both attack surface and scan noise?
  • What is image signing (e.g. Sigstore/cosign) and how does admission control use it?
  • How do you ensure a base-image CVE patch actually reaches running workloads?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.