Securing Docker Images

Udi Doron

May 14, 2026 | 6 Minutes

Most teams treat securing Docker images as a two-control problem: scan the image, harden the base layer, ship it. Both controls matter. Neither - alone or together - is enough. Attackers have moved past the static surface that scanners and hardening address, and the gap between "we scan and harden" and "we have actually secured our images" is wider than most security programs admit.

This article walks through what scanning misses, where hardening fails, how runtime threats slip past both, and what a defense-in-depth model for Docker image security actually requires.

Key takeaways

Scanning catches known CVEs in static layers, but misses misconfigurations, supply chain compromise, and runtime drift.
Hardening reduces the attack surface but offers no protection if the upstream image source or build pipeline is compromised.
Runtime threats, including ephemeral malware and lateral movement, are invisible to both controls.
Image signing and SLSA provenance close the trust gap between build and deploy.
Real Docker image security requires layered controls across source, build, registry, deploy, and runtime - not stronger versions of the same two controls.

Why scanning and hardening create a false sense of security

When a team commits to docker image scanning and adopts hardened docker images from a reputable source, leadership often considers the problem handled. Both are real, valuable controls. But each addresses a narrow slice of the threat surface, and together they leave significant exposure untouched.

The mental model worth adopting: scanning tells you what known-bad ingredients are in the cake. Hardening makes the cake harder to eat. Neither tells you whether someone tampered with the recipe, whether the oven was compromised, or whether the cake gets poisoned after it leaves the kitchen.

What image scanners cannot see

Container vulnerability scanning is essential, but its blind spots are well documented and worth being explicit about:

Zero-day vulnerabilities. Scanners match against known CVE databases. If a flaw hasn't been disclosed, it doesn't show up.
Logic flaws and misconfigurations in application code. A scanner that flags an outdated OpenSSL won't notice that the application accepts unsigned tokens or trusts an inherited environment variable.
Secrets baked into layers. Many scanners catch obvious patterns; many miss credentials encoded in less-common formats, embedded in compiled binaries, or hidden in lower image layers.
Malicious packages from poisoned upstream sources. A scanner that trusts the package's signature trusts whoever signed it. If the upstream registry is compromised, the scanner is the compromise's downstream amplifier.
Behavioral anomalies. Static analysis cannot tell you that a binary phones home to an unexpected domain or escalates privileges at runtime.

For a deeper look at scanner blind spots, our piece on Docker base images and their hidden risks covers what static analysis routinely misses.

Where image hardening falls short without supply chain controls

Hardening is the practice of stripping an image down to the minimum runtime surface - fewer packages, smaller binaries, no shells, restricted users. Done well, it dramatically reduces what an attacker can do once inside.

But hardening assumes the layer being hardened is trustworthy in the first place. If the upstream base image is compromised, every downstream "hardened" image inherits that compromise:

A malicious commit to a popular base image distribution can land in millions of downstream builds before detection.
Build pipelines without provenance controls can substitute a clean base for a tampered one mid-build.
Hardening tools themselves pull from registries; if those registries are spoofed or hijacked, the "hardening" step becomes the attack vector.

In other words, hardening reduces what an attacker can do after getting in. It does nothing to prevent them from being baked into the image to begin with. For complementary techniques, our guide on container hardening techniques walks through the practical patterns that actually work.

How runtime threats bypass both scanning and hardening

Both scanning and hardening operate before deployment. Once a container is running, they are silent. That gap is where modern attackers operate:

Memory-resident malware. Code injected into a running process never touches the image filesystem and so is invisible to image scanners.
Lateral movement via legitimate tooling. A hardened image still includes whatever the application needs to run. Attackers reuse those legitimate binaries to move within the cluster.
Drift from baseline. A container that starts in a hardened state can be modified at runtime - config files rewritten, processes spawned, network rules altered - without the image itself ever changing.
Exploitation of known but unpatched runtime CVEs. A scanner flagged the issue. A ticket was filed. The container is still running. Time-to-patch matters more than time-to-detect.

Without runtime visibility, none of this surfaces until it triggers an external alert - typically far too late.

How image signing and provenance close the gap

The category that most teams under-invest in is supply chain integrity. Signing and provenance are the controls that bridge the trust gap between build and deploy:

Cryptographic signing (Cosign, Sigstore, Notation) attaches a verifiable signature to an image. Deployment gates can refuse to run images that lack a valid signature from an approved signer.
SLSA provenance records how the image was built - which source commit, which builder, which dependencies, in what environment. This makes tampering detectable rather than invisible.
Verification at deploy time ensures that even if an attacker pushes a malicious image into a registry, the cluster refuses to run it without a matching signature.
Attestations for SBOMs and scan results let downstream consumers verify that a stated security posture is genuine, not just claimed.

These controls don't replace scanning or hardening. They make scanning and hardening trustworthy - because without provenance, you have no way to verify that the image you scanned is the image you deployed.

A defense-in-depth model for Docker image security

Real image security spans five layers, each addressing what the layers above and below cannot:

Source layer. Verified contributors, signed commits, dependency pinning, and review gates on critical files like Dockerfiles. Scanning of source-level dependencies catches issues before they reach the build.
Build layer. Reproducible builds, hardened build environments, SBOM generation, and provenance attestations. Build-time scanning catches what made it through the source layer.
Registry layer. Signed images only, vulnerability scanning on push and on pull, automated re-scanning as new CVEs are disclosed, and aggressive removal of unused or stale images. For a practical pattern, see our Echo + Trivy integration guide.
Deploy layer. Admission controllers that verify signatures, enforce policy, and block unsigned or out-of-policy images. Hardened runtime configurations (non-root users, read-only filesystems, capability drops).
Runtime layer. Behavioral monitoring, drift detection, network egress controls, and the ability to correlate runtime behavior back to image identity for fast root-cause analysis.

For more on the foundational practices, our overview of best practices to manage Docker risk and vulnerabilities covers the policy patterns that hold this stack together.

he hard part isn't knowing vulnerabilities exist in your images - it's the endless cycle of scanning, triaging, and patching that drains hundreds of developer hours per release. That's where most teams stall, and that's where Echo comes in.

Echo delivers vulnerability-free container images, libraries, and VMs - automatically patched, hardened, and FIPS-validated. No fixes needed, because there's nothing to fix.

Book a demo and see what dropping your CVE count to zero looks like for your environment.

FAQs

How often should Docker images be rebuilt after a new CVE is disclosed?

Critical and high-severity CVEs in production-running images warrant a rebuild within 24 to 72 hours, depending on exploitability and reachability. Mature teams automate this: a CVE disclosure that affects a base image triggers an automated rebuild and rollout pipeline. Lower-severity findings can batch into weekly or biweekly rebuild windows, provided exception tracking is rigorous.

At what point in the pipeline should image signing verification be enforced?

Signing should be generated at build time and verified at every subsequent stage - registry push, registry pull, and especially at deploy via an admission controller. Enforcement only at deploy time is the most common pattern but the weakest, because malicious images can sit in the registry undetected. Verifying at multiple checkpoints catches tampering earlier.

How does introducing image signing change developer workflows in practice?

For most developers, signing is invisible - the build pipeline handles signature generation automatically. Friction shows up when developers try to deploy locally-built images that bypass the official pipeline. The right answer is making the signed pipeline so frictionless that developers don't want to bypass it, not adding manual signing steps to local workflows.

Is maintaining zero CVEs in a production Docker image a realistic goal?

It's realistic for narrowly scoped, hardened minimal images and unrealistic for most application images that depend on a long chain of OS and language packages. The more useful goal is zero exploitable CVEs in production - defined as no critical or high-severity vulnerability that is reachable in running code and exceeds the team's documented SLA window.

What organizational ownership model works best for managing Docker image security across teams?

A federated model works best at scale: a central platform team owns base images, signing infrastructure, and admission policies; security owns standards, exceptions, and audit; application teams own their own image content and SLA adherence. Centralized models bottleneck. Fully decentralized models produce inconsistent posture. The federation makes ownership explicit at each layer.