Container security spans the entire lifecycle. Each phase presents unique risks and requires specific controls.
Build Time
- Scan base images for vulnerabilities
- Use minimal base images
- Don't run as root
- Sign images
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:7.0-alpine
# The 7.0 Alpine image ships no unprivileged account, so create one before switching to it
RUN adduser -D -u 1000 nonroot
USER nonroot
```
Registry Security
- Private registries only
- Image signing and verification
- Vulnerability scanning on push
Runtime Protection
- Network policies
- Pod security standards
- Runtime threat detection
- Resource limits
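The pod security standards and resource limits above can be checked before a manifest reaches the cluster. The following is an added example, not code from the original page: a small admission-style check in Python that applies the core rules of the Kubernetes "restricted" Pod Security Standard (no host namespaces, no privileged containers, runAsNonRoot, allowPrivilegeEscalation false, all capabilities dropped, a seccomp profile) plus two operational rules from this page (CPU and memory limits, no mutable image tags). The two manifests are constructed samples, written as JSON so the script runs with only the standard library; `kubectl` accepts JSON manifests as well as YAML.

```python
import json

# Constructed sample Pod with deliberately weak settings (JSON form of the usual YAML).
WEAK_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "api", "image": "registry.example.com/api:latest",
       "securityContext": {"privileged": true}}
    ]
  }
}
""")

# Constructed hardened version of the same Pod.
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
  "spec": {
    "securityContext": {"runAsNonRoot": true,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
      {"name": "api", "image": "registry.example.com/api:1.4.2",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]}},
       "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}
    ]
  }
}
""")


def check_pod(manifest):
    """Return a list of findings; an empty list means the Pod passes every rule."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []

    # Host namespaces give a container a view of the node's network, processes or IPC.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"pod: {field} is enabled")

    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # runAsNonRoot may be set at pod or container level; the container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        # Must be explicitly false; the default (unset) allows setuid binaries to gain privilege.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile not RuntimeDefault/Localhost")
        # Resource limits bound what a compromised or runaway container can consume.
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
        # A mutable tag means the image that runs may not be the one that was scanned.
        image = c.get("image", "")
        if image.endswith(":latest") or ":" not in image:
            findings.append(f"{name}: image tag is mutable/unpinned")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", check_pod(pod) or "OK")
```

The checks are deliberately written as "the field must be explicitly set to the safe value" rather than "the field is not set to the unsafe value", because for most of these settings the Kubernetes default is the permissive one. Pinning by digest (`image@sha256:...`) is stronger than the version-tag check shown here; the script only rejects the obviously mutable forms.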
Supply Chain
Know what's in your containers:
```shell
syft packages my-image:latest -o spdx-json
```
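An SBOM is only useful if something consumes it. The following is an added example, not code from the original page or from the syft project: a Python script that reads a minimal, constructed SPDX JSON document in the shape `syft -o spdx-json` produces, builds a package inventory from each package's purl (package URL), and matches the inventory against a constructed advisory list with placeholder identifiers (not real advisories). The `parse_purl` and `version_key` helpers are assumptions written for this example; a production pipeline would use a proper scanner (such as grype over the same SBOM) with real feeds.

```python
import json
import re

# Constructed, minimal SPDX 2.3 document in the shape `syft ... -o spdx-json` emits.
SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "name": "my-image:latest",
  "packages": [
    {"name": "openssl", "versionInfo": "3.0.8-r0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:apk/alpine/openssl@3.0.8-r0?arch=x86_64"}]},
    {"name": "Newtonsoft.Json", "versionInfo": "12.0.3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:nuget/Newtonsoft.Json@12.0.3"}]},
    {"name": "busybox", "versionInfo": "1.36.0-r9",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:apk/alpine/busybox@1.36.0-r9?arch=x86_64"}]}
  ]
}
""")

# Constructed advisory feed with placeholder IDs: package type, lower-cased name,
# and the first version in which the issue is fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "ptype": "nuget", "name": "newtonsoft.json", "fixed": "13.0.1"},
    {"id": "ADV-PLACEHOLDER-2", "ptype": "apk", "name": "openssl", "fixed": "3.0.8-r0"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers' into (type, name, version)."""
    body = purl[len("pkg:"):]
    body = body.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    path, _, version = body.partition("@")          # version is "" if absent
    parts = path.split("/")
    return parts[0], parts[-1], version


def version_key(v):
    """Sortable key: numeric components compare as ints, the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", v))


def inventory(sbom):
    """List (type, name, version) for every package, preferring the purl over free text."""
    items = []
    for pkg in sbom.get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        if purls:
            items.append(parse_purl(purls[0]))
        else:
            items.append(("unknown", pkg.get("name", ""), pkg.get("versionInfo", "")))
    return items


def match_advisories(sbom, advisories):
    """Return (advisory id, affected package, fixed version) for every package below its fix."""
    hits = []
    for ptype, name, version in inventory(sbom):
        for adv in advisories:
            if (adv["ptype"] == ptype and adv["name"] == name.lower()
                    and version_key(version) < version_key(adv["fixed"])):
                hits.append((adv["id"], f"{ptype}:{name}@{version}", adv["fixed"]))
    return hits


if __name__ == "__main__":
    for item in inventory(SBOM):
        print("%-6s %-20s %s" % item)
    for adv_id, pkg, fixed in match_advisories(SBOM, ADVISORIES):
        print(f"{adv_id}: {pkg} affected, fixed in {fixed}")
```

Note the boundary case in the sample data: openssl is exactly at its fixed version and is correctly not reported, while Newtonsoft.Json 12.0.3 is below 13.0.1 and is. Matching on the purl's ecosystem type rather than on the bare name matters because the same package name can exist in several ecosystems with unrelated version histories.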
Verify everything, trust nothing.