* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/)
* What Is Container Scannin...

# What Is Container Scanning? A Top Requirement for Container Security

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fwhat-is-container-scanning-a-top-requirement-for-container-security%2F)  
[](https://twitter.com/share?text=What+Is+Container+Scanning%3F+A+Top+Requirement+for+Container+Security&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fwhat-is-container-scanning-a-top-requirement-for-container-security%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fwhat-is-container-scanning-a-top-requirement-for-container-security%2F&title=What+Is+Container+Scanning%3F+A+Top+Requirement+for+Container+Security&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/what-is-container-scanning-a-top-requirement-for-container-security/&ts=markdown)  
\[\](mailto:?subject=What Is Container Scanning? A Top Requirement for Container Security)  
Link copied  
By [Mohit Bhasin](https://www.paloaltonetworks.com/blog/author/mohit-bhasin/?ts=markdown "Posts by Mohit Bhasin")  
Jun 04, 2021  
4 minutes  
[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown)  
[Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown)  
[container scanning](https://www.paloaltonetworks.com/blog/tag/container-scanning/?ts=markdown)  
[Container Security](https://www.paloaltonetworks.com/blog/tag/container-security/?ts=markdown)  
[Containers](https://www.paloaltonetworks.com/blog/tag/containers/?ts=markdown)

The use of containers for application development and deployment is one of the most exciting innovations in cloud computing today. But for any organization looking to leverage containers, they need to know the best way to secure them.

Container scanning, or container image scanning, is the process of scanning containers and their components to identify potential security threats. It is a fundamental process of container security, and the number one tool for many teams looking to secure their containerized DevOps workflows.

The adoption of containers has revolutionized the application development process by enabling DevOps teams to continuously deliver, deploy, and update applications. But with this unprecedented speed and flexibility comes a downside: container environments are extremely vulnerable at every stage of the development process. For this reason, the [latest cloud security solutions](https://blog.paloaltonetworks.com/2021/04/april-2021-release-prisma-cloud/) are putting container security, and specifically container scanning, front and center on their priority list.

Continue reading to learn about the basics of container scanning and how to implement it with your team (including a free step-by-step guide!).

## What Is a Container and a Container Image?

Before diving into the details of container scanning, let's review some standardized definitions:

* A [container](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown) is a standalone file or package of software files that include everything you need to run an application. Everything from the application's code and dependencies, to its library, runtime, and system tools are all located within the container.
* A [container image](https://www.paloaltonetworks.com/blog/prisma-cloud/cloud-container-image-trust-groups/?ts=markdown) is a static file within a container that holds the code to run processes for your application. It can include system libraries, tools, and other settings needed to run on a containerized platform. These images are often built on a pre-existing parent image or base image in an OS to help developers avoid building lots of files from scratch.

It's important to know that not all container images are created equal. For example, many images are pulled from public repositories --- [essentially untrusted sources](https://www.paloaltonetworks.com/blog/prisma-cloud/cloud-container-image-trust-groups/?ts=markdown) --- and thus can present the risk of compromise. These images potentially contain vulnerabilities, may not be properly configured to meet compliance standards, or may even contain malicious components. Watch the video below to learn more about containers:

## Three Areas to Implement Container Scanning

Because container images can come from such a wide range of sources, maintaining container image trust is critical. Container scanning is a way to understand the components in an image or container and understand their risk posture. Listed below are several areas where your team should leverage container scanning in order to achieve security across the full lifecycle of your application.

### 1. Scanning Your Container Registry

The container registry is where all of your application images are stored. It's the centralized hub for your container environment and potentially holds hundreds or thousands of images built from a variety of sources, including third-party locations. A single vulnerability or insecure configuration could lead to a threat not only to your registry, but to your entire application.

This is why continuously scanning your registries for any change in vulnerability status is crucial for maintaining container security. This function should be automated and should include scanning every image to identify and prevent any incoming threats.

### 2. Scanning Your Container at Runtime

Just because your container is up and running does not mean that your container scanning responsibilities are over. For optimal container security, it's important to automate continuous scanning that identifies any new CVE as soon as it's recognized. This will help detect new vulnerabilities, report them to your security team, and allow you to take immediate action. The best runtime container security tools empower teams by automatically prioritizing risk across environments.

Another best practice of [enhanced runtime protection](https://www.paloaltonetworks.com/resources/whitepapers/add-runtime-defense-cloud-security.html?ts=markdown) is to establish behavioral baselines for your container environment in a normal, secure state. With baselines in place, your system can easily detect, prevent, and mitigate anomalies or attacks.

### 3. Block Vulnerabilities Before They Enter Your Container

So far, we've discussed where and when to scan your container. But to secure the full lifecycle of your application, it's necessary to zoom out beyond the container and scan components as you build your container images.

To further the [move to DevSecOps](https://blog.paloaltonetworks.com/2019/03/containers-fueling-move-devsecops/), security teams should integrate image scanning into their CI/CD pipeline to detect and block vulnerabilities before their code ever enters into the container.

## Start Leveraging Container Security to Protect Your Applications

Get a deeper look at the fundamentals of container security and break down what every organization needs to know to ensure their containers---and their container environments---are secure from breaches, malware and other bad actors. Download your free copy of [The 2024 Definitive Guide to Container Security](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide?ts=markdown). This book-length guide lays out in-depth insights and practical advice to empower developers, DevOps, cloud teams and security professionals to effectively protect their cloud-native applications.

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### What You Need to Know About Azurescape](https://www.paloaltonetworks.com/blog/2021/09/azurescape/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown)

[#### Prisma Cloud Secures Containerized Apps on AWS-Optimized Bottlerocket](https://www.paloaltonetworks.com/blog/cloud-security/secure-containerized-app-aws-bottlerocket/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Prisma Cloud Further Extends Host and Container Security](https://www.paloaltonetworks.com/blog/2021/01/cloud-host-container-web-app-api-release/)

### [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [KSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/kspm/?ts=markdown)

[#### Kubernetes: A Practitioner's Guide to KSPM](https://www.paloaltonetworks.com/blog/cloud-security/kubernetes-a-practitioners-guide-to-kspm/)

### [Announcement](https://www.paloaltonetworks.com/blog/cloud-security/category/announcement/?ts=markdown), [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown)

[#### Join Prisma Cloud at KubeCon North America in Chicago](https://www.paloaltonetworks.com/blog/cloud-security/kubecon-na-2023/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown)

[#### Prisma Cloud Supports Azure Linux Container Host for AKS](https://www.paloaltonetworks.com/blog/cloud-security/azure-linux-container-host-aks/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language