Prompts matching the #vulnerability-scanning tag
Scan for security vulnerabilities. Tools:
1. SAST (Snyk, SonarQube) for code analysis.
2. DAST for runtime scanning.
3. Dependency scanning (npm audit, Dependabot).
4. Secret detection (GitGuardian).
5. Container scanning.
6. Infrastructure as Code scanning.
Integrate in CI/CD. Fix critical issues immediately. Use OWASP Top 10 as guide. Regular security reviews.
Implement secure container image management with vulnerability scanning, signing, and policy enforcement.

Registry security:
1. Private registries: Harbor, AWS ECR, Google Container Registry with RBAC access control.
2. Image signing: Docker Content Trust, Notary for image authenticity verification.
3. Vulnerability scanning: Trivy, Clair, Twistlock integrated into push/pull workflows.
4. Access control: IAM integration, token-based authentication, service account permissions.

Image lifecycle management:
1. Tagging strategy: semantic versioning, immutable tags, environment-specific tags.
2. Retention policies: automatic cleanup of old images, keep last 10 versions per branch.
3. Multi-architecture support: AMD64, ARM64 builds, manifest lists for platform-specific pulls.

Security policies:
1. Base image governance: approved base images only, regular security updates, minimal surface area.
2. Scanning thresholds: block deployment for critical vulnerabilities, allow with medium/low.
3. Runtime policies: admission controllers preventing non-compliant containers.

Image optimization:
1. Layer caching: optimize Dockerfile instruction order, shared base layers.
2. Size reduction: multi-stage builds, distroless images, unnecessary package removal.
3. Build automation: automated security patching, dependency updates, scheduled rebuilds.

Registry operations:
1. High availability: multi-region replication, load balancing, disaster recovery.
2. Performance: CDN integration, regional caching, bandwidth optimization.

Compliance: audit logs for image access, retention policies for regulatory requirements, SBOM (Software Bill of Materials) generation.