
image-security-scanner


Scans Docker images for security vulnerabilities, outdated packages, and misconfigurations. Use when checking image security, finding vulnerabilities, or hardening containers.


Marketplace: fastagent-marketplace (armanzeroeight/fastagent-plugins)
Plugin: docker-toolkit (Containerization)
Repository: armanzeroeight/fastagent-plugins
Source file: plugins/docker-toolkit/skills/image-security-scanner/SKILL.md
Last verified: January 21, 2026

Install (Claude Code):
```bash
npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/docker-toolkit/skills/image-security-scanner/SKILL.md -a claude-code --skill image-security-scanner
```
Installation path: .claude/skills/image-security-scanner/

Instructions

# Image Security Scanner

Scan and secure Docker images for production deployment.

## Quick Start

Scan an image:
```bash
docker scan myapp:latest
# or
trivy image myapp:latest
```

## Instructions

### Step 1: Choose Scanning Tool

**Docker Scan** (built-in):
```bash
docker scan myapp:latest
```

**Trivy** (comprehensive):
```bash
trivy image myapp:latest
```

**Grype** (fast):
```bash
grype myapp:latest
```

**Snyk** (detailed):
```bash
snyk container test myapp:latest
```

### Step 2: Run Security Scan

**Basic scan**:
```bash
docker scan myapp:latest
```

**Detailed scan with Trivy**:
```bash
trivy image --severity HIGH,CRITICAL myapp:latest
```

**Scan with JSON output**:
```bash
trivy image -f json -o results.json myapp:latest
```

### Step 3: Analyze Results

Review findings by severity:
- **CRITICAL**: Immediate action required
- **HIGH**: Fix soon
- **MEDIUM**: Plan to fix
- **LOW**: Monitor

**Common vulnerabilities**:
- Outdated base image
- Vulnerable packages
- Known CVEs
- Misconfigurations
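
Added example, not part of the skill's own files: a small Python triage script for the `results.json` that the `-f json` scan in Step 2 writes, which sorts findings into the severity buckets above and fails the build only on CRITICAL/HIGH findings that already have a fixed version (unfixed ones are returned for tracking). The report layout follows Trivy's JSON schema (`Results[*].Vulnerabilities[*]`); the embedded sample report, its CVE IDs and package versions are constructed placeholders.

```python
"""Triage a Trivy JSON report (the results.json written in Step 2)."""
import json
from collections import Counter

# Severity names as Trivy emits them; UNKNOWN means no rating exists yet.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
# Constructed sample in Trivy's JSON layout (SchemaVersion 2); vulnerability
# IDs and package versions are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "myapp:latest", "Results": [
        {"Target": "myapp:latest (alpine 3.17.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
              "InstalledVersion": "1.35.0-r29", "FixedVersion": ""},  # no fix released
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
              "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1"}]},
        # Clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ]}

def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def load_findings(report):
    """Flatten Results[*].Vulnerabilities[*] into flat dicts; tolerate absent keys."""
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""), "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""), "severity": vuln.get("Severity", "UNKNOWN"),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),  # "" = no fixed version yet
            })
    return findings

def count_by_severity(findings):
    """Counts in the Step 3 order, with zeros for severities not present."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """Return (ok, blocking, unfixed); unfixed fail_on findings are tracked, not blockers."""
    hits = [f for f in findings if f["severity"] in fail_on]
    blocking = [f for f in hits if f["fixed"]]
    return (not blocking, blocking, [f for f in hits if not f["fixed"]])
```

Run it against a real report with `gate(load_findings(load_report("results.json")))` and exit non-zero in CI when `ok` is false.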

### Step 4: Fix Vulnerabilities

**Update base image**:
```dockerfile
# Before
FROM node:18-alpine3.17

# After
FROM node:18-alpine3.18
```

**Update packages**:
```dockerfile
RUN apk upgrade --no-cache
# or
RUN apt-get update && apt-get upgrade -y
```

**Remove vulnerable packages**:
```dockerfile
RUN apk del vulnerable-package
```

**Use distroless for minimal attack surface**:
```dockerfile
FROM gcr.io/distroless/nodejs18-debian11
```

### Step 5: Implement Security Best Practices

**Run as non-root**:
```dockerfile
USER nobody
# or
RUN adduser -D appuser
USER appuser
```

**Remove unnecessary tools**:
```dockerfile
RUN apk del apk-tools
```

**Use read-only filesystem**:
```yaml
# docker-compose service option (Kubernetes equivalent: securityContext.readOnlyRootFilesystem: true)
read_only: true
```

**Add security labels**:
```dockerfile
LABEL security.scan-date="2024-01-15"
LABEL security.scanner="trivy"
```

### Step 6: Verify Fixes

Re-scan after fixes:
```bash
docker build -t myapp:latest .
trivy image myapp:latest
```

Com
