Skip to main content
Home/Glossary/Container Image

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

DevSecOpsAlso called: "docker image", "oci image", "container template"

Container images are immutable templates used to create container instances. They consist of layered filesystems built from a base image.

Image components

  • Base image: Operating system layer (Alpine, Ubuntu, Distroless).
  • Dependencies: Libraries, frameworks, runtime environments.
  • Application code: Your compiled or interpreted application.
  • Configuration: Environment variables, config files.
  • Metadata: Labels, exposed ports, entrypoint commands.

Security considerations

  • Base image selection: Minimal images reduce attack surface.
  • Vulnerability scanning: Scan images for known CVEs.
  • Image signing: Verify image integrity and provenance.
  • Secret management: Never bake secrets into images.
  • Non-root users: Run processes as non-privileged users.

Best practices

  1. Use specific version tags, not latest.
  2. Choose minimal base images (Alpine, Distroless).
  3. Multi-stage builds to exclude build tools.
  4. Scan images in CI/CD before pushing to registry.
  5. Implement image lifecycle policies (expire old images).
  6. Sign images with Cosign or Notary.

Common vulnerabilities

  • Outdated base images with unpatched OS packages.
  • Vulnerable application dependencies.
  • Exposed secrets in image layers.
  • Running as root user.
  • Unnecessary packages increasing attack surface.

Related Tools

Related Articles

View all articles
📄

Codex CLI: ChatGPT Login vs API Key — Which Auth Should You Use?

Codex CLI gives you two ways to authenticate — ChatGPT OAuth login and an OpenAI API key. Here's how they differ, which to pick for humans vs. CI, and how to fix the common 'API key ignored' loop.

Read article →
📄

Containers & Compute Compared: Cloudflare Workers/Containers vs AWS ECS/EKS vs Azure AKS vs Google GKE

A deep technical comparison of container and compute platforms — Cloudflare's edge compute model vs AWS ECS/EKS/Fargate, Azure AKS/Container Apps, and Google GKE/Cloud Run. Architecture, orchestration, pricing, and when containers vs edge isolates vs serverless containers win.

Read article →
📄

Serverless Showdown: Cloudflare Workers vs Lambda vs Cloud Functions vs Azure Functions

A deep technical comparison of serverless compute platforms — Cloudflare Workers, AWS Lambda, Google Cloud Functions, and Azure Functions — covering runtime architecture, cold starts, programming models, pricing, and the edge vs region debate.

Read article →
DevSecOps Pipeline: How to Build Security into CI/CD

DevSecOps Pipeline: How to Build Security into CI/CD

Learn how to integrate security into your CI/CD pipeline. This guide covers SAST, DAST, SCA, container scanning, and security automation for DevSecOps teams.

Read article →

Explore More DevSecOps

View all terms

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

Read more →

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary