Home/Glossary/Container Image

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

DevSecOpsAlso called: "docker image", "oci image", "container template"

Container images are immutable templates used to create container instances. They consist of layered filesystems built from a base image.

Image components

  • Base image: Operating system layer (Alpine, Ubuntu, Distroless).
  • Dependencies: Libraries, frameworks, runtime environments.
  • Application code: Your compiled or interpreted application.
  • Configuration: Environment variables, config files.
  • Metadata: Labels, exposed ports, entrypoint commands.

Security considerations

  • Base image selection: Minimal images reduce attack surface.
  • Vulnerability scanning: Scan images for known CVEs.
  • Image signing: Verify image integrity and provenance.
  • Secret management: Never bake secrets into images.
  • Non-root users: Run processes as non-privileged users.

Best practices

  1. Use specific version tags, not latest.
  2. Choose minimal base images (Alpine, Distroless).
  3. Multi-stage builds to exclude build tools.
  4. Scan images in CI/CD before pushing to registry.
  5. Implement image lifecycle policies (expire old images).
  6. Sign images with Cosign or Notary.

Common vulnerabilities

  • Outdated base images with unpatched OS packages.
  • Vulnerable application dependencies.
  • Exposed secrets in image layers.
  • Running as root user.
  • Unnecessary packages increasing attack surface.

Related Tools

Related Articles

View all articles
30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

Master cloud security with 30 actionable tips covering AWS, Azure, and GCP.

Read article →
Cloud Migration & Validation Workflow | Complete Migration

Cloud Migration & Validation Workflow | Complete Migration

Execute flawless cloud migrations using proven 7R strategies, AWS Well-Architected Framework, and comprehensive validation at every stage—from discovery to production optimization.

Read article →
CI/CD Pipeline Security Workflow | DevSecOps Best Practices

CI/CD Pipeline Security Workflow | DevSecOps Best Practices

Master the complete CI/CD pipeline security workflow from secrets management to SLSA framework implementation. Implement SAST, DAST, SCA, artifact signing, and policy enforcement to secure your software supply chain.

Read article →
Kubernetes Security & Hardening Workflow | CIS Benchmark

Kubernetes Security & Hardening Workflow | CIS Benchmark

Master the complete Kubernetes security workflow from CIS benchmark assessment to runtime threat detection. Implement Pod Security Standards, RBAC, network policies, and NSA/CISA hardening guidance for production clusters.

Read article →

Explore More DevSecOps

View all terms

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

Read more →

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary