Find and Fix Vulnerabilities in Container Images

Container image scanning means analyzing your built container images (Docker images, etc.) for security issues before you deploy them. Even if you scan your source code and dependencies, your container images may include other components - like OS packages, web servers, or OpenSSL - that could have vulnerabilities. In short, code scanning covers your application code, but container scanning covers the environment that your code runs in. It's important because a secure app can still be compromised if the base image or system libraries it runs on have known flaws.

Yes, Aikidos' container scanner looks at everything inside the image layers. It will inventory the OS packages, libraries, and other components in your container and check them against vulnerability databases for known CVEs. It doesn't stop at just OS packages either - it also flags outdated software, potential malware, and even license risks in the image. Essentially, if there's a vulnerable package in your image (whether it's an OS-level library or an app dependency baked into the image), Aikido will detect it.

Aikido can assist with automating fixes for container images. The platform includes an AI AutoFix feature that can suggest and even apply upgrades to your container setup - for instance, it might recommend a patched base image or update a package version and can generate a fix PR for you. In practice, you get a "fix this'' button for many image vulnerabilities, which will adjust your Dockerfile or image configuration to remediate the issues, saving you from doing those upgrades manually.

Integration is straightforward - you can embed Aikido's container scan as a step in your CI/CD pipeline (there are plugins and integration tokens for services like GitHub Actions, GitLab CI, Jenkins, etc.). For example, after building your Docker image, you'd invoke Aikido to scan that image, and it will report any issues before you push to production. Aikido was built to plug into pipelines with minimal fuss (so it starts scanning your images from Day 1 without a lot of custom setup). In a Kubernetes workflow, the typical approach is to scan images during CI (before they ever reach the cluster), or you can connect Aikido to your container registry so it automatically scans new images that you tag for deployment.

Besides scanning your images when building them (in the CI/CD pipeline), Aikido can continuously scan images stored on popular container registries. This ensures that newly discovered vulnerabilities are surfaced even after the images are built.

It detects a wide range of issues in container images. This includes known vulnerability CVEs in system packages and libraries, outdated software versions (e.g. an OS package or runtime that's past its end-of-life), malicious or compromised components (malware), and even open-source license problems present in the image. In other words, everything from a critical Linux kernel flaw to a library with a disallowed license could be flagged. The goal is to surface all the relevant risks hidden inside your image, not just the obvious "vulns."

Aikido's container scanner focuses on vulnerabilities, outdated software, and malware. It doesn't detect embedded secrets or misconfigurations directly. However, Aikido includes separate scanners for secrets (e.g., AWS keys left in files) and misconfigurations (via IaC scanning), which complement the container scanning. So while the container scanner flags CVEs and system-level risks, secrets and config issues are detected by other tools within Aikido's platform.

Aikido cuts through the noise by auto-triaging issues, reducing alert fatigue. Unlike Trivy, which lists every CVE, Aikido flags what's actually exploitable or high-risk. Compared to Snyk, Aikido offers a unified platform with SAST, DAST, and more - all in one interface. It also includes one-click fixes and private threat intel for deeper coverage than either tool typically provides.

No. Aikido is 100% agentless. It scans images by pulling layers directly from your container registry or via CLI/CI integration. There's nothing to install on your infrastructure or inside containers. For stricter environments, an on-prem option exists, but it still doesn't require runtime agents.

Yes. Aikido uses reachability analysis and context-aware prioritization to filter out noise and false positives. It groups duplicate issues, highlights what's exploitable, and adjusts severity based on factors like environment (e.g., production). That way, you focus on what matters most.

Aikido supports most major registries: Docker Hub, AWS ECR, GCP, Azure, GitHub Packages, GitLab, Quay, JFrog, Harbor, and more. Whether your'e in the cloud or on-prem, Aikido can securely connect and scan your container images with minimal setup.