Home/Glossary/Container Image

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

DevSecOpsAlso called: "docker image", "oci image", "container template"

Container images are immutable templates used to create container instances. They consist of layered filesystems built from a base image.

Image components

  • Base image: Operating system layer (Alpine, Ubuntu, Distroless).
  • Dependencies: Libraries, frameworks, runtime environments.
  • Application code: Your compiled or interpreted application.
  • Configuration: Environment variables, config files.
  • Metadata: Labels, exposed ports, entrypoint commands.

Security considerations

  • Base image selection: Minimal images reduce attack surface.
  • Vulnerability scanning: Scan images for known CVEs.
  • Image signing: Verify image integrity and provenance.
  • Secret management: Never bake secrets into images.
  • Non-root users: Run processes as non-privileged users.

Best practices

  1. Use specific version tags, not latest.
  2. Choose minimal base images (Alpine, Distroless).
  3. Multi-stage builds to exclude build tools.
  4. Scan images in CI/CD before pushing to registry.
  5. Implement image lifecycle policies (expire old images).
  6. Sign images with Cosign or Notary.

Common vulnerabilities

  • Outdated base images with unpatched OS packages.
  • Vulnerable application dependencies.
  • Exposed secrets in image layers.
  • Running as root user.
  • Unnecessary packages increasing attack surface.

Related Tools

Related Articles

View all articles
📄

Serverless Showdown: Cloudflare Workers vs Lambda vs Cloud Functions vs Azure Functions

A deep technical comparison of serverless compute platforms — Cloudflare Workers, AWS Lambda, Google Cloud Functions, and Azure Functions — covering runtime architecture, cold starts, programming models, pricing, and the edge vs region debate.

Read article →
📄

Containers & Compute Compared: Cloudflare Workers/Containers vs AWS ECS/EKS vs Azure AKS vs Google GKE

A deep technical comparison of container and compute platforms — Cloudflare's edge compute model vs AWS ECS/EKS/Fargate, Azure AKS/Container Apps, and Google GKE/Cloud Run. Architecture, orchestration, pricing, and when containers vs edge isolates vs serverless containers win.

Read article →
Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud penetration testing requires different approaches than traditional network testing. Learn cloud provider policies, testing methodologies, and common findings across AWS, Azure, and GCP environments.

Read article →
AWS Fargate Explained: Serverless Containers Without Managing Servers

AWS Fargate Explained: Serverless Containers Without Managing Servers

Learn what AWS Fargate is, how it compares to EC2 for containers, pricing considerations, and when to use Fargate vs ECS on EC2. Complete guide for decision-makers.

Read article →

Explore More DevSecOps

View all terms

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

Read more →

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary