14.1.1.5 Production Image Scan
A focused guide to Production Image Scan, connecting core concepts with practical Docker and container operations.
A production image scan verifies that a container image is free of known, significant vulnerabilities before it is deployed to production: a final, automated check that whatever is about to run in the production environment does not carry forward an unaddressed, exploitable weakness.
Running a Scan Before Production Deployment
A scan step gates deployment specifically on the absence of severe findings.
docker scout cves myapp:1.0 --exit-code --only-severity critical,high
deploy-production:
  steps:
    - run: docker scout cves myapp:${{ github.sha }} --exit-code --only-severity critical
    - run: ./deploy.sh production myapp:${{ github.sha }}
A failing scan halts the pipeline before the deployment step ever runs, preventing a vulnerable image from reaching production.
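The gating step written out as a small, reusable shell script, added here as an example and not taken from the page or from Docker Scout itself. It assumes a `./deploy.sh ENV IMAGE` script like the one in the pipeline snippet above, and relies on `docker scout cves --exit-code` returning exit status 2 when matching vulnerabilities are found; the `SCOUT`, `DEPLOY` and `GATE_SEVERITIES` variables are hypothetical overrides used only so the scanner and deploy command can be swapped out, not options of docker scout.

```shell
#!/bin/sh
# Pre-deployment gate: run the production scan and deploy only when it is clean.
# Added example; SCOUT/DEPLOY/GATE_SEVERITIES are hypothetical overrides, not docker scout options.
set -eu

SCOUT="${SCOUT:-docker scout}"                       # scanner command (overridable for testing)
DEPLOY="${DEPLOY:-./deploy.sh}"                      # deploy script taking: ENV IMAGE
GATE_SEVERITIES="${GATE_SEVERITIES:-critical,high}"  # severities that block deployment

# scan_gate IMAGE
#   returns 0 when no CVEs at the gating severities are found,
#           1 when the scanner reports matching CVEs (docker scout exit code 2),
#           2 when the scanner itself failed (any other non-zero status),
#   so a broken or unreachable scanner is never mistaken for a clean image.
scan_gate() {
  image="$1"
  rc=0
  $SCOUT cves "$image" --exit-code --only-severity "$GATE_SEVERITIES" || rc=$?
  case "$rc" in
    0) echo "gate: $image is clean at severities $GATE_SEVERITIES" >&2; return 0 ;;
    2) echo "gate: $image has $GATE_SEVERITIES findings; blocking deployment" >&2; return 1 ;;
    *) echo "gate: scanner failed on $image (exit $rc); blocking deployment" >&2; return 2 ;;
  esac
}

# deploy_if_clean IMAGE [ENV]
#   runs the gate and, only on a clean result, the deployment step.
deploy_if_clean() {
  image="$1"
  target="${2:-production}"
  scan_gate "$image" || return $?
  $DEPLOY "$target" "$image"
}

# Stand-alone use: ./gate.sh myapp:1.0 [production]
if [ "$#" -ge 1 ]; then
  deploy_if_clean "$1" "${2:-production}"
fi
```

Distinguishing "findings present" from "scanner failed" matters in a gate: a pipeline that treats any non-zero status the same way will block correctly, but one that only checks for exit code 2 would let a scanner outage wave an unscanned image through.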
Why Scanning Should Happen Again Immediately Before Production Deployment
Even if an image was scanned earlier in the pipeline, a vulnerability affecting one of the already-built image's dependencies can be disclosed between that earlier scan and the actual production deployment. A final scan immediately before deployment closes this specific timing gap.
docker scout cves myapp:${{ github.sha }} --only-severity critical,high
Reviewing Findings That Don't Block Deployment
Lower-severity findings, while not blocking this specific deployment, should still be tracked and addressed on an appropriate timeline.
docker scout cves myapp:1.0 --format sarif > production-scan-results.sarif.json
Establishing a Process for Handling a Newly Discovered Vulnerability in a Running Image
Beyond the pre-deployment scan, periodically re-scanning already-deployed images catches a vulnerability disclosed after that image was originally deployed, prompting a timely update.
docker scout cves registry.example.com/myapp:production
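The periodic re-scan as a script suitable for a scheduled job, added here as an example rather than code from the page or from Docker Scout. It scans every deployed image reference it is given, prints the ones that now carry critical or high findings, and exits non-zero so the job is noticed. The inventory of deployed images is a constructed sample; a real run would take it from deployment manifests or the registry. As in the gate example, `SCOUT` and `GATE_SEVERITIES` are hypothetical overrides, and the script relies on `docker scout cves --exit-code` returning exit status 2 when matching vulnerabilities exist.

```shell
#!/bin/sh
# Periodic re-scan of images already running in production.
# Added example; SCOUT/GATE_SEVERITIES are hypothetical overrides, not docker scout options.
set -eu

SCOUT="${SCOUT:-docker scout}"
GATE_SEVERITIES="${GATE_SEVERITIES:-critical,high}"

# Constructed sample inventory of deployed image references (one per line).
DEPLOYED_IMAGES='registry.example.com/myapp:production
registry.example.com/worker:production'

# rescan_deployed  (reads image references from stdin, one per line)
#   prints each image that now has CVEs at the gating severities, one per line;
#   returns 0 if every image is still clean,
#           1 if at least one image needs an update,
#           2 if the scanner failed on any image (a scanner outage must not look like "all clean").
rescan_deployed() {
  flagged=0
  while IFS= read -r image || [ -n "$image" ]; do
    [ -n "$image" ] || continue
    rc=0
    $SCOUT cves "$image" --exit-code --only-severity "$GATE_SEVERITIES" >/dev/null 2>&1 || rc=$?
    case "$rc" in
      0) ;;
      2) echo "$image"; flagged=$((flagged + 1)) ;;
      *) echo "rescan: scanner failed on $image (exit $rc)" >&2; return 2 ;;
    esac
  done
  [ "$flagged" -eq 0 ] || return 1
  return 0
}

# Stand-alone use (e.g. from cron): ./rescan.sh --run
if [ "${1:-}" = "--run" ]; then
  printf '%s\n' "$DEPLOYED_IMAGES" | rescan_deployed
fi
```

The printed list is the input to the update process: each flagged image is one whose vulnerability was disclosed after it passed the pre-deployment gate, so it needs a rebuild and a fresh pass through that gate rather than an in-place patch.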
Why Production Image Scan Matters
A dedicated, gating scan immediately before production deployment, combined with periodic re-scanning of already-running images, provides ongoing assurance that production never knowingly runs an image with an unaddressed, significant vulnerability.