hands-on lab

Scanning Container Images for Known Vulnerabilities

Up to 30m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Container images are an essential part of modern application deployments. Comprised of a collection of software components and libraries, container images can contain vulnerabilities and security weaknesses. These vulnerabilities can be exploited by attackers to gain unauthorized access to the container, the host operating system, and the underlying infrastructure.

Container image scanning tools can identify the vulnerabilities in images for you to acknowledge and determine what is an appropriate course of action be it updating library versions, choosing a different base image, or accepting the identified risks.

This lab focuses on the Trivy scanning tool by Aqua Security. Trivy is highlighted as a reference tool in the Certified Kubernetes Security Specialist (CKS) exam. You will learn how to scan images with Trivy and filter findings by severity in this lab. You will also apply what you learn to identify critical vulnerabilities in a sample application deployed in Kubernetes.

Learning objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Use Trivy to scan container images for vulnerabilities
  • Scan images running a Kubernetes cluster
  • Employ strategies to reduce the number of vulnerabilities in container images running in your Kubernetes cluster

Intended audience

  • Candidates for the Certified Kubernetes Security Specialist (CKS) exam
  • DevOps Engineers
  • Security Practitioners


Familiarity with the following will be beneficial but is not required:

  • Kubernetes Pods
  • kubectl output formatting

The following content can be used to fulfill the prerequisites:


October 13th, 2023 - Updated Kubernetes version


Environment before

Environment after

About the author

Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Learning paths

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics

Lab steps

Connecting to the Kubernetes Cluster
Using Trivy to scan for vulnerabilities in container images
Scanning Pod container images in a Kubernetes namespace