Explain Image Registries and Scanning.

An image registry stores and distributes container images; image scanning checks those images for known vulnerabilities, misconfigurations, and malicious code before they are allowed to be deployed. Together they form a control point between the build pipeline and production.

When to Use

  • Running Docker/Kubernetes in production
  • Enforcing supply chain security in CI/CD pipelines
  • Meeting compliance standards (PCI, SOC2, HIPAA)
  • Centralizing and controlling image distribution across teams

Example

A developer pushes a Python app image to a registry. The scanner detects a critical CVE in the base image, blocking deployment until fixed.

Why Is It Important

  • Reduces risk of breaches and zero-days
  • Enforces compliance and audit readiness
  • Ensures only trusted, signed images run in production

Interview Tips

  • Differentiate registry (storage/distribution) vs scanner (security check)
  • Describe the workflow: build → scan → sign → store → deploy
  • Mention tools such as Trivy, Clair, and Grype, and policies such as blocking images that contain critical vulnerabilities
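The "block images with critical vulnerabilities" policy is the part of the build → scan → sign → store → deploy workflow that most often comes up in practice, so here is an added example of a policy gate. It is not code from the page or from any of the scanners named above; it reads a report whose top-level layout mirrors a Trivy JSON report (Results entries with a Class of os-pkgs or lang-pkgs and a Vulnerabilities list), but the report content is constructed and the CVE ids are placeholders. The severity threshold, the allowlist of documented exceptions, and the ignore-unfixed behaviour are assumptions chosen for the example.

```python
"""Admission gate over a container image vulnerability report.

Added example, not the page's or any scanner's own code. The report layout
follows the top-level shape of a Trivy JSON report (Results entries with a
Class of os-pkgs / lang-pkgs and a Vulnerabilities list); the report content
is constructed and its CVE ids are placeholders.
"""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/team/app:1.4.2",
    "Results": [
        {"Target": "app:1.4.2 (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"}]},
    ],
})


def iter_findings(report):
    """Flatten Results -> Vulnerabilities into (package class, finding) pairs."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Class", "unknown"), vuln


def evaluate(report_json, block_at="CRITICAL", ignore_unfixed=True, allowlist=frozenset()):
    """Decide whether an image may be promoted to the registry and deployed.

    A finding blocks when its severity is at least block_at, it is not in the
    allowlist (documented, time-boxed exceptions), and, when ignore_unfixed is
    set, a fixed version exists (findings nobody can act on yet are reported
    in the summary but do not fail the build).
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[block_at]
    blocking, by_severity, by_class = [], Counter(), Counter()
    for pkg_class, vuln in iter_findings(report):
        sev = vuln.get("Severity", "UNKNOWN")
        by_severity[sev] += 1
        by_class[pkg_class] += 1  # keeps OS packages and app dependencies both visible
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        if vuln["VulnerabilityID"] in allowlist:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        blocking.append(
            f'{vuln["VulnerabilityID"]} {vuln["PkgName"]} ({sev}, fix {vuln["FixedVersion"]})'
        )
    return {
        "image": report.get("ArtifactName"),
        "allowed": not blocking,
        "blocking": blocking,
        "by_severity": dict(by_severity),
        "by_class": dict(by_class),
    }


def gate(report_json, **policy):
    """CI-style wrapper: print the verdict and return a process exit code."""
    verdict = evaluate(report_json, **policy)
    print(f'{verdict["image"]}: {"ALLOW" if verdict["allowed"] else "BLOCK"}')
    print(f'  findings by severity: {verdict["by_severity"]}')
    print(f'  findings by class:    {verdict["by_class"]}')
    for line in verdict["blocking"]:
        print(f"  blocking: {line}")
    return 0 if verdict["allowed"] else 1


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, block_at="HIGH"))
```

In a pipeline the script would read the scanner's report file instead of SAMPLE_REPORT and its exit code would decide whether the push or the deploy proceeds; the allowlist is where a team records accepted risks, and each entry should carry an owner and an expiry so exceptions are revisited rather than forgotten.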

Trade-offs

  • Pros: Governance, security, reproducibility, compliance
  • Cons: False positives, CI/CD slowdowns, licensing costs, base image maintenance overhead

Pitfalls

  • Scanning only “latest” tags
  • Not rescanning when new CVEs emerge
  • Covering OS packages but not application dependencies (or the reverse)
  • Skipping signature verification, or embedding secrets in the image
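Three of the pitfalls above (floating or "latest" tags, not rescanning when new CVEs emerge, and secrets embedded in the image) can be turned into mechanical checks. The following is an added example, not code from the page; the trusted registry name, the rescan window, the credential-looking key names, and the sample Dockerfile are all constructed for illustration.

```python
"""Mechanical checks for three registry/scanning pitfalls.

Added example, not from the original page. The trusted registry, the rescan
window, the list of credential-looking key names and the sample Dockerfile
are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

TRUSTED_REGISTRIES = {"registry.example.internal"}  # assumption for this example
SHA256_RE = re.compile(r"sha256:[0-9a-f]{64}")
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def parse_reference(ref):
    """Split an image reference into name, tag and digest.

    The tag separator is the last ':' after the last '/', because registry
    host ports (localhost:5000/app) also contain ':'.
    """
    name, _, digest = ref.partition("@")
    slash, colon = name.rfind("/"), name.rfind(":")
    tag = None
    if colon > slash:
        name, tag = name[:colon], name[colon + 1:]
    return {"name": name, "tag": tag, "digest": digest or None}


def check_reference(ref, trusted=TRUSTED_REGISTRIES):
    """Return policy violations for a deploy-time image reference."""
    parts = parse_reference(ref)
    problems = []
    if parts["digest"] is None:
        problems.append("not pinned by digest")
        if parts["tag"] in (None, "latest"):
            problems.append("floating 'latest' tag")  # a scan of 'latest' today says nothing about tomorrow's 'latest'
    elif not SHA256_RE.fullmatch(parts["digest"]):
        problems.append("malformed digest")
    first = parts["name"].split("/")[0]
    # A leading component with no '.' or ':' is a namespace on Docker Hub, not a host.
    registry = first if ("." in first or ":" in first or first == "localhost") else "docker.io"
    if registry not in trusted:
        problems.append(f"untrusted registry {registry}")
    return problems


def needs_rescan(last_scan, db_updated, now, max_age=timedelta(days=7)):
    """True when the vulnerability database changed after the last scan, or
    the scan is older than max_age. An image that passed last month can fail
    today without a single byte of it changing."""
    return db_updated > last_scan or now - last_scan > max_age


def dockerfile_secret_findings(text):
    """Flag ENV/ARG keys that look like credentials; both end up in image
    metadata and history, so they travel with the image to every registry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"(ENV|ARG)\s+(.*)", line.strip(), re.I)
        if not m:
            continue
        tokens = m.group(2).split()
        # 'ENV K=v K2=v2' form versus legacy 'ENV K v' form
        keys = [t.split("=", 1)[0] for t in tokens] if any("=" in t for t in tokens) else tokens[:1]
        findings.extend((lineno, k) for k in keys if SECRET_KEY_RE.search(k))
    return findings


# Constructed sample Dockerfile (placeholder digest and values).
SAMPLE_DOCKERFILE = "\n".join([
    "FROM registry.example.internal/base/python:3.12@sha256:" + "0" * 64,
    "ENV APP_MODE=prod",
    "ARG DB_PASSWORD",
    "ENV API_TOKEN=placeholder-value",
    "COPY . /app",
])


if __name__ == "__main__":
    for ref in ("app:latest", "registry.example.internal/team/app:1.4.2@sha256:" + "a" * 64):
        print(ref, "->", check_reference(ref) or "ok")
    utc = timezone.utc
    print("rescan needed:", needs_rescan(datetime(2025, 1, 1, tzinfo=utc),
                                         datetime(2025, 1, 2, tzinfo=utc),
                                         datetime(2025, 1, 3, tzinfo=utc)))
    print("secret-looking keys:", dockerfile_secret_findings(SAMPLE_DOCKERFILE))
```

The reference check belongs at admission time (for example in a Kubernetes admission policy), the rescan check in a scheduled job over everything already stored in the registry, and the Dockerfile check in the build step before the image exists. Pattern matching on key names only catches the obvious cases; a dedicated secret scanner over the image layers is the stronger control.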
TAGS
System Design Interview
System Design Fundamentals
CONTRIBUTOR
Design Gurus Team

Copyright © 2025 Design Gurus, LLC. All rights reserved.