What are customers seeing when they scan your images?

Nurit Bielorai
Apr 22, 2025 | 4 min read

Picture this: You finally sign that deal with the huge account your company has been chasing. From nurturing the relationship to successfully managing the POC, your teams have been working tirelessly to get everything in tip-top shape for this strategic customer.

As a security-focused, well-established enterprise, they decide not to go with your cloud-based offering since their data (which likely includes their customers' data as well) is highly sensitive – they prefer to have it in a more controlled, on-premise environment. So, you give them your image, and they scan it – just like they do with every other image that enters their registry or cloud.

And then… they pop up. The CVEs. Tons of them.

The customer contacts you immediately – not happy. They tell you it’s unacceptable. While your team has done everything to keep your own app code (which you live, breathe, and know better than anyone) as clean as possible, the base image that it’s sitting on (which you don't live, breathe, or know that well) is dirty. And it’s making you look bad.

So now, you have two choices: Try to fix the CVEs (which is extremely hard given that it’s not your code) and justify every single remaining vulnerability (and repeat this every time you give the customer a new version) or risk losing the customer altogether. Not too appealing, huh?

In this article, we’ll dive into why this happens and what you can actually do about it.

Why customers scan your images

When enterprise customers request your container images (or virtual machines) and run them on-premise, your images become part of their security perimeter, under their responsibility to monitor and secure.

And in these environments, scrutiny is especially high. As we all know, the cost of a security breach at this level is enormous – which is why so much budget goes into preventing one.

Security scanning is an essential tool in preventing such risks. Tools like Trivy, Grype, and the built-in scanners of CNAPP products like Wiz or Palo Alto inspect container images to identify known vulnerabilities listed in public databases like the NVD (National Vulnerability Database). And while only a fraction of security findings present real risk, in the customer's eyes, any vulnerability that appears is cause for concern.

How to handle CVEs

And when it comes to scanning, false positives are incredibly common. Sometimes a package is technically vulnerable, but the way you're using it doesn't expose that vulnerability. Yet scanners, just like customers, don't look at context – it's a simple yes or no, and in this case they will flag it – so now you're stuck justifying something that isn't even a real issue.

What exactly does justifying entail?

  • Assessing the context: First, you need to determine if the vulnerability is exploitable in your environment. Sometimes, a CVE only applies under specific conditions that you don’t use.
  • Evaluating the impact: The next step involves considering whether the vulnerable component is actively used in your application.
  • Providing documentation: If you need to justify a CVE, you must carefully document why it’s not a threat, referencing security sources and compensating controls.
  • Communicating with the customer: Finally, you’ll have to present this information to your customer, which can be time-consuming and still lead to dissatisfaction.

What you can do to stay clean

To avoid friction and the heavy justification process during a customer scan, there are a few things you should be doing proactively:

  1. Scan on your side first. Don’t wait until a customer runs a scan. Be proactive about scanning all of your images throughout development and in production. This way, you can triage and resolve issues and be prepared to justify the nonthreatening ones that may still appear in the scans.
  2. Use secure components from the start. Build with hardened, minimal, up-to-date base images. A clean foundation is the surest way to produce clean scans.
  3. Keep things clean over time. Security isn’t a one-and-done effort. Either put in place a process to continuously manage and update your images, or choose a trusted provider who will handle it for you.
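The justification steps above (assess, evaluate, document, communicate) and the "scan on your side first" advice fit together as one small CI gate. The following is an added example, not code from the original post or from any scanner vendor: it parses a scan report in the JSON shape Trivy emits (`trivy image --format json -o report.json IMAGE`), compares each finding against a file of written justifications kept beside the Dockerfile, and separates what must be fixed from what has been documented as not affecting the product. The report, package names, CVE identifiers and justification entries are constructed sample data; the expiry date on each justification is an assumed convention that forces periodic re-review rather than a feature of any scanner.

```python
"""Triage a container scan report against documented CVE justifications.

Added example (not from the original post). Assumes Trivy's JSON report
layout; the report and justification list below are constructed samples.
"""
import json

# Constructed sample in the shape Trivy produces (only the fields used here).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/app:1.4.2",
    "Results": [{
        "Target": "registry.example.com/app:1.4.2 (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libunused",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tzdata",
             "InstalledVersion": "2024a", "FixedVersion": "2024b", "Severity": "LOW"},
        ],
    }],
})

# The "providing documentation" step: every finding you intend to justify to a
# customer gets a written reason, the compensating controls, and an expiry date
# (assumed convention) so the justification is re-reviewed, not forgotten.
JUSTIFICATIONS = {
    "CVE-0000-0002": {
        "status": "not_affected",
        "reason": ("libunused ships in the base image but is never loaded; the "
                   "vulnerable code path needs a network listener the container "
                   "does not start."),
        "compensating_controls": "non-root user, read-only root filesystem",
        "expires": "2025-10-01",
    },
}

# Severities that block a release when no justification is on file.
GATE_SEVERITIES = {"CRITICAL", "HIGH"}


def triage(report_json, justifications, today_iso, gate=GATE_SEVERITIES):
    """Sort findings into fix / justified / stale / blocking buckets.

    today_iso is an ISO date string (YYYY-MM-DD); ISO dates compare correctly
    as plain strings, so no date parsing is needed.
    """
    report = json.loads(report_json)
    buckets = {"fix": [], "justified": [], "stale": [], "blocking": []}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            entry = {
                "cve": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v["Severity"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion", ""),
            }
            just = justifications.get(entry["cve"])
            if just is not None:
                # A justification that has passed its expiry no longer counts.
                if just["expires"] < today_iso:
                    buckets["stale"].append(entry)
                else:
                    buckets["justified"].append({**entry, "reason": just["reason"]})
                continue
            if entry["fixed"]:
                # An upgrade exists: fix it rather than argue about it.
                buckets["fix"].append(entry)
            if entry["severity"] in gate:
                buckets["blocking"].append(entry)
    return buckets


def gate_passes(buckets):
    """Release gate: nothing blocking and no expired justifications."""
    return not buckets["blocking"] and not buckets["stale"]


def customer_note(buckets):
    """Render the justified findings as the note shipped alongside the image."""
    return "\n".join(
        f"{e['cve']} ({e['pkg']} {e['installed']}, {e['severity']}): {e['reason']}"
        for e in buckets["justified"]
    )


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, JUSTIFICATIONS, "2025-04-22")
    for name, items in result.items():
        print(f"{name}: {[e['cve'] for e in items]}")
    print("gate passes:", gate_passes(result))
    print(customer_note(result))
```

Run against the constructed report, the gate fails because CVE-0000-0001 is HIGH with an upgrade available and no justification; CVE-0000-0003 is low severity and merely lands in the fix list; CVE-0000-0002 is carried with its written reason in the note for the customer. Re-running after the justification's expiry moves CVE-0000-0002 to the stale bucket, which is the point of the expiry: the "we don't use that code path" claim is re-checked against the current image before it is repeated to a customer.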

The takeaway?

If you find yourself concerned about what your scans reveal, it's a sign that something needs to change. Security should be baked in, not bolted on. If you want to ship secure software, start with secure images, stay proactive, and avoid surprises when your customers run their scans.
