This integration is configured through the Invicti ASPM product.
Container security overview
What is container security scanning?
Container security scanning inspects container images for vulnerabilities, misconfigurations, exposed secrets, and license risks. Scanning images in container registries and Kubernetes clusters helps teams identify and remediate security issues before containers are deployed to production.
Invicti AppSec Core includes a preconfigured Invicti Container Security scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own container scanning tools instead. See AppSec Core scanners overview for details on the built-in scanner.
How it works
Container security scanners analyze the contents of container images to build a complete inventory of their components. The scanning process includes:
- OS package analysis — identifies vulnerabilities in operating system packages installed in the image.
- Dependency scanning — detects known vulnerabilities in application-level libraries and dependencies within the container.
- Secrets detection — finds credentials, API keys, and other sensitive data embedded in container images.
- Configuration checks — flags insecure configurations such as containers running as root, missing resource limits, or missing health checks.
- SBOM generation — produces Software Bills of Materials in CycloneDX and SPDX formats for container images.
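The configuration checks in the list above can be illustrated with an added example (not Invicti's code or the logic of any scanner named on this page) that flags root execution, elevated privileges, missing resource limits, and missing health checks in a Kubernetes Pod spec. The function names and the sample manifest are constructed for illustration, and treating liveness/readiness probes as the "health check" is an assumption.

```python
# Added illustration of configuration checks; not any listed scanner's logic.

def runs_as_root(container, pod_sc):
    """True unless the effective securityContext rules out UID 0."""
    sc = container.get("securityContext") or {}
    # Container-level settings override pod-level ones.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is not None:
        return uid == 0
    return not non_root  # no UID set: the image default may be root

def check_pod(manifest):
    """Return sorted (container, finding) tuples for one Pod manifest dict."""
    spec = manifest.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if runs_as_root(c, pod_sc):
            findings.append((name, "may-run-as-root"))
        # An unset allowPrivilegeEscalation leaves escalation permitted.
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "elevated-privileges"))
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append((name, f"missing-{res}-limit"))
        if not (c.get("livenessProbe") or c.get("readinessProbe")):
            findings.append((name, "missing-health-check"))
    return sorted(findings)

# Constructed sample manifest (not from a real cluster).
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "example/web:1.0",
             "securityContext": {"allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
             "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsUser": 0, "privileged": True},
             "resources": {"limits": {"cpu": "100m"}}},
        ],
    },
}
```

In the sample, `web` passes every check, while `sidecar` overrides the pod-level `runAsNonRoot` with UID 0 and is reported for all four categories.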
What it can discover
Container security scanning detects risks across the following categories:
| Category | Examples |
|---|---|
| Vulnerable OS packages | Outdated or known-vulnerable packages within the container image |
| Application dependency vulnerabilities | CVEs in libraries and frameworks bundled in the image |
| Exposed secrets | Hardcoded credentials, API keys, tokens, and certificates |
| Misconfigurations | Containers running as root, missing resource limits, elevated privileges |
| License risks | Open-source license issues within container components |
| Outdated base images | Base images that are no longer maintained or missing critical security patches |
Supported container security scanners
The following container security integrations are available through Invicti ASPM:
| Scanner | Type | Authentication |
|---|---|---|
| Trivy | Docker | — |
| Trivy Operator | Kubernetes integration | — |
| Snyk Container | Connection | API token |
| Amazon Inspector CS | Connection | AWS credentials |
| Qualys CS | Connection | Basic auth |
| Armo Security | Connection | API token |
| CrowdStrike Falcon Container | Connection | API token |
| Lacework Container Security | Connection | API token |
| Prisma Cloud Compute CS | Connection | Basic auth |
| Red Hat Advanced Cluster Security | Connection | API token |
Choosing a container security scanner
| If you need… | Consider |
|---|---|
| Open-source / no license cost | Trivy, Trivy Operator |
| Kubernetes-native scanning | Trivy Operator, Red Hat Advanced Cluster Security, Armo Security |
| AWS-native scanning | Amazon Inspector CS |
| Enterprise cloud security platform | Prisma Cloud Compute CS, CrowdStrike Falcon, Lacework |
| Developer-friendly SaaS | Snyk Container |