Vulnerability Scanning
Definition
Automated process that identifies known vulnerabilities (published CVEs), insecure configurations and other weaknesses in cloud infrastructure and container images so they can be remediated before attackers exploit them.
Use Cases
- Capital One: Continuous Security Assessment — Automated vulnerability scanning across all EC2 instances and container images as part of CI/CD pipeline (Reduced mean time to remediate critical vulnerabilities from 30 days to 48 hours)
Provider Equivalents
- AWS: Amazon Inspector, ECR Image Scanning
- Azure: Microsoft Defender for Cloud
- GCP: Security Command Center, Artifact Analysis
- OCI: Vulnerability Scanning Service
Frequently Asked Questions
- What types of vulnerabilities can cloud scanners detect?
- Cloud vulnerability scanners detect known CVEs in operating systems and installed packages, misconfigurations in cloud resources, exposed secrets, insecure network configurations, and compliance violations against standards such as the CIS benchmarks. Package findings come from matching installed versions against a vulnerability database, so scanners do not find application logic flaws or vulnerabilities that have not yet been published.
- How often should I run vulnerability scans?
- Best practice is continuous scanning: run automated scans on every code push and container image build, and at least daily against running infrastructure. Because new CVEs are published against software that is already deployed, stored images and running hosts should also be rescanned whenever the vulnerability database updates, not only when the asset itself changes. Critical assets may warrant real-time monitoring.
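The per-build scan described above is only useful if the pipeline acts on the result. The following is an added example, not code from the original page or from any scanner vendor, of a CI gate that reads scanner findings and decides whether the build may proceed: critical findings always block, high findings block only when a fixed version exists (so unfixable issues are reported rather than permanently failing the build), and time-boxed exceptions can waive individual findings. The JSON shape, the field names, the `GatePolicy`/`evaluate_report` helpers and the CVE identifiers in the sample report are all constructed for this example; real tools such as Amazon Inspector emit their own schemas.

```python
"""CI gate over vulnerability-scanner output (added example; hypothetical schema)."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed sample report in a simplified JSON shape invented for this example.
# The CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT = """
{
  "artifact": "registry.example.com/payments-api:1.4.2",
  "findings": [
    {"id": "CVE-2099-0001", "package": "openssl", "installed": "3.0.1",
     "fixed": "3.0.2", "severity": "CRITICAL"},
    {"id": "CVE-2099-0002", "package": "curl", "installed": "7.88.0",
     "fixed": null, "severity": "HIGH"},
    {"id": "CVE-2099-0003", "package": "zlib", "installed": "1.2.12",
     "fixed": "1.2.13", "severity": "HIGH"},
    {"id": "CVE-2099-0004", "package": "bash", "installed": "5.2",
     "fixed": "5.2.1", "severity": "MEDIUM"}
  ]
}
"""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


@dataclass
class GatePolicy:
    # Severities that block regardless of whether a fix exists.
    always_block: frozenset = frozenset({"CRITICAL"})
    # Severities that block only when the scanner reports a fixed version.
    block_if_fixable: frozenset = frozenset({"HIGH"})
    # Approved exceptions: finding id -> ISO expiry date (inclusive).
    exceptions: dict = field(default_factory=dict)


@dataclass
class GateResult:
    blocking: list   # findings that fail the build
    waived: list     # would block, but a valid (unexpired) exception applies
    unfixed: list    # would block if fixable, but no fix is available yet

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate_report(report_json: str, policy: GatePolicy, today_iso: str) -> GateResult:
    """Apply the gate policy to a scanner report; dates are ISO strings (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    findings = json.loads(report_json)["findings"]
    # Deterministic order: most severe first, then by id.
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"].upper(), 0), f["id"]))

    result = GateResult(blocking=[], waived=[], unfixed=[])
    for f in findings:
        sev = f["severity"].upper()
        fixable = f.get("fixed") is not None
        would_block = sev in policy.always_block or (sev in policy.block_if_fixable and fixable)

        if would_block:
            expiry = policy.exceptions.get(f["id"])
            if expiry is not None and today <= date.fromisoformat(expiry):
                result.waived.append(f["id"])   # exception still valid
            else:
                result.blocking.append(f["id"])  # no exception, or it has expired
        elif sev in policy.block_if_fixable and not fixable:
            result.unfixed.append(f["id"])       # surfaced for tracking, does not block
    return result


if __name__ == "__main__":
    policy = GatePolicy(exceptions={"CVE-2099-0003": "2099-01-01"})
    outcome = evaluate_report(SAMPLE_REPORT, policy, date.today().isoformat())
    print(f"blocking={outcome.blocking} waived={outcome.waived} unfixed={outcome.unfixed}")
    sys.exit(0 if outcome.passed else 1)
```

Expiring exceptions matter in practice: an exception granted because no fix existed must lapse, otherwise the waiver silently outlives the reason for it. Unfixable findings are kept in a separate list so they can be tracked (and block once a fix appears on rescan) without blocking every build in the meantime.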
Category: security
Difficulty: intermediate