The previous parts secured the code and the infrastructure. This part secures the container image — the thing that actually runs in production. When you build a Docker image, you're not just shipping your application. You're shipping the entire base image underneath it — the OS, the system libraries, the package manager, all of it. Every CVE in those packages is now your problem.

Code repo: https://github.com/pkkht/devsecops-demo/

What container scanning is

Container scanning analyses a built Docker image for known vulnerabilities. It inspects the OS layer, every installed package, and the application dependencies, then cross-references each one against public CVE databases.

The key insight: most of the vulnerabilities in a container image come from the base image, not from the application code. Choosing an old or full base image can introduce hundreds of vulnerabilities before you've written a single line of your own code.

The tool: Trivy

Trivy is an open source vulnerability scanner from Aqua Security.…
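To make the base-image-versus-application split measurable, here is an added example (not code from the post or its repo) that triages a Trivy JSON report: it assumes the shape of `trivy image --format json` output, where each entry in Results carries a Class of os-pkgs (base image) or lang-pkgs (application dependencies), and it runs on a constructed sample report whose CVE ids, packages and versions are placeholders.

```python
"""Triage a Trivy JSON report: attribute findings to base image vs app deps, then gate."""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output.
# CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example-app:latest",
    "Results": [
        {"Target": "example-app:latest (debian 11.0)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1n-0", "FixedVersion": "1.1.1n-1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
              "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "perl-base",
              "InstalledVersion": "5.32.1-4", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "HIGH"}]},
    ],
})


def findings(report_json):
    """Yield (class, vuln) pairs; 'Vulnerabilities' may be absent or null in real reports."""
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Class", "unknown"), vuln


def summarise(report_json):
    """Count findings by origin class and by severity, plus those with no fix available."""
    by_class, by_severity, unfixed = Counter(), Counter(), 0
    for cls, vuln in findings(report_json):
        by_class[cls] += 1
        by_severity[vuln.get("Severity", "UNKNOWN")] += 1
        unfixed += not vuln.get("FixedVersion")
    return {"by_class": dict(by_class), "by_severity": dict(by_severity), "unfixed": unfixed}


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return findings at or above threshold; a non-empty list means fail the build.
    ignore_unfixed mirrors Trivy's --ignore-unfixed: skip findings with no FixedVersion."""
    floor = SEVERITY_RANK[threshold]
    return [(cls, v["VulnerabilityID"], v["PkgName"]) for cls, v in findings(report_json)
            if not (ignore_unfixed and not v.get("FixedVersion"))
            and SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= floor]
```

In the sample, three of four findings sit in the base image, which is the pattern the post describes; swapping in a report from a real scan is a matter of reading the JSON file instead of SAMPLE_REPORT.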