Container security is a distinct discipline from VM security. The image build process, the runtime configuration, and the orchestration layer each present different attack surfaces.
Minimal base images
The smallest attack surface starts with the smallest base image. Distroless images (from Google) contain only the application runtime and its dependencies, no shell, no package manager, no unnecessary system utilities. An attacker who achieves code execution in a distroless container cannot run a shell to explore the filesystem or install tools. Alpine Linux is the common minimal base for interpreted languages; for compiled binaries, scratch (empty base image) is the minimal choice.
Non-root container execution
Running containers as root is the default unless explicitly overridden. A process running as root in a container has root access to the host in many non-default configurations. The security standard: every container should run as a non-root user. Dockerfile: USER 1001 (a non-root UID). Kubernetes PodSecurityContext: runAsNonRoot: true, runAsUser: 1001. Container runtime seccomp profiles restrict the system calls the container can make.
Image scanning in CI
Container image scanning (Trivy, Clair, Anchore, and cloud provider equivalents like Azure Container Registry's integrated scanning) identifies known vulnerabilities (CVEs) in base image packages and application dependencies. Integrating image scanning into the CI pipeline with a policy that fails builds on high/critical CVEs catches vulnerabilities before images reach production. The challenge is managing the volume of findings, the policy should require remediation of actionable high/critical findings, not zero-CVE as a gate.
Runtime security monitoring
Static image scanning does not detect runtime attacks. Runtime security tools (Falco, Aqua Security, Sysdig Secure) monitor container behaviour: system calls made, files accessed, network connections established. Rules fire when a container exhibits unexpected behaviour: spawning a shell, modifying sensitive files, making unexpected outbound connections. Runtime security is the last layer of defence after image hardening and admission control.