Anonymous Intelligence Signal

Critical Security Gap: Container Images Deployed Without Vulnerability Scanning, Exposing Infrastructure to Known CVEs

human The Lab unverified 2026-04-11 15:22:33 Source: GitHub Issues

A critical security gap has been identified in the deployment pipeline: container images are deployed without vulnerability scanning, signature verification, or registry authentication. This leaves the infrastructure exposed to known CVEs, supply chain attacks, and potentially malicious payloads. There are no documented scan results at all, images are pulled anonymously straight from Docker Hub, and no policy exists that would block a vulnerable or compromised image from reaching production.

The absence of scanning and verification opens several high-risk vectors. The primary risk is deploying images that carry known, documented vulnerabilities (CVEs). Beyond that, without signature verification there is no way to establish the origin or integrity of an image, so a tampered or malicious image is indistinguishable from a legitimate one; registry authentication alone does not close this, since it controls who may pull, not what was pushed. The gap also has a direct compliance impact: standard security audits expect documented vulnerability assessments, and none currently exist.

To address this, a two-phase remediation plan is required. Phase 1 enables scanning immediately: configure Trivy to scan images locally before deployment, expose that scan as a `make scan` target in the build, and wire the same scan into CI/CD so that any deployment containing critical-severity vulnerabilities is blocked automatically. Phase 2 hardens the supply chain by moving to a private or trusted image registry with built-in scanning, such as Docker Hub Advanced or Quay.io, to establish a controlled and verifiable source for all container images. Note that a scanner only reports CVEs in packages it can identify and says nothing about who built the image, so Phase 2 should also cover the signature-verification gap called out above rather than relying on scanning alone.
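The Phase 1 gate described above, as an added example that is not code from the original issue or the project it describes. It assumes the scan was run as `trivy image --format json -o report.json IMAGE` and that the report uses Trivy's `Results[].Vulnerabilities[]` layout with the fields `VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion` and `FixedVersion`; the sample report, the `example.com/app` image name and the `CVE-0000-000x` identifiers are constructed placeholders. Beyond the page's "block on critical" rule it also refuses image references that are not pinned by digest, and it supports a time-limited allowlist so accepted risk expires and is re-reviewed instead of being forgotten.

```python
"""
Added example: a CI gate that reads a Trivy JSON report and blocks the deploy
when policy is violated. Not the project's own code.

Assumptions (not stated on the page):
  - the report came from `trivy image --format json -o report.json IMAGE`
    and uses Trivy's Results[].Vulnerabilities[] layout;
  - the image reference being deployed is passed in separately so the gate
    can also insist on a digest rather than a mutable tag.
"""
import json
import re
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Only an exact sha256 digest counts as pinned; a bare tag such as :latest can
# be repointed by whoever controls the registry namespace.
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref: str) -> bool:
    return bool(DIGEST_RE.match(image_ref))


def findings_from_report(report: dict) -> list:
    """Flatten Trivy's per-target vulnerability lists into one list."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy may emit null
            out.append({
                "id": v.get("VulnerabilityID", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "target": result.get("Target", ""),
            })
    return out


def evaluate_gate(report: dict, image_ref: str, *, block_at="CRITICAL",
                  ignore_unfixed=False, allowlist=None, today=None) -> dict:
    """
    Decide whether image_ref may be deployed.

    Returns {"allowed": bool, "reasons": [...], "blocking": [findings]}.
    allowlist maps a vulnerability id to an ISO expiry date; once expired the
    entry no longer suppresses the finding.
    """
    today = today or date.today()
    allowlist = allowlist or {}
    reasons, blocking = [], []

    if not is_digest_pinned(image_ref):
        reasons.append(f"image reference is not pinned by digest: {image_ref}")

    threshold = SEVERITY_RANK[block_at]
    for f in findings_from_report(report):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue  # nothing to upgrade to yet; report elsewhere, do not block
        expiry = allowlist.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # accepted risk, still inside its review window
        blocking.append(f)
        fix = f", fixed in {f['fixed']}" if f["fixed"] else ", no fix available"
        reasons.append(f"{f['id']} ({f['severity']}) in {f['pkg']} {f['installed']}{fix}")

    return {"allowed": not reasons, "reasons": reasons, "blocking": blocking}


# Constructed sample report in Trivy's JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "example.com/app:latest",
  "Results": [
    {
      "Target": "example.com/app:latest (debian 12.5)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
         "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"}
      ]
    }
  ]
}
""")

# Placeholder digest-pinned reference for the same image.
PINNED_REF = "example.com/app@sha256:" + "a" * 64

if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_REPORT, "example.com/app:latest")
    for reason in verdict["reasons"]:
        print("BLOCK:", reason)
    raise SystemExit(0 if verdict["allowed"] else 1)
```

Wired into `make scan`, the target would run `trivy image --format json -o report.json IMAGE` and then this script; the script's non-zero exit is what makes the CI step fail. Tightening `block_at` to `HIGH` and keeping `ignore_unfixed` off is a reasonable next step once the critical backlog is cleared, since an unfixed HIGH in an exposed service still deserves a human decision rather than a silent pass.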