We are excited to release an important new capability – container image layer visibility.
A Docker build consists of a series of ordered build instructions. A layer, or image layer, is a change in an image, or an intermediate image. Every command specified (FROM, RUN, COPY, etc.) in a Dockerfile causes the previous image to change, thus creating a new layer.
This new capability provides a detailed breakdown of each container image by:
- Highlighting specific image layers
- Identifying image changes between layers
- Pinpointing the introduction layer for every package
Understanding and tracking container image layers is crucial for identifying when and where vulnerabilities were first introduced and can also be used to discover package drifts related to packages installed outside the base image layer.
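The layer attribution described above can be sketched as follows. This is an added example, not code from the product: it assumes a package inventory is available for each layer, and the layer instructions, package names, versions and function names are all constructed for illustration.

```python
# Constructed sample: package inventory (name -> version) seen after each layer.
# Instructions, package names and versions are illustrative, not from a real image.
BASE = {"libc6": "2.36-9", "openssl": "3.0.9-1"}
WITH_TOOLS = {**BASE, "curl": "7.88.1-10", "ca-certificates": "20230311"}
UPGRADED = {**WITH_TOOLS, "openssl": "3.0.11-1"}
PURGED = {n: v for n, v in UPGRADED.items() if n != "curl"}
LAYERS = [
    ("FROM debian:12-slim", BASE),
    ("RUN apt-get install -y curl ca-certificates", WITH_TOOLS),
    ("RUN apt-get install -y --only-upgrade openssl", UPGRADED),
    ("COPY app /app", UPGRADED),
    ("RUN apt-get purge -y curl", PURGED),
]
BASE_LAYER_COUNT = 1  # assumption: the first layer is the base image


def layer_changes(layers):
    """Diff each layer's inventory against the previous layer's."""
    changes, previous = [], {}
    for index, (instruction, current) in enumerate(layers):
        changes.append({
            "layer": index,
            "instruction": instruction,
            "added": sorted(set(current) - set(previous)),
            "changed": sorted(n for n in current
                              if n in previous and previous[n] != current[n]),
            "removed": sorted(set(previous) - set(current)),
        })
        previous = current
    return changes


def introduction_layers(layers):
    """Map every package in the final image to the layer that set its current version."""
    origin = {}
    for change in layer_changes(layers):
        for name in change["removed"]:
            origin.pop(name, None)  # removed packages are not in the final image
        for name in change["added"] + change["changed"]:
            origin[name] = change["layer"]  # an upgrade re-attributes the package
    return origin


def package_drift(layers, base_layer_count):
    """Packages whose current version was set outside the base image layers."""
    origin = introduction_layers(layers)
    return sorted(n for n, layer in origin.items() if layer >= base_layer_count)
```

A vulnerability found in a package can then be traced to the instruction at its introduction layer, and anything returned by `package_drift` is a package that the base image alone does not account for.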
In addition to layer visibility and the ability to pinpoint vulnerability origins, you can also use this capability for:
1. Streamlined scans of large images, leveraging our ability to break the scan per layer
2. More efficient scans that only scan the last layer
3. Faster and easier scanning for your organization
Use this capability for increased transparency into your running container images, helping you rapidly identify and track how image layers introduce or resolve vulnerabilities and how this impacts your overall cloud security.