Our website: https://aws-image-scanner.netlify.app/
A production-grade DevSecOps platform for scanning Docker containers and images for vulnerabilities (CVEs). Built with a microservices architecture, this system provides real-time scanning, risk scoring, and a modern dashboard for security assessment.
The Container Vulnerability Scanner automates the security auditing of container images. It leverages Trivy as the underlying scanning engine but wraps it in a scalable, distributed architecture suitable for enterprise deployment.
Problem Solved: Manual security scanning is slow and lacks visibility. This tool creates a centralized dashboard to track, audit, and remediate container vulnerabilities before deployment.
The system follows a strictly decoupled microservices pattern:

```mermaid
graph LR
    User[User/Browser] --> Ingress[NGINX Ingress]
    Ingress --> Front["Frontend (React)"]
    Ingress --> API["Backend API (FastAPI)"]
    API --> DB[(PostgreSQL)]
    API --> Queue[Job Queue]
    Queue --> Worker[Scanner Worker]
    Worker --> Trivy[Trivy Engine]
    Worker --> DB
```
- API Service (FastAPI): Handles requests, manages scan lifecycle, and serves data.
- Worker Service: Asynchronous worker that pulls images and executes Trivy scans.
- Frontend (React + Tailwind): Interactive dashboard for visualization and reporting.
- Database (PostgreSQL): Stores scan results, vulnerability details, and audit logs.
- Orchestration: Fully containerized and deployed via Kubernetes.
- 🔍 Deep Vulnerability Scanning: Detects OS packages and application dependency vulnerabilities using Trivy.
- ⚡ Real-Time Updates: Asynchronous scanning with live status updates (Pending → Pulling → Scanning → Completed).
- 📊 Interactive Dashboard: Visual breakdown of Critical, High, Medium, and Low risks.
- 🐳 Multi-Source Support: Scan images from Docker Hub, private registries, or upload `.tar` files directly.
- 🛡️ Risk Scoring: Automated calculation of image security posture scores.
- ☁️ Cloud Native: Designed for Kubernetes (EKS/Kind) with GitOps (ArgoCD) support.
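As an added illustration (not the project's own code) of the hand-off between the Scanner Worker and the dashboard: a parser that reduces a Trivy JSON report to the Critical/High/Medium/Low breakdown and a posture score. The report sample, the placeholder CVE ids and the scoring weights are constructed assumptions; the JSON shape follows Trivy's real `--format json` output, but the project's actual scoring formula is not documented on this page.

```python
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
# Assumed per-finding weights: the page does not document the project's real
# scoring formula, so this is an illustrative substitute.
WEIGHTS = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample in the shape of `trivy image --format json` output.
# The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "nginx:1.14",
    "Results": [
        {"Target": "nginx:1.14 (debian 9.9)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.0", "FixedVersion": "1.1.0k", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "bash",
              "InstalledVersion": "4.4", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libc6",
              "InstalledVersion": "2.24", "FixedVersion": "2.24-11", "Severity": "low"},
         ]},
        # Trivy omits "Vulnerabilities" entirely for a clean target; the parser
        # must tolerate the missing key rather than crash the worker.
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg"},
    ],
})


def summarize_trivy_report(report_json: str) -> dict:
    """Reduce a Trivy JSON report to the dashboard's severity breakdown, a
    count of fixable findings and a 0-100 posture score (100 = no findings)."""
    report = json.loads(report_json)
    counts = Counter({s: 0 for s in SEVERITIES})
    fixable = 0
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in WEIGHTS else "UNKNOWN"] += 1
            if vuln.get("FixedVersion"):  # empty string = no upstream fix yet
                fixable += 1
    weighted = sum(WEIGHTS[s] * counts[s] for s in SEVERITIES)
    return {"image": report.get("ArtifactName"), "counts": dict(counts),
            "total": sum(counts.values()), "fixable": fixable,
            "posture_score": max(0, 100 - weighted)}
```

The `fixable` count is what a remediation view needs first: findings with a `FixedVersion` can be closed by rebuilding on a patched base image, while the rest can only be tracked.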
- Docker & Kubernetes (Kind or Minikube)
- kubectl
- ArgoCD (Optional, for GitOps)
We provide an automated script to set up the entire stack in minutes.
- Clone the repository:
  ```bash
  git clone https://github.com/yourusername/cloud-vuln.git
  cd cloud-vuln
  ```
- Install Dependencies:
  ```bash
  chmod +x install-tools.sh
  sudo ./install-tools.sh
  ```
- Deploy Cluster:
  ```bash
  chmod +x start-k8s.sh
  ./start-k8s.sh
  ```
- Access the Dashboard:
  - Frontend: http://localhost:3000 (via port-forward)
  - API: http://localhost:8000
To deploy this project on AWS Elastic Kubernetes Service (EKS):
- Push Images to ECR:
  ```bash
  aws ecr create-repository --repository-name vulnscan-backend
  # Build and push commands (see deployment guide)
  ```
- Create EKS Cluster:
  ```bash
  eksctl create cluster --name vulnscan-prod --node-type t3.medium --nodes 2
  ```
- Apply Manifests: update the image references in `k8s/*.yaml` to your ECR URI and apply:
  ```bash
  kubectl apply -f k8s/
  ```
- Open the Dashboard.
- Enter the image name (e.g., `nginx:1.14` or `postgres:latest`).
- Click Scan.
- Watch the progress bar as the worker pulls and scans the image.

- Save your local image: `docker save my-app:v1 -o my-app.tar`.
- Click the Upload icon on the dashboard.
- Drag & drop the `.tar` file.
Full Swagger/OpenAPI documentation is available at: http://localhost:8000/docs
| Component | Technology | Description |
|---|---|---|
| Backend | Python 3.11, FastAPI | High-performance async API |
| Frontend | React 18, Vite, Tailwind | Modern, responsive UI |
| Database | PostgreSQL 15 | Relational data & JSONB storage |
| Scanning | Trivy (Aqua Security) | Vulnerability detection engine |
| DevOps | Docker, Kubernetes, ArgoCD | Container orchestration & CI/CD |
| Testing | Pytest, HTTPX | Comprehensive test suite |
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is intended for educational and defensive security purposes only. Ensure you have permission to scan the container images you target.