Re: If they pass the bug scans, IT ops can deploy the images to production systems as containers.
> @AC how long do you expect a container to run for? Why would I periodically rescan something designed from the ground up to redeploy repeatedly?
Who knows - it could be running for months. Not everybody eats the agile/devops daily release mantra.
But the point is, it's not even necessary to scan every container! Rather, you scan the master image which it was spawned from.
Hence if you have 1000 containers running from the same image, you only need to scan one; and the scanning should take place on your repository, not the production servers, so it has no service impact.
All you need to do is to track which containers were spawned from which images. If the master image is no longer being used by any running containers, then it can be garbage-collected anyway.
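The bookkeeping described in this post, as an added example that is not part of the thread: given a container inventory, work out which distinct images actually need a scan and which registry images no running container references. The inventory and registry contents are constructed sample data; keying on the image digest rather than the tag is the one detail worth noting, since several tags can point at the same bits.

```python
"""Dedupe image scans and find unreferenced images (added example).

Assumes an inventory shaped like `docker ps --format '{{.ID}} {{.Image}} {{.ImageID}}'`
and a set of digests held in the registry; both are constructed samples here.
"""
from collections import defaultdict

# Constructed sample: (container_id, image_tag, image_digest).
RUNNING_CONTAINERS = [
    ("c1a", "web:2.3", "sha256:aaa1"),
    ("c2b", "web:2.3", "sha256:aaa1"),
    ("c3c", "web:2.3", "sha256:aaa1"),
    ("d4d", "api:1.9", "sha256:bbb2"),
    ("e5e", "web:2.3-hotfix", "sha256:aaa1"),  # retagged, identical bits
]

# Constructed sample: digests in the registry, including stale ones.
REGISTRY_IMAGES = {"sha256:aaa1", "sha256:bbb2", "sha256:ccc3", "sha256:ddd4"}


def containers_by_image(inventory):
    """Map image digest -> set of container ids spawned from it.

    Digest, not tag: two tags may share one image (one scan covers both),
    and a tag can be moved to new bits after the last scan.
    """
    index = defaultdict(set)
    for cid, _tag, digest in inventory:
        index[digest].add(cid)
    return index


def images_to_scan(inventory):
    """Distinct digests backing running containers: scan each exactly once."""
    return sorted(containers_by_image(inventory))


def images_to_garbage_collect(inventory, registry):
    """Registry digests that no running container references."""
    in_use = set(containers_by_image(inventory))
    return sorted(registry - in_use)


if __name__ == "__main__":
    # Five containers, two images: two scans instead of five.
    print("scan once each:", images_to_scan(RUNNING_CONTAINERS))
    print("gc candidates:", images_to_garbage_collect(RUNNING_CONTAINERS, REGISTRY_IMAGES))
```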