A step-by-step guide to scanning container images for vulnerabilities directly within Snowpark Container Services (SPCS). The setup uses grype wrapped in a bash script that authenticates via SPCS built-in token auth, runs as a SPCS job, deposits JSON scan results into a Snowflake stage, and auto-ingests them via Snowpipe into a table. Results are enriched with company-specific asset inventory data (environment, team, criticality) and a priority score combining KEV status, EPSS score, and CVE severity. A companion Streamlit app visualizes the findings. The approach avoids storing external credentials in CI/CD by running the entire pipeline inside SPCS.

8 min read. From medium.com, by Vladimir Timofeenko.

Table of contents
TL;DR
Process overview
Prerequisites
Scanner image
Sample image upload
Running the scanner job
Results pipeline
Viewing results in Streamlit
Conclusion
Potential improvements

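The enrichment step summarised at the top of this page, as an added example that is not the article's own code: it flattens a grype JSON report into one row per finding, joins it with an asset-inventory record, and ranks rows with an assumed priority rule (severity scaled by asset criticality, plus EPSS and KEV bonuses). The report, the inventory, the KEV set and the EPSS values are constructed stand-ins; in the article they come from the scan output in the stage and from Snowflake tables.

```python
import json

# Constructed sample of grype's JSON report (grype <image> -o json); only the
# fields this example reads are included, the real report carries far more.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "openssl", "version": "1.1.1k"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "curl", "version": "7.79.1"}},
]})

# Constructed stand-ins for the company asset inventory, the CISA KEV catalog
# and EPSS probabilities; the CVE ids are placeholders, not real entries.
ASSET_INVENTORY = {"acme/payments-api:1.4.2":
                   {"environment": "prod", "team": "payments", "criticality": "high"}}
KEV_IDS = {"CVE-0000-0001"}
EPSS_SCORES = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.02}

SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def priority_score(severity, epss, in_kev, criticality):
    """Assumed scoring rule (not the article's): severity weight scaled by asset
    criticality, plus up to 4 points for EPSS and a flat 5 for KEV entries."""
    base = SEVERITY_WEIGHT.get(severity, 0) * CRITICALITY_WEIGHT.get(criticality, 1)
    return round(base + 4 * epss + (5 if in_kev else 0), 2)


def enrich_findings(report_json, image, inventory=ASSET_INVENTORY,
                    kev=KEV_IDS, epss=EPSS_SCORES):
    """Flatten a grype report into one row per finding, joined with the asset
    inventory record for `image`, sorted by descending priority. Images missing
    from the inventory are treated as low-criticality rather than dropped."""
    asset = inventory.get(image, {"environment": "unknown", "team": "unknown",
                                  "criticality": "low"})
    rows = []
    for m in json.loads(report_json)["matches"]:
        cve = m["vulnerability"]["id"]
        sev = m["vulnerability"].get("severity", "Unknown")
        score = priority_score(sev, epss.get(cve, 0.0), cve in kev, asset["criticality"])
        rows.append({"image": image, "package": m["artifact"]["name"],
                     "version": m["artifact"]["version"], "cve": cve,
                     "severity": sev, **asset, "in_kev": cve in kev,
                     "epss": epss.get(cve, 0.0), "priority": score})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in enrich_findings(SAMPLE_REPORT, "acme/payments-api:1.4.2"):
        print(row["priority"], row["cve"], row["package"], row["team"])
```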