Hey there,
host vulnerability scanning is a whole different ballgame, albeit just as critical for a ‘defense in depth’ approach. But for now I’ll limit my comments specifically to container images and running instances since thats enough to deal with
It sounds like you are on the right path. The first job is to establish a clear security policy around both vendor provided and custom (internally maintained) images. It is not uncommon for your policy to differ depending on your overall risk appetite (or those of your security team and/or business sponsor). Ultimately it will always be a ‘business risk acceptance’ call. So first off, define what scanning you want to do, when (in the life-cycle), what the policy is in terms of acceptable and non-acceptable risk (typically detection of vulnerabilities within specific severity levels) and then what happens when vulnerabilities are detected and how you evidence that they have been remediated (even if that means ‘won’t fix’).
You also need to think about vulnerabilities (at least) in terms of potential exploits because of the software itself (packages, 3rd party library dependencies, custom application code, etc) and configuration (e.g. risk sensitive data - aka: secrets). Some tools can cover more than one of these (or claim to - caveat emptor !) but most have a primary focus. For example, if you use GitHub, the Dependabot service may cover off SCA (Software Composition Analysis) of your source code whereas GHAS is used for vulnerabilities and secrets. Similarly products like Snyk have separate modules for dependencies, IaC, container, etc.). Invest some time in making sure that you have detailed the vulnerability types you want to mitigate and then compare that against the tools you want to evaluate.
IME, choices around tooling comes afterwards otherwise you are in danger of having your policy dictated by the capability of a particular tool(s). That said, you will typically have to trade off capability against any tooling constraints (many open source tools in this space are very capable but you still get what you pay for to some extent and/or there may be limits on usage or functionality).
In my experience, being consistent both in policy and implementation is probably the most important thing. I would certainly advice against runnning multiple tools although you should abviously do sufficient due dilligence to ensure that the one you select doesn’t ‘paint you into a corner’. That said, as I hinted at above, you may need more than one to ensure you cover off all vulnerability types, just make sure you are clear about what you are using each tool for and ignore any overlaps.
I’ll stop for now because I’m sure you would much rather hear about specific tech than security policy. I too am always drawn to the allure of tech, but unfortunately someone has to describe the context in which security will be applied. Its boring, but ultimatley more important and has a much greater shelf-life than the latest ‘shiny’ tool Such is the lot of a Security Eng (my last position).
I chip-in later if there seems like a reason too.