Trivy Cluster Operator
With regard to application life cycle management, vulnerability scanning is important. There are many vulnerability scanning tools; one I came across a while back that does this well is Trivy. Other tools are probably excellent as well, but what I like about Trivy is that it can run as an operator in your Kubernetes cluster and scan every workload you run (in your test environment, for example). I prefer this setup to running vulnerability scans only during builds, for several reasons:
- New security issues also show up in software that hasn't been released for a long time, because new flaws keep being discovered: some components may go weeks or months without a new release, and a build-time scan never looks at them again.
- Not everything that runs in production is necessarily built by yourself; third-party images never pass through your build pipeline.
- Trivy does not only scan your executable but the entire image, so vulnerabilities in the OS packages and libraries inside the image are found as well.
- Only production(-like) workloads are scanned, so build and test dependencies are kept out of scope.
So how do you set this up? What we did, in general terms:
- We installed Trivy in our test environment (running scans consumes resources, and we don't want to burden production).
- The scanner inspects the container images and also detects vulnerabilities in the Java, Go, … libraries that reside inside them.
- It can be configured to scan every image in every namespace, on a schedule (every 24 hours, for example) and whenever there is a new deployment.
- Drawback: the operator has no UI (that's apparently only in the premium version). It produces Kubernetes objects called VulnerabilityReports. You can nonetheless build a Prometheus dashboard (and optional alerts) based on the counts. I added Prometheus alerts for High and Critical findings.
- Trivy can scan for cluster configuration issues (misconfigurations) as well. This helped us configure our Helm charts more securely.
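The reports and High/Critical thresholds from the last two points can also be processed outside Prometheus, for example from a CI job or a cron wrapper. The following is an added example, not code from the original post or from the Trivy project: a Python script that reads the output of `kubectl get vulnerabilityreports -A -o json`, uses each report's `report.summary` counts to decide whether a workload breaches a High/Critical threshold, and lists the findings that already have a fixed version so the alert is actionable. The field names (`report.summary.criticalCount`, `report.vulnerabilities[].fixedVersion`, the `trivy-operator.resource.*` labels) are assumed from the trivy-operator VulnerabilityReport schema; the embedded sample, including the CVE-0000-* identifiers, image and package names, is constructed test data and not real findings.

```python
"""Turn Trivy Operator VulnerabilityReport objects into High/Critical alerts.

Live use:  kubectl get vulnerabilityreports -A -o json | python3 vulnreport_alerts.py --stdin
Without --stdin the script runs against the constructed sample below.
"""
import json
import sys

# Thresholds: by default any Critical or High finding raises an alert.
DEFAULT_MAX_CRITICAL = 0
DEFAULT_MAX_HIGH = 0


def _sample(ns, kind, name, container, repo, tag, counts, vulns):
    """Build one constructed VulnerabilityReport in the (assumed) operator shape; test data only."""
    crit, high, med, low = counts
    return {
        "metadata": {"name": f"{kind.lower()}-{name}-{container}", "namespace": ns,
                     "labels": {"trivy-operator.resource.kind": kind,
                                "trivy-operator.resource.name": name,
                                "trivy-operator.container.name": container}},
        "report": {"artifact": {"repository": repo, "tag": tag},
                   "summary": {"criticalCount": crit, "highCount": high,
                               "mediumCount": med, "lowCount": low, "unknownCount": 0},
                   "vulnerabilities": [dict(zip(("vulnerabilityID", "severity", "resource",
                                                 "installedVersion", "fixedVersion"), v)) for v in vulns]},
    }


# Constructed sample shaped like `kubectl get vulnerabilityreports -A -o json`.
# CVE-0000-* IDs, images, packages and versions are placeholders, not real findings.
SAMPLE_REPORTS = {"apiVersion": "v1", "kind": "List", "items": [
    _sample("shop", "ReplicaSet", "shop-api-7d9f", "shop-api", "example/shop-api", "1.4.2", (1, 2, 0, 0), [
        ("CVE-0000-0001", "CRITICAL", "libexample-ssl", "1.0.1", "1.0.2"),
        ("CVE-0000-0002", "HIGH", "org.example:json-parser", "2.8", "2.9"),
        ("CVE-0000-0003", "HIGH", "libexample-zip", "0.9", ""),  # no fixed version yet
    ]),
    _sample("shop", "ReplicaSet", "shop-cache-5b1c", "cache", "example/cache", "7.0", (0, 0, 1, 0), [
        ("CVE-0000-0004", "MEDIUM", "libexample-util", "4.1", "4.2"),
    ]),
    _sample("payments", "StatefulSet", "ledger", "ledger", "example/ledger", "0.3.0", (0, 1, 0, 0), [
        ("CVE-0000-0005", "HIGH", "example-go-module", "v1.2.0", "v1.2.1"),
    ]),
]}


def workload(item):
    """Identify the scanned workload from the operator's labels, falling back to the report name."""
    meta = item["metadata"]
    labels = meta.get("labels", {})
    artifact = item["report"].get("artifact", {})
    return {
        "namespace": meta["namespace"],
        "kind": labels.get("trivy-operator.resource.kind", "?"),
        "name": labels.get("trivy-operator.resource.name", meta["name"]),
        "container": labels.get("trivy-operator.container.name", "?"),
        "image": f'{artifact.get("repository", "?")}:{artifact.get("tag", "")}',
    }


def fixable(item, severities=("CRITICAL", "HIGH")):
    """Findings at the given severities that already have a fixed version: the actionable ones."""
    return [v for v in item["report"].get("vulnerabilities", [])
            if v.get("severity") in severities and v.get("fixedVersion")]


def evaluate(report_list, max_critical=DEFAULT_MAX_CRITICAL, max_high=DEFAULT_MAX_HIGH):
    """Return one alert per workload whose summary exceeds the thresholds, worst first."""
    alerts = []
    for item in report_list.get("items", []):
        summary = item["report"].get("summary", {})
        critical = summary.get("criticalCount", 0)
        high = summary.get("highCount", 0)
        if critical <= max_critical and high <= max_high:
            continue
        alert = workload(item)
        alert.update(critical=critical, high=high, fixable=fixable(item))
        alerts.append(alert)
    alerts.sort(key=lambda a: (-a["critical"], -a["high"], a["namespace"], a["name"]))
    return alerts


def format_alert(alert):
    """One human-readable line per alert, including the upgrades that would clear it."""
    fixes = ", ".join(f'{v["resource"]} {v["installedVersion"]} -> {v["fixedVersion"]}'
                      for v in alert["fixable"]) or "none"
    return (f'{alert["namespace"]}/{alert["kind"]}/{alert["name"]} ({alert["container"]}={alert["image"]}): '
            f'critical={alert["critical"]} high={alert["high"]}; fixable: {fixes}')


def main():
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_REPORTS
    alerts = evaluate(data)
    for alert in alerts:
        print(format_alert(alert))
    sys.exit(1 if alerts else 0)  # non-zero exit lets a CI job or cron wrapper fail on findings


if __name__ == "__main__":
    main()
```

Deciding on the `report.summary` counts and only then reading the vulnerability list keeps the check cheap across many namespaces, while the fixable list separates "upgrade this package" from "no fix available yet", which is the distinction an on-call engineer needs when a High alert fires.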
For detailed instructions, visit the Trivy website. All in all, the Trivy operator can be a helpful tool in your life cycle management flow. I recommend it!