Client: NDA Protected Technology Client

How We Blocked Vulnerable Docker Images Before Production With Trivy and OWASP

The client, a fast-growing healthcare SaaS provider serving thousands of users daily, had an application that delivered the speed and scalability the business needed, but security was slipping through the cracks. They wanted more than tools: a clear strategy and a trusted partner to take ownership of the cloud security pipeline. Their key concerns were container safety, compliance, and secure deployment of applications in Azure.

Business Challenge

A healthcare SaaS provider on Azure AKS faced critical security alerts after vulnerable Docker images reached production due to a lack of pre-deployment scanning.

Tech Stack

Azure AKS, ACR, Azure DevOps, Trivy, OWASP Dependency-Check, Azure Monitor

Blueprint

The DevOps team enhanced the Azure DevOps pipeline by embedding OWASP Dependency Check and Trivy to scan application dependencies and container images. Builds now undergo automated scans for dependencies and container images, approval gates block high-risk vulnerabilities, and Azure Monitor provides constant monitoring.

Services used: DevOps Management

The Client

A healthcare SaaS provider running its core platform on Azure Kubernetes Service has built a strong foundation for rapid growth. The system was designed for agility, delivering frequent updates to thousands of daily users.

But inside the pipeline, a critical weakness went unnoticed. With no automated security checks in place, every release carried the risk of deploying vulnerable Docker images.

The vision was clear. The process needed control.

The Challenge

Security alerts started flooding in when CrowdStrike Falcon flagged multiple high-risk vulnerabilities in production. The source was quickly identified as outdated base images and unscanned application dependencies that had made their way into Azure Container Registry and into live Kubernetes workloads.

Key issues included:

  • No image or dependency scanning before deployment
  • No automated approval gates to prevent vulnerable code from shipping
  • A reactive response process, with security tools flagging vulnerabilities only after production deployment

Why Bobcares

The critical gaps between deployment speed and security readiness showed that the client needed a partner who could deliver more than technical fixes. A team capable of embedding security deep into the CI/CD pipeline was essential to ensure every release remained clean and compliant.

Bobcares was chosen for expertise in Azure DevOps, container security, and pipeline automation. The goal was clear:

  • Integrate security scanning at every stage of the pipeline
  • Establish standardized checks for images and dependencies
  • Guarantee that no container image would reach production without a verified clean scan report

What We Delivered

Discovery & Analysis

The process began with a full audit of the Azure DevOps pipelines, reviewing build and release stages for both backend and frontend workloads. Every build step, every dependency, every image path was mapped to uncover weak points and risks.

Designing the Framework

Trivy was selected for image and infrastructure scanning and OWASP Dependency-Check for application-level vulnerabilities. Together, these tools delivered full coverage across code, images, and configurations.

Building the Pipeline

  • Pre-build scans checked application dependencies, automatically blocking builds if high-severity CVEs were found
  • Post-build scans analyzed the Docker image, ensuring updated secure base images were always used
  • Scan reports were generated, archived in Azure Blob Storage, and integrated into monitoring dashboards
  • Approval gates ensured no build could advance to production without a clean report
  • Weekly summaries were delivered to both DevOps and security teams, keeping everyone aligned
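The pipeline steps above, as an added Azure Pipelines illustration (not the client's actual pipeline). It assumes trivy and dependency-check.sh are installed on the build agent, and that 'acr-connection' and 'myregistry.azurecr.io' are the ACR service connection and login server; the image name is also assumed.

```yaml
# Added illustration, not the client's actual pipeline. Assumes trivy and
# dependency-check.sh are installed on the agent, and that 'acr-connection'
# and 'myregistry.azurecr.io' are the ACR service connection and login server.
variables:
  imageName: healthapp
  acrService: acr-connection
  acrLoginServer: myregistry.azurecr.io
  reportDir: $(Build.ArtifactStagingDirectory)/reports
stages:
- stage: Scan_and_Build
  jobs:
  - job: Build
    pool:
      vmImage: ubuntu-latest
    steps:
    # Pre-build gate: --failOnCVSS 7 exits non-zero on any HIGH/CRITICAL CVE,
    # so the build stops before an image is ever produced.
    - script: |
        set -euo pipefail
        mkdir -p "$(reportDir)"
        dependency-check.sh --project "$(imageName)" --scan . \
          --format JSON --out "$(reportDir)" --failOnCVSS 7
      displayName: 'Pre-build: OWASP Dependency-Check'
    - task: Docker@2
      inputs:
        command: build
        containerRegistry: $(acrService)
        repository: $(imageName)
        tags: $(Build.BuildId)
    # Post-build gate: --exit-code 1 fails the step on HIGH/CRITICAL findings,
    # so an unclean image is never pushed to ACR.
    - script: |
        set -euo pipefail
        trivy image --exit-code 1 --severity HIGH,CRITICAL \
          --format json --output "$(reportDir)/trivy.json" \
          "$(acrLoginServer)/$(imageName):$(Build.BuildId)"
      displayName: 'Post-build: Trivy image scan'
    # Archive both reports even when a gate failed, so the finding is reviewable.
    - task: PublishBuildArtifacts@1
      condition: always()
      inputs:
        PathtoPublish: $(reportDir)
        ArtifactName: security-reports
    # Reached only when both scans passed; pushes the tag that was scanned.
    - task: Docker@2
      inputs:
        command: push
        containerRegistry: $(acrService)
        repository: $(imageName)
        tags: $(Build.BuildId)
```

Adding --ignore-unfixed to the Trivy step limits the gate to findings that a base-image update can actually clear, which avoids every build being blocked by CVEs with no available fix. The manual approvals in UAT and PROD are configured as Azure DevOps environment approvals on the deployment stage that consumes this image.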

The Launch

In just two weeks, the new security pipeline went live. Builds flowed smoothly, timelines stayed on track, and for the first time, production deployments passed without a single CrowdStrike alert. To strengthen the process further, developers were trained to run local scans before committing code, minimizing disruptions during builds.

The Results

Metric                                   Before                          After
---------------------------------------  ------------------------------  ------------------------------------------
Vulnerabilities detected in production   Yes                             Zero
Deployment approval process              Manual & reactive               Dev ENV automated; manual in UAT & PROD
Time to detect vulnerabilities           Post-deployment (hours/days)    Pre-deployment (minutes)
Security tool coverage                   None pre-deployment             100% of builds scanned

The Business Impact

With security checks embedded directly into the workflow, the results were clear:

  • Zero vulnerabilities flagged post-deployment
  • Instant detection of high-risk CVEs in minutes, not days
  • Automated approval workflows across environments
  • Complete visibility through centralized Azure dashboards
  • A development team educated and engaged in maintaining secure pipelines

What’s Next

The next phase focuses on strengthening security coverage across the entire environment. The plan includes integrating Trivy’s Kubernetes cluster scanning for real-time monitoring of AKS workloads, extending vulnerability checks to Infrastructure-as-Code templates such as ARM, Bicep, and Terraform, and implementing Dependabot to automate library updates alongside OWASP checks for continuous protection.

Where It Comes Together

This was about building a secure, repeatable process that supports growth without sacrificing control. Bobcares delivered clear visibility, predictable pipelines, and a foundation trusted for every future deployment.