A method of container and image scanning includes receiving, by a processing device executing a node of a multi-tenant Platform-as-a-Service (PaaS) system, a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system, installing, by the processing device, the pluggable scan process at the node, scanning, by the processing device via the pluggable scan process at the node, a top layer of an application image instance used to launch a container at the node without scanning remaining layers of the application image instance, and in response to the scanning generating a clean result, terminating, by the processing device, the pluggable scan process for the container.