Techniques for security scanning of containers executing within VMs. A virtualization system maintains container disk files that store data for containers. The container disk files are stored separate from, and not included within, virtual machine disk files that store data for the virtual machines. To scan data for any particular container, a scanning module scans the container disk file associated with the container. If a threat is found, a container scan catalog is updated to indicate this fact. A container may be disconnected from the network if identified security threats cannot be removed from the container. An entire VM may be disconnected from the network if all containers within the VM have threats that cannot be cleaned. The use of container disk files for security threat scanning allows for data for individual containers to be scanned.