Container and image scanning for a platform-as-a-service system

US10997293B2 · US · B2

Patent metadata
Publication number: US-10997293-B2
Application number: US-202016749670-A
Country: US
Kind code: B2
Filing date: Jan 22, 2020
Priority date: Jan 26, 2015
Publication date: May 4, 2021
Grant date: May 4, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method of container and image scanning includes receiving, by a processing device initiating a scan process to scan containers executing functionality of multiple applications. The method further includes, for each container of the containers, identifying portions of an application image instance of the container, the portions corresponding to previously-scanned clean layers of the application image instance, scanning, by the processing device in accordance with the scan process, remaining portions of the application image instance not associated with the previously-scanned clean layers, and responsive to a clean result of the scanning of the remaining portions of the application image instance, terminating, by the processing device, the scan process for the container and allowing the container having the application image instance to execute.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: initiating, by a processing device executing a scan component of a multi-tenant Platform-as-a-Service (PaaS) system, a scan process to scan containers executing on the multi-tenant PaaS system, the containers executing functionality of multiple applications that are owned by multiple owners; for each container of the containers: identifying portions of an application image instance of the container, the portions corresponding to previously-scanned clean layers of the application image instance; scanning, by the processing device in accordance with the scan process, remaining portions of the application image instance not associated with the previously-scanned clean layers; and responsive to a clean result of the scanning of the remaining portions of the application image instance, terminating, by the processing device, the scan process for the container and allowing the container having the application image instance to execute.

2. The method of claim 1, further comprising responsive to a failure result of the scanning of a top layer of the application image instance, reporting a failure of the scan process to a monitoring component of the multi-tenant PaaS system and preventing the container having the application image instance from executing.

3. The method of claim 2, further comprising in response to the failure result, transmitting a takedown signal to one or more nodes executing the containers having the application image instance.

4. The method of claim 1, wherein the scanning to detect patterns defined by a definition file of the scan process.

5. The method of claim 4, wherein the clean result comprises no patterns detected in the layers of the container image.

6. The method of claim 1, further comprising in response to an absence of the clean result for at least one of the remaining layers: repeating the scanning for each of the at least one of the remaining layers; and storing a result of the scanning for each of the at least one of the remaining layers in a central scan store.

7. The method of claim 6, further comprising receiving, at the central scan store, at least one of other image scan results or communications from computing devices managed by entities external to the multi-tenant system.

8. The method of claim 1, wherein a result of the scanning comprises at least an identifier comprising a checksum of the scanned layer of the application image instance, an identification of the scan process, a version of a definition file used by the scan process, and the result of the scan process.

9. A system, comprising: a memory; a processing device communicably coupled to the memory, the processing device to: execute a scan component of a multi-tenant Platform-as-a-Service (PaaS) system; initiate, by the scan component, a scan process to scan containers executing on the multi-tenant PaaS system, the containers executing functionality of multiple applications that are owned by multiple owners; for each container of the containers: identify portions of an application image instance of the container, the portions corresponding to previously-scanned clean layers of the application image instance; scan, in accordance with the scan process, remaining portions of the application image instance not associated with the previously-scanned clean layers; and responsive to a clean result of the scanning of the remaining portions of the application image instance, terminate the scan process for the container and allowing the container having the application image instance to execute.

10. The system of claim 9, wherein the processing device is further to, responsive to a failure result of the scanning of a top layer of the application image instance, report a failure of the scan process to a monitoring component of the multi-tenant PaaS system and prevent the container having the application image instance from executing.

11. The system of claim 10, wherein the processing device is further to, in response to the failure result, transmit a takedown signal to one or more nodes executing the containers having the application image instance.

12. The system of claim 9, wherein the scanning to detect patterns defined by a definition file of the scan process, and wherein the clean result comprises no patterns detected in the layers of the container image.

13. The system of claim 9, wherein the processing device is further to, in response to an absence of the clean result for at least one of the remaining layers: repeat the scanning for each of the at least one of the remaining layers; and store a result of the scanning for each of the at least one of the remaining layers in a central scan store.

14. The system of claim 13, wherein the processing device is further to receive, at the central scan store, at least one of other image scan results or communications from computing devices managed by entities external to the multi-tenant system.

15. The system of claim 9, wherein a result of the scanning comprises at least an identifier comprising a checksum of the scanned layer of the application image instance, an identification of the scan process, a version of a definition file used by the scan process, and the result of the scan process.

16. A non-transitory machine-readable storage medium including instructions that, when accessed by a processing device, cause the processing device to: initiate, by the processing device executing a scan component of a multi-tenant Platform-as-a-Service (PaaS) system, a scan process to scan containers executing on the multi-tenant PaaS system, the containers executing functionality of multiple applications that are owned by multiple owners; for each container of the containers: identify portions of an application image instance of the container, the portions corresponding to previously-scanned clean layers of the application image instance; scan, by the processing device in accordance with the scan process, remaining portions of the application image instance not associated with the previously-scanned clean layers; and responsive to a clean result of the scanning of the remaining portions of the application image instance, terminate, by the processing device, the scan process for the container and allowing the container having the application image instance to execute.

17. The non-transitory machine-readable storage medium of claim 16, wherein the instructions further cause the processing device to, responsive to a failure result of the scanning of a top layer of the application image instance, report a failure of the scan process to a monitoring component of the multi-tenant PaaS system and prevent the container having the application image instance from executing.

18. The non-transitory machine-readable storage medium of claim 16, wherein the scanning to detect patterns defined by a definition file of the scan process.

19. The non-transitory machine-readable storage medium of claim 16, wherein the instructions further cause the processing device to, in response to an absence of the clean result for at least one of the remaining layers: repeat the scanning for each of the at least one of the remaining layers; and store a result of the scanning for each of the at least one of the remaining layers in a central scan store.

20. The non-transitory machine-readable storage medium of claim 16, wherein a result of the scanning comprises at least an identifier comprising a checksum of the scanned layer of the applicatio

Assignees

Red Hat Inc

Classifications

  • Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

  • G06F21/562 (primary): Static detection

  • Software deployment

  • Creating, deleting, cloning virtual machine instances

  • Hypervisor-specific management and integration aspects

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10997293B2 cover?
A method of container and image scanning includes receiving, by a processing device initiating a scan process to scan containers executing functionality of multiple applications. The method further includes, for each container of the containers, identifying portions of an application image instance of the container, the portions corresponding to previously-scanned clean layers of the applicatio…
Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/562. Mapped technology areas include Physics.
When was this patent published?
Publication date May 4, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).