Vulnerability scanning for Docker
Today we use Docker a lot. It lets developers package an application into a container: a standardized executable unit that bundles the application code with the OS libraries and dependencies it needs, so the code runs the same way in any environment. We build an image and hand it to others, but how sure are we that the image is secure enough and free of known vulnerabilities?
Suppose an image with many vulnerabilities is running in your production system. An attacker can find those weaknesses and exploit them easily, so identifying the vulnerabilities in your images is an important part of securing your system.
Vulnerability scanning
Vulnerability scanning is the process of identifying security weaknesses and flaws in a system. It is an integral part of a vulnerability management program, whose goal is to protect the organization from data breaches.
Vulnerability scanning of local Docker images lets teams review the security state of their container images and fix the issues the scan identifies.
Docker scan runs on the Snyk engine. It gives users visibility into the security state of their Dockerfiles and images: users trigger a vulnerability scan from the CLI and view the results there. The results list the known vulnerabilities found in the packages inside the image, identified by their Common Vulnerabilities and Exposures (CVE) IDs where one exists. (Docker has since deprecated the docker scan plugin in favour of docker scout, but the workflow described here applies to any image scanner.)
I recommend upgrading to the latest version of the docker scan plugin.
Let's check the options available for docker scan using the --help flag.
docker scan --help
Usage: docker scan [OPTIONS] IMAGE
A tool to scan your images
Options:
--accept-license Accept using a third party scanning provider
--dependency-tree Show dependency tree with scan results
--exclude-base Exclude base image from vulnerability scanning (requires --file)
-f, --file string Dockerfile associated with image, provides more detailed results
--group-issues Aggregate duplicated vulnerabilities and group them to a single one (requires --json)
--json Output results in JSON format
--login Authenticate to the scan provider using an optional token (with --token), or web base token if empty
--reject-license Reject using a third party scanning provider
--severity string Only report vulnerabilities of provided level or higher (low|medium|high)
--token string Authentication token to login to the third party scanning provider
--version Display version of the scan plugin
These are all the options available with docker scan. Now check the installed version with the command below.
docker scan --accept-license --version
If your version is earlier than v0.11.0, docker scan cannot detect the Log4j 2 vulnerability CVE-2021-44228 (Log4Shell), because detection for it was added in v0.11.0. Update Docker Desktop to 4.3.1 or later, which ships docker scan v0.11.0. More generally, a scanner only knows the vulnerabilities in its database at the time it runs, so keep the plugin current and treat a clean result as valid only for that moment.
How to scan
You can run docker scan by passing it just the image name (docker scan IMAGE, as in the usage line above).
The command prints a report of the findings to the terminal.
Scan images during Development and Production
Building an image from a Dockerfile, or rebuilding it later, can introduce new vulnerabilities (a newer base image, updated packages), so scanning the image during development should be a normal part of the workflow. This is easy to automate as a gate in the pipeline:
image_building ==> docker scan image ==> Push to dockerhub/private registry
For production systems, new vulnerabilities are disclosed in packages that are already deployed, so an image that scanned clean yesterday can fail today. Whenever a notable vulnerability is announced, re-running the scan is the quickest way to find out whether your system is affected, and scanning the images behind your running containers periodically is a good practice in any case.
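As an added example (not code from the original post), here is one way to wire the build, scan and push steps above into a single POSIX shell script that also covers the periodic re-scan of production images just described. It assumes that docker scan exits non-zero when it reports vulnerabilities at or above the requested --severity (the Snyk convention), that docker scan --accept-license --version prints a line containing the dotted plugin version, and that the docker binary can be swapped through a DOCKER variable; the function names (scan_gate, rescan_running, version_ge, scan_version) and the SEVERITY and MIN_SCAN_VERSION settings are this example's own, not part of the docker scan tool.

```shell
#!/bin/sh
# scan_gate.sh -- added example, not from the original post.
# Gate an image push on a docker scan result (CI), and re-scan the images
# behind running containers (cron). Assumptions, not stated on the page:
#   - `docker scan` exits non-zero when it reports vulnerabilities at or
#     above --severity (Snyk convention), and 0 when the image is clean;
#   - `docker scan --accept-license --version` prints a line such as
#     "Version:    v0.17.0" (the first dotted version in the output is used);
#   - DOCKER can be pointed at another binary or a shell function, which is
#     how the example is exercised without a Docker daemon.
: "${DOCKER:=docker}"
: "${SEVERITY:=high}"               # lowest severity that blocks a push
: "${MIN_SCAN_VERSION:=v0.11.0}"    # first docker scan able to see CVE-2021-44228

# version_ge A B: succeed when dotted version A is >= B (MAJOR.MINOR.PATCH).
version_ge() {
    printf '%s\n%s\n' "${1#v}" "${2#v}" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 {
            for (i = 1; i <= 3; i++) {
                if ($i + 0 > a[i]) exit 1   # B is newer than A
                if ($i + 0 < a[i]) exit 0   # A is newer than B
            }
            exit 0                          # equal
        }'
}

# scan_version: print the installed docker scan plugin version, e.g. v0.17.0.
scan_version() {
    "$DOCKER" scan --accept-license --version 2>/dev/null \
        | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# scan_gate IMAGE [DOCKERFILE]: build, scan, and push only on a clean scan.
# Exit status: 0 pushed, 1 build failed or vulnerabilities found,
# 2 scanner too old to be trusted.
scan_gate() {
    image=$1
    dockerfile=${2:-Dockerfile}

    ver=$(scan_version) || ver=""
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_SCAN_VERSION"; then
        echo "docker scan '$ver' is older than $MIN_SCAN_VERSION; refusing to trust its results" >&2
        return 2
    fi

    "$DOCKER" build -t "$image" -f "$dockerfile" . || return 1

    # -f hands the scanner the Dockerfile so it can attribute findings to layers.
    if ! "$DOCKER" scan --accept-license --severity "$SEVERITY" -f "$dockerfile" "$image"; then
        echo "$image has $SEVERITY or worse vulnerabilities; not pushing" >&2
        return 1
    fi
    "$DOCKER" push "$image"
}

# rescan_running: re-scan every image behind a running container.
# Scanner output goes to stderr; the names of failing images go to stdout,
# so a cron job can mail or alert on them. Exit status 1 if any image fails.
rescan_running() {
    failed=""
    for img in $("$DOCKER" ps --format '{{.Image}}' | sort -u); do
        "$DOCKER" scan --accept-license --severity "$SEVERITY" "$img" 1>&2 \
            || failed="$failed $img"
    done
    [ -n "$failed" ] || return 0
    printf '%s\n' $failed       # unquoted on purpose: one image name per line
    return 1
}

# Usage:  sh scan_gate.sh myrepo/app:1.2.3 ./Dockerfile   (CI gate)
#         sh scan_gate.sh rescan                          (e.g. daily from cron)
case "${1:-}" in
    '')     ;;                  # no arguments: only define the functions
    rescan) rescan_running ;;
    *)      scan_gate "$@" ;;
esac
```

The push happens only when the scanner is at least v0.11.0 and reports nothing at or above the chosen severity, so a CI job can use the script's exit status directly. Run the rescan mode from cron so images already in production are re-checked against the scanner's current database, not the one that was current when they were built.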
Ending thoughts
Building secure images is a continuous process. Follow the best practices for building efficient, scalable and secure images. Start with the base image, and always choose images from official or verified publishers, because with an unknown image you don't know what's inside it.
Note: If this helped you and you want to learn more about DevOps, I recommend joining the Kodecloud DevOps course and following the complete certification path via this link.