Docker Scout

Fsegredo
5 min readAug 2, 2023


Docker Scout is Docker's image analysis tool, replacing the now-deprecated docker scan. As you may already know, images are made up of many layers stacked together, and the software packages embedded in those layers might have weaknesses that make your image vulnerable to attacks.

Scout can help you find those vulnerabilities, alert you, and suggest ways to make your images and your supply chain safer.

Notes:

The Docker Scout free plan gives you unlimited local image analysis and up to 3 remote repositories.

There is a 3 GB size limit on images analyzed by Docker Scout in Docker Desktop.

Docker scout flow

Let’s see this in practice

In the previous article we covered the key concepts needed to understand how Scout works; you can find it here!

To start, we’re going to use the latest BuildKit and buildx to build an image with an SBOM (Software Bill of Materials) attestation included, which lists the packages used in the image. Scout reads that SBOM instead of having to re-index the image itself.

# Base image: Debian-based Node.js 18 (Scout will later flag its packages too)
FROM node:18
WORKDIR /usr/src/app
# Copy the manifests first so the npm install layer is cached between builds
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 8080
CMD [ "node", "server.js" ]

Build with SBOM and provenance attestations attached, and push the result to Docker Hub:

docker buildx build . -t fabiosegredo/scout:1.0.2 --sbom=true --provenance=true --push

Alright, the image is built and pushed to Docker Hub. Let’s now scout it for vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

docker scout cves fabiosegredo/scout:1.0.2

Scout reports every vulnerability in the image (unfiltered), whether it comes from a package we installed or from the base image, together with the total number of vulnerabilities detected.

Structure of vulnerabilities

For each finding it gives us the vulnerability ID, the affected version range, and the fixed version, so we know exactly which upgrade mitigates it.

Let’s say we’re only responsible for the installed packages and not the base image, so we’d like to list only the vulnerabilities that aren’t inherited from the base image (option --ignore-base):

docker scout cves fabiosegredo/scout:1.0.2 --ignore-base

It went down to 2 vulnerabilities, and since the only extra package we installed was express 4.17.1, let’s update it to the fixed version 4.17.3, then build and scout the image again.

#BEFORE
},
"dependencies": {
"express": "4.17.1"
}

#AFTER
},
"dependencies": {
"express": "4.17.3"
}

We’ve now fixed the vulnerabilities related to the packages we installed.

The vulnerabilities in your base image should not be overlooked either. Scout can also help here with the command docker scout recommendations.

docker scout recommendations fabiosegredo/scout:1.0.2

It gives you some extra information about your base image and a few recommendations. Based on our Dockerfile, here’s what we got:

1- Information about the base image

2- Whether you are using an up-to-date version of that base image

3- A list of alternative base images you might consider, with their details and their vulnerability counts compared to your current base image

In this case, I received 3 recommendations, the best being the 20-slim tag.

Pros:

  • 73 fewer vulnerabilities (-67 low, -6 medium)
  • Smaller by 302 MB
  • Contains fewer packages

CI Pipelines

This feature is useful to incorporate in your CI pipelines, so that a build fails before a vulnerable image is ever promoted.

Pre-requisites:

Build your image with buildx and the --sbom flag, then scout it with --exit-code and --only-severity to specify which severities should fail the build. With --exit-code, docker scout cves returns exit code 2 when vulnerabilities matching the filter are found, which is what the CI job keys off:

docker scout cves "$IMAGE_TAG" --exit-code --only-severity critical,high
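Putting the two steps together, here is a small CI gate script as an added example (it is not part of the original article). It builds the image with an SBOM attestation, scans it with docker scout cves, and turns the exit code into a pass/fail verdict. The image name, the default severity list and the exit-code handling around a non-zero docker exit (treating a tool or registry error as a failure rather than a pass) are my own choices; only the docker flags themselves come from the article and the Scout CLI.

```shell
#!/usr/bin/env sh
# Added example: CI gate around `docker scout cves --exit-code`.
# Assumptions (not from the article): image name is passed as $1, gated
# severities default to critical,high, and any exit code other than 0 or 2
# is treated as an analysis error that must also fail the job.
set -eu

# Build and push with SBOM + provenance attestations so Scout can read the
# exact package list that was shipped in the image.
build_with_sbom() {
  image="$1"
  docker buildx build . -t "$image" --sbom=true --provenance=true --push
}

# Map the scout exit code to a verdict.
#   0 -> no CVEs at the gated severities        (pass)
#   2 -> CVEs at the gated severities were found (fail, per --exit-code)
#   * -> scout itself failed (no SBOM, registry error, ...): never let a
#        broken scan look like a clean one, so fail as well.
gate_verdict() {
  case "$1" in
    0) echo "PASS: no CVEs at or above the gated severities"; return 0 ;;
    2) echo "FAIL: CVEs at the gated severities were found";   return 1 ;;
    *) echo "ERROR: docker scout exited with code $1; analysis did not complete"; return 1 ;;
  esac
}

# Run Scout and feed its exit code to gate_verdict. The `|| rc=$?` keeps
# `set -e` from aborting before we can interpret the code.
scout_gate() {
  image="$1"
  severities="${2:-critical,high}"
  rc=0
  docker scout cves "$image" --exit-code --only-severity "$severities" || rc=$?
  gate_verdict "$rc"
}

# Usage: ./scout-gate.sh fabiosegredo/scout:1.0.2 [critical,high]
# Nothing runs when the script is sourced or invoked without arguments.
if [ "$#" -gt 0 ]; then
  build_with_sbom "$1"
  scout_gate "$1" "${2:-critical,high}"
fi
```

In a pipeline you would run this after the unit tests and before any `docker tag ... latest` or deploy step; because the verdict function fails closed on unexpected exit codes, a missing SBOM or an expired registry login cannot silently pass the gate.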

Docker Desktop

You can also analyze and view recommendations via Docker Desktop UI.

The same information we got from the CLI is presented in a more visual way, letting you navigate the layers, inspect the vulnerabilities, and follow the URL of each CVE for more in-depth details.
