How to use Docker Security Scan Locally

Docker and Snyk recently entered into a partnership to provide container vulnerability scanning. What does this mean for you? Snyk is now integrated with Docker Hub to scan official images. Additionally, Docker has integrated the Snyk scanning directly into Docker Desktop clients.

Before the Snyk partnership, there was no easy way to scan containers for vulnerabilities locally. Instead, we had to build our application and push it to our Git repository before any vulnerability scanning could occur.

The best practice is to push Security as far left as possible. What do I mean by "Push Left"? The first time I heard this term was during a presentation at DevOpsDays Zurich by Tanya Janca, aka SheHacksPurple. The idea of pushing left is integrating Security as early in the development process as possible. The earlier we can start security checks, the cheaper and more efficient it is for the organization.

Docker Scan pushes left to the point of our local development environment. From a DevSecOps perspective, this is an outstanding achievement. We can catch Security vulnerabilities locally before pushing any code.

Figure: Tanya Janca, "Push Left"

How does Docker Scan work?

Docker 2.3.6.0 and later versions include a new command, `docker scan`. Running `docker scan` scans your local images against the Snyk security engine, giving you security visibility into your local Dockerfiles and local images.

The Snyk engine scans the images or Dockerfiles for Common Vulnerabilities and Exposures (CVEs) and provides recommendations for CVE remediations.

How to initiate a Docker Scan

From the Docker CLI, we can initiate a vulnerability scan.

  1. Ensure you have Docker version 2.3.6.0 or later installed
  2. Pull the Mongo database image for testing: `docker pull mongo:latest`
  3. Run a scan against the Mongo image: `docker scan mongo:latest`
  4. Review the results of the scan
Figure: output of `docker scan mongo:latest`

How to initiate a Docker Scan on an Image and reference a Dockerfile

What is the difference between scanning an image on its own and scanning an image while referencing its Dockerfile? Including the Dockerfile the image was built from provides even more detailed results.

  1. Clone the linux_tweet_app demo application: `git clone https://github.com/vegasbrianc/linux_tweet_app.git`
  2. Build and tag the image: `docker build -t linux_tweet_app:1.0 .`
  3. Scan the image: `docker scan linux_tweet_app:1.0`
Figure: `docker scan` output without a Dockerfile reference

Now rerun the scan, this time referencing the Dockerfile that we used to build the image.

  1. Scan the image and reference the Dockerfile: `docker scan -f Dockerfile linux_tweet_app:1.0`
Figure: `docker scan` output with a Dockerfile reference

Notice that the results now indicate which layer in the Dockerfile is responsible for which vulnerabilities.

Docker scan output options

We have a few different options for viewing the output of `docker scan`. You can view the results either in JSON format or as a dependency tree. I must admit the dependency tree is helpful for figuring out the structure of your image.
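One way to consume that JSON output in a local pre-push check, as an added example that is not part of the original post: it assumes the report shape produced by `docker scan --json` (a Snyk report with a top-level `vulnerabilities` list whose entries carry `severity`, `packageName`, `fixedIn` and, when `-f Dockerfile` was given, `dockerfileInstruction`), and it works on a constructed sample report whose ids, packages and versions are placeholders.

```python
import json
import sys
from collections import Counter

# Severities as docker scan / Snyk report them, most severe first.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample report (assumed shape of `docker scan --json`); every
# id, package and version below is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-PLACEHOLDER-1", "severity": "high", "packageName": "openssl",
         "version": "1.0-example", "fixedIn": ["1.0-example-fixed"],
         "dockerfileInstruction": "FROM debian:stable-slim"},
        {"id": "SNYK-PLACEHOLDER-2", "severity": "low", "packageName": "bash",
         "version": "5.0-example", "fixedIn": []},
        {"id": "SNYK-PLACEHOLDER-3", "severity": "medium", "packageName": "curl",
         "version": "7.0-example", "fixedIn": ["7.0-example-fixed"],
         "dockerfileInstruction": "RUN apt-get install -y curl"},
    ],
})

def summarise(report_json: str) -> dict:
    """Count findings per severity and list those that have a fixed version."""
    vulns = json.loads(report_json).get("vulnerabilities", [])
    counts = Counter(v.get("severity", "unknown") for v in vulns)
    fixable = [
        {"package": v["packageName"], "fixed_in": v["fixedIn"][0],
         # dockerfileInstruction is only present when the scan used -f Dockerfile.
         "instruction": v.get("dockerfileInstruction", "(no Dockerfile given)")}
        for v in vulns if v.get("fixedIn")
    ]
    return {"counts": dict(counts), "fixable": fixable}

def gate(report_json: str, fail_on: str = "high") -> bool:
    """Return True when no finding is at or above the fail_on severity."""
    counts = summarise(report_json)["counts"]
    blocked = SEVERITY_ORDER[: SEVERITY_ORDER.index(fail_on) + 1]
    return not any(counts.get(sev, 0) for sev in blocked)

if __name__ == "__main__":
    # Pipe a real report in (docker scan --json IMAGE | python3 scan_gate.py) or
    # run with no input to use the constructed sample; exit 1 blocks the push.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    result = summarise(data)
    for sev in SEVERITY_ORDER:
        print(f"{sev:>8}: {result['counts'].get(sev, 0)}")
    for f in result["fixable"]:
        print(f"upgrade {f['package']} to {f['fixed_in']}  [{f['instruction']}]")
    sys.exit(0 if gate(data) else 1)
```

Wired into a git pre-push hook, the non-zero exit keeps an image with high or critical findings from leaving the developer's machine, which is the "push left" point of the post.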

Docker scan summary

Pushing left will help your organization spot CVEs before they ever reach your Development or Test environments. As mentioned previously, the more we can push Security left, the more time and money we save our organization. The graph below, provided by the National Institute of Standards and Technology (NIST), shows that bugs (which also applies to vulnerabilities) found in development cost $80 to fix. In contrast, vulnerabilities that make it to production cost $7600 to fix.

Docker scan helps us push left, find, and squash vulnerabilities sooner, saving us time and money. Happy days! Now celebrate all the time and money we will be saving!

Figure: cost-to-fix graph from the NIST report "The Economic Impacts of Inadequate Infrastructure for Software Testing", May 2002
Brian Christner


Brian is a nominated member of the Docker Captain’s program and a seasoned DevOps engineer specializing in Docker, Cloud Native, DevOps, and Monitoring.
Switzerland