Docker and Snyk recently entered into a partnership to provide container vulnerability scanning. What does this mean for you? Snyk is now integrated with Docker Hub to scan official images. Additionally, Docker has integrated the Snyk scanning directly into Docker Desktop clients.

Previous to the Snyk partnership, we had no easy way to scan container vulnerabilities locally. Instead, we had to build our application and already push it to our Git repository for the vulnerability scanning to occur.

The best practice is to push Security as far left as possible. What do I mean by "Push Left"? The first time I heard this term was during a presentation at DevOpsDay Zurich by Tanja Janca, aka SheHacksPurple. The idea of pushing left is integrating Security as early in the development process as possible. The earlier we can start security checks, the cheaper and more efficient it is for the organization.

Docker Scan pushes left to the point of our local development environment. From a DevSecOps perspective, this is an outstanding achievement. We can catch Security vulnerabilities locally before pushing any code.

How does Docker Scan work?

Docker included a new command in 2.3.6.0 or later versions called docker scan. When running the `docker scan` command, scans local images against the Snyk security engine, providing you with security visibility into your local Dockerfiles and local images.

The Snyk engine scans the images or Dockerfiles for Common Vulnerabilities and Exposures (CVEs) and provides recommendations for CVE remediations.

How to initiate a Docker Scan

From the Docker CLI, we can initiate a vulnerability scan.

1. Ensure you have Docker version 2.3.6.0 or later installed
2. Pull a the Mongo Database image for testing docker pull mongo:latest
3. Run a scan against the Mongo image docker scan mongo:latest
4. Review the results of the scan

How to initiate a Docker Scan on an Image and reference a Dockerfile

What is the difference between scanning an image and scanning an image and referencing a Dockerfile? When including the Dockerfile associated with the image provides even more detailed results.

1. Clone the linux_tweet_app demo application git clone https://github.com/vegasbrianc/linux_tweet_app.git
2. Build and tag the image: docker build -t linux_tweet_app:1.0 .
3. Scan the image: docker scan linux_twee_app:1.0

Now, rerun the scan this time, referencing the Dockerfile that we built with the image.

1. Scan the image and reference the Dockerfile: docker scan -f Dockerfile linux_tweet_app:1.0

Notice that the results now indicate which layer in the Dockerfile is responsible for which vulnerabilities.

Docker scan output options

We have a few different options regarding viewing the output of the docker scan. You can view the results in either JSON format or as a dependency tree. I must admit the dependency tree is beneficial in figuring out the structure of your image.

Docker scan summary

Pushing left will help your organization spot CVE's before they ever hit your Development or Test environments. As mentioned previously, the more we can push Security left, the more time and money we save our organization. The graph below provided by the National Institute of Standards and Technology says bugs (which also applies to vulnerabilities) found in development cost $80 to fix. In contrast, vulnerabilities that make it to production cost $7600 to fix.

Docker scan helps us push left, find, and squash vulnerabilities sooner, saving us time and money. Happy days! Now celebrate all the time and money we will be saving!

FAQ: How to Use Docker Scan

1. What is Docker Scan and why should I use it?

Docker Scan is a tool integrated with Docker to help identify security vulnerabilities in your Docker images. Using Docker Scan helps ensure your applications are secure by detecting potential risks early in the development process.

2. How do I install Docker Scan?

Docker Scan is included with Docker Desktop starting from version 20.10. Simply update to the latest version of Docker Desktop to get Docker Scan. For CLI users, ensure you have the latest Docker CLI version to access Docker Scan.

3. How do I use Docker Scan to analyze an image?

To analyze a Docker image, use the command docker scan <image_name>. This will initiate a scan and provide a detailed report on any vulnerabilities found in the image, along with recommendations for remediation.

4. What types of vulnerabilities can Docker Scan detect?

Docker Scan can detect various types of vulnerabilities, including those related to outdated software packages, insecure configurations, and potential exploit paths. It leverages the Snyk vulnerability database to provide up-to-date and comprehensive security information.

5. How can I improve my Docker image security based on scan results?

To improve Docker image security, follow the recommendations provided in the Docker Scan report. This may include updating software packages, removing unnecessary components, and following best practices for Docker image creation and maintenance.

Follow me

If you liked this article, Follow Me on Twitter to stay updated!