Docker and Snyk recently entered into a partnership to provide container vulnerability scanning. What does this mean for you? Snyk is now integrated with Docker Hub to scan official images. Additionally, Docker has integrated the Snyk scanning directly into Docker Desktop clients.
Previous to the Snyk partnership, we had no easy way to scan container vulnerabilities locally. Instead, we had to build our application and already push it to our Git repository for the vulnerability scanning to occur.
The best practice is to push Security as far left as possible. What do I mean by "Push Left"? The first time I heard this term was during a presentation at DevOpsDay Zurich by Tanja Janca, aka SheHacksPurple. The idea of pushing left is integrating Security as early in the development process as possible. The earlier we can start security checks, the cheaper and more efficient it is for the organization.
Docker Scan pushes left to the point of our local development environment. From a DevSecOps perspective, this is an outstanding achievement. We can catch Security vulnerabilities locally before pushing any code.
How does Docker Scan work?
Docker included a new command in 22.214.171.124 or later versions called
docker scan. When running the `docker scan` command, scans local images against the Snyk security engine, providing you with security visibility into your local Dockerfiles and local images.
The Snyk engine scans the images or Dockerfiles for Common Vulnerabilities and Exposures (CVEs) and provides recommendations for CVE remediations.
How to initiate a Docker Scan
From the Docker CLI, we can initiate a vulnerability scan.
- Ensure you have Docker version 126.96.36.199 or later installed
- Pull a the Mongo Database image for testing
docker pull mongo:latest
- Run a scan against the Mongo image
docker scan mongo:latest
- Review the results of the scan
How to initiate a Docker Scan on an Image and reference a Dockerfile
What is the difference between scanning an image and scanning an image and referencing a Dockerfile? When including the Dockerfile associated with the image provides even more detailed results.
- Clone the linux_tweet_app demo application
git clone https://github.com/vegasbrianc/linux_tweet_app.git
- Build and tag the image:
docker build -t linux_tweet_app:1.0 .
- Scan the image:
docker scan linux_twee_app:1.0
Now, rerun the scan this time, referencing the Dockerfile that we built with the image.
- Scan the image and reference the Dockerfile:
docker scan -f Dockerfile linux_tweet_app:1.0
Notice that the results now indicate which layer in the Dockerfile is responsible for which vulnerabilities.
Docker scan output options
We have a few different options regarding viewing the output of the docker scan. You can view the results in either JSON format or as a dependency tree. I must admit the dependency tree is beneficial in figuring out the structure of your image.
Docker scan summary
Pushing left will help your organization spot CVE's before they ever hit your Development or Test environments. As mentioned previously, the more we can push Security left, the more time and money we save our organization. The graph below provided by the National Institute of Standards and Technology says bugs (which also applies to vulnerabilities) found in development cost $80 to fix. In contrast, vulnerabilities that make it to production cost $7600 to fix.
Docker scan helps us push left, find, and squash vulnerabilities sooner, saving us time and money. Happy days! Now celebrate all the time and money we will be saving!