DEV Community

Cover image for A First Look at Docker Scout - A Software Supply Chain Security for Developers
Ajeet Singh Raina for Docker

Posted on • Edited on • Originally published at collabnix.com

A First Look at Docker Scout - A Software Supply Chain Security for Developers

With the latest Docker Desktop 4.17 release, the Docker team introduced Docker Scout. Docker Scout is a collection of software supply chain features that appear throughout Docker user interfaces and the command line interface (CLI). These features provide detailed insights into the composition and security of container images.

How is Docker Scout different from other security tools?

There are various security tools available today in the market. While there are similarities and differences between all tools of this nature, Docker Scout stands out by offering both visibility into the dependencies called in specific layers of the images, and remediation options directly in existing developer workflows. Particularly, Advanced image analysis not only lets you analyze the vulnerabilities in your dependencies but also provides you with remediation options that help you to act quickly.

If a vulnerability is present in the base image, Docker Scout will check for any updated or patched base images and make recommendations to replace the base image. If a vulnerability is present in other layers, Docker Scout will indicate exactly where the vulnerability is introduced, and make recommendations accordingly.

Docker Scout is designed with developers in mind and integrated into Docker. With Docker Scout, spend less time searching for and fixing vulnerabilities, and more time developing your code. Docker is building Docker Scout to sit as a layer on top of the Docker ecosystem to help developers build and maintain a secure software supply chain. Right now, Docker is focussed on helping with vulnerability remediation; we think our CVE-to-package matching (using PURLs to help avoid false positives) and our SBOM-to-CVEdb matching (no need to rescan) are both nice improvements to the current Developer experience.

Image112

What problem does it solve?

  1. In-Context Remediation Recommendations
  2. Understanding your applications’ dependencies & analyzing the vulnerabilities
  3. Unified view into software composition analysis
  4. Artifactory Integration
  5. Event-driven vulnerability updates

1. In-context Remediation recommendations

Docker Scout analyzes the image contents and generates a detailed report of packages and vulnerabilities that it detects. It provides you with suggestions for how you can remediate issues discovered by the image analysis. It also allows you to get base image updates and recommended tags and digests, and filter your images on vulnerability information.

Image3

2. Understanding your applications’ dependencies & analyzing the vulnerabilities

Docker Scout helps you to understand your applications’ dependencies in each layer of your images, whether they’re in your base image or your application code. You can now assess the vulnerabilities presented in each dependency by layer, prioritized by severity.

3. Unified view into software composition analysis

With one view, your application’s direct and transitive dependencies from all layers are visible. This layer-based view not only makes remediation next steps clear, it also builds understanding of image composition.

4. Artifactory Integration

Image4

Docker Scout allows you to pull and view analysis for images from Docker Hub and Artifactory repositories. Integrating Docker Scout with JFrog Artifactory lets you run image analysis automatically on images in your Artifactory registries. This integration is made possible by a monitoring agent. The agent is a standalone service that analyzes images and uploads the result to Docker Scout. You can view the results using the Docker Scout web UI.

Image4

5. Event-driven vulnerability updates

Powered with Docker Scout, vulnerabilities are detected and surfaced on a continuous basis by the event-driven data model. When a new CVE is released, Docker Scout uses your image’s SBOM to check whether there’s a positive correlation between your image and your CVE – so your recommendations are always up to date.

Please note that Docker Scout is an early-access product, and requires a Pro, Team, or Business subscription.

Getting Started with Docker Scout

Pre-requisites

  • Docker Desktop 4.17
  • Requires a Pro, Team, or Business subscription
  • Enable Docker Scout on Docker Hub

Enabling Docker Scout on Docker Hub

  • Login to https://hub.docker.com
  • Choose the organization that contains the repository with the image(s) you want to analyse.
  • Select a repo, and open the "Settings" tab.
  • Under "Image insight settings", choose "Advanced image analysis with Docker Scout."
  • View your image analysis.

Command Line Tool for Docker Scout

Using the CLI, you can analyze images and view the analysis report in text format. You can print the results directly to stdout, or export them to a file using a structured format, such as Static Analysis Results Interchange Format (SARIF).

docker scout

Usage:  docker scout COMMAND

Command line tool for Docker Scout

Commands:
  cves        Display CVEs identified in a software artifact
  version     Show Docker Scout version information

Run 'docker scout COMMAND --help' for more information on a command.
Enter fullscreen mode Exit fullscreen mode

Checking the Version

docker scout version
version: v0.6.0 (go1.19.5 - darwin/arm64)
git commit: aabe2bfd192f7ac8cbfa4afea647b4dc41d3d30d
Enter fullscreen mode Exit fullscreen mode

Displaying CVEs identified in a Software artifact

The docker scout cves command analyzes a software artifact for vulnerabilities. The tool analyzes the provided software artifact, and generates a vulnerability report.

Usage:  docker scout cves [OPTIONS] IMAGE|DIRECTORY|ARCHIVE
Enter fullscreen mode Exit fullscreen mode

Supported Artifacts Types

The following artifact types are supported:

  • Images
  • OCI layout directories
  • Tarball archives, as created by docker save

Images

The tool analyzes the provided software artifact and generates a vulnerability report. By default, the tool expects an image reference, such as:

  • redis
  • curlimages/curl:7.87.0
  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.

Examples:

Display vulnerabilities grouped by package

docker scout cves redis
Analyzing image redis
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 144 packages
    ✗ Detected 19 vulnerable packages with a total of 56 vulnerabilities

  0C   16H    4M    1L  stdlib 1.18.2
pkg:golang/stdlib@1.18.2

    ✗ HIGH CVE-2022-30580 [Improper Control of Generation of Code ('Code Injection')]
      https://dso.docker.com/cve/CVE-2022-30580
      Affected range : >=1.18.0
                     : <1.18.3
      Fixed version  : 1.18.3
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
...
...
The image contains 19 packages with one or more vulnerabilities for a total of 50 vulnerabilities
  LOW      | 28
  MEDIUM   | 4
  HIGH     | 18
  CRITICAL | 0
Enter fullscreen mode Exit fullscreen mode

Display vulnerabilities from a docker save tarball

$ docker save redis > redis.tar
Enter fullscreen mode Exit fullscreen mode
docker scout cves --type archive redis.tar
Analyzing archive redis.tar
    ✓ Archive read
    ✓ Image stored for indexing
    ✓ Indexed 144 packages
    ✗ Detected 19 vulnerable packages with a total of 56 vulnerabilities

  0C   16H    4M    1L  stdlib 1.18.2
pkg:golang/stdlib@1.18.2

    ✗ HIGH CVE-2022-30580 [Improper Control of Generation of Code ('Code Injection')]
      https://dso.docker.com/cve/CVE-2022-30580
      Affected range : >=1.18.0
                     : <1.18.3
      Fixed version  : 1.18.3
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
....
...


The image contains 19 packages with one or more vulnerability for a total of 50 vulnerabilities
  LOW      | 28
  MEDIUM   | 4
  HIGH     | 18
  CRITICAL | 0
Enter fullscreen mode Exit fullscreen mode

Display vulnerabilities from an OCI directory

$ skopeo copy --override-os linux docker://alpine oci:redis
Enter fullscreen mode Exit fullscreen mode

The skopeo copy command you provided is used to copy container images from one container image registry to another. In this specific example, it is copying the alpine image that is built for the linux operating system from a Docker registry to an OCI image registry, and renaming it as redis.

Here is a breakdown of the command and its options:

  • skopeo copy is the command for copying container images.
  • --override-os linux specifies that the destination image should be built for the linux operating system, regardless of the source image's OS.
  • docker://alpine specifies the source container image registry (docker) and the name of the source image (alpine).
  • oci:redis specifies the destination container image registry (oci) and the new name for the copied image (redis).

In nutshell, this command will copy the alpine image to an OCI registry with the name redis, and ensure that the image is built for the linux operating system. Note that the resulting redis image may have a different size or configuration than the original alpine image, depending on the specific contents of the image and any changes made during the copy process.

skopeo copy --override-os linux docker://alpine oci:redis
Getting image source signatures
Copying blob af6eaf76a39c done
Copying config 62aab729a2 done
Writing manifest to image destination
Storing signatures
Enter fullscreen mode Exit fullscreen mode
docker scout cves --type oci-dir redis 
Analyzing OCI directory redis
    ✓ OCI directory read
    ✓ Image stored for indexing
    ✓ Indexed 19 packages
    ✓ No vulnerable package detected
Enter fullscreen mode Exit fullscreen mode

Export vulnerabilities to a SARIF JSON file

$ docker scout cves --format sarif --output redis.sarif.json redis
Enter fullscreen mode Exit fullscreen mode

References

Top comments (0)