Ever wondered how to navigate the travesties of security pitfalls, package integrities, and protection of our Docker images?
While Docker has made the developer’s life easy, there is still something crucial to take care of when we are dockerising our code.
Why? Because our container images are made up of many different layers of software, packages, and potentially other images too. And just like any software, our images are exposed to potential security threats ranging from something as simple as an outdated package to a major slip-up in an external image.
Fortunately, Docker has released a scanning tool - Docker Scout - that helps us gain insight into the contents of a container image and fix what it finds. The best part is that it can integrate with any CI pipeline we have, including GitHub Actions, CircleCI, GitLab, etc.
Let’s get started 🐳
You can watch the video here about Docker Scout.
How to use Docker Scout with Docker CLI?
Firstly, we need to have Docker installed on our system - that means installing the CLI for it and the Docker Desktop app for our OS.
Confirm the installation with this command - docker --version; if it returns a version number similar to the below image, we are good to go.
And make sure to have Docker Desktop up and running as well.
Now, check using the CLI, if Docker Scout is available in the list of commands - and it should be 🤓
Type docker scout --help and we should get the below help information -
As we can see, there are many commands available, but two of them are especially important, and we will be using them extensively -
docker scout quickview
docker scout cves
As you might have guessed, CVE stands for Common Vulnerabilities and Exposures, and this command helps us identify or “scout” for issues in our images. It does this by comparing the image contents against the huge database of recorded vulnerabilities and security issues maintained by Docker. We can see the complete list of these CVEs by visiting https://dso.docker.com/explore.
We can filter these CVEs by Image or Package or Vulnerability name if we are aware of them.
And as for the quickview command, just like the name suggests, it helps us get a quick overview of an image or package.
Let’s scout the most vulnerable image listed first - storm:latest (as can be seen on the right side of the above image). Run docker scout quickview storm
We can see that the CLI returned a nice tabular view of the details of this Docker image. There are 55 “Critical” vulnerabilities, marked in red, 123 “High”, 109 “Medium”, and 24 “Low”.
But it’s more fun to actually use Docker Scout on our own existing application, isn’t it? Here, I have opened a project folder within VS Code with the necessary Dockerfiles -
So now that we have this basic setup ready, let us first build the project with Docker.
Type the command docker build -t image_name . (the trailing dot is the build context, the directory containing the Dockerfile). Replace image_name with the name of your image; here I have used the name “mern”, as can be seen below -
Once the command is executed, we can see that all the steps we have defined in our Dockerfile are followed exactly as written - it installs Node v18 along with the required dependencies, and once this image is available, we can check it for vulnerabilities.
First, let’s run the command docker images to list all the available images on our system -
Here, we have the image “mern” available since we built it just a moment ago. And now, let’s run the command docker scout quickview mern on our image.
Aaand... Voilà! There we have it. Docker Scout has detected 2 “Critical” vulnerabilities, 3 “High”, 14 “Medium”, and 89 “Low” ones.
And now, we can run docker scout cves mern to see exactly which package or layer introduced these vulnerabilities!
There we go! Now we have in-depth details about each vulnerability, sorted by package and layer according to the contents of our image.
As you can see, the command not only gives the name of the vulnerable package, but also the “fixed” version of it, which helps us update to the latest stable, secure version.
But there are also instances where many packages or images have no fix yet even though they may have critical vulnerabilities, like so -
In such cases, rather than getting confused by the large list of vulnerabilities, we can use the --only-fixed flag with the Docker Scout command to shorten the list to the fixable ones. Here’s how to do it -
This will ONLY list the fixable vulnerabilities, i.e. the ones for which a stable/fixed version is available. In our example, openssh, mongoose, etc. all have “fixed” versions that are no longer vulnerable, so we can easily upgrade these in our project’s package manager.
And here’s how I upgraded the mongoose package vulnerability easily -
Next, we can run the same command docker build -t image_name_2 . to build a new image of the same project, and then run docker scout cves image_name_2 --only-fixed, and we will find that the list is considerably shorter than before!
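The build-then-scan loop above can be wrapped in a CI step so a pipeline fails when Scout still reports fixable issues. This script is an added example, not code from the post; it assumes docker and the scout plugin are installed, and uses the real docker scout flags --only-severity and --exit-code (exit code 2 means vulnerabilities were found), which the post itself does not show.

```shell
#!/bin/sh
# Added example, not from the post: a CI-style gate around the workflow above.
# It builds the image, then runs "docker scout cves --only-fixed" (the flag the
# post uses) restricted to Critical/High severity, and turns Scout's exit code
# into a pass/fail verdict a pipeline step can act on.
# Assumes: docker + the scout plugin are installed; --only-severity and
# --exit-code are real docker scout flags (exit code 2 = vulnerabilities found),
# though they are not shown in the post.
set -eu

# Build the image from the Dockerfile in the current directory, e.g. "mern".
build_image() {
    docker build -t "$1" .
}

# Gate verdict for one image tag:
#   0 -> no fixable Critical/High CVEs
#   1 -> Scout reported fixable Critical/High CVEs (its exit code 2)
#   2 -> the scan itself failed (plugin missing, unknown image, network, ...)
scout_gate() {
    if docker scout cves "$1" --only-fixed --only-severity critical,high --exit-code; then
        return 0
    else
        rc=$?
        case "$rc" in
            2) return 1 ;;
            *) return 2 ;;
        esac
    fi
}

# Map a gate verdict to the message the pipeline log should show.
gate_message() {
    case "$1" in
        0) echo "OK: no fixable Critical/High CVEs in $2" ;;
        1) echo "BLOCKED: $2 has fixable Critical/High CVEs, run: docker scout cves $2 --only-fixed" ;;
        *) echo "ERROR: docker scout could not scan $2" ;;
    esac
}

# Full pipeline step: build, scan, report; returns non-zero on block or error.
main() {
    build_image "$1"
    verdict=0
    scout_gate "$1" || verdict=$?
    gate_message "$verdict" "$1"
    return "$verdict"
}

# Only run when invoked with an image tag, e.g.: sh scout-gate.sh mern
[ "$#" -eq 0 ] || main "$1"
```

Because the script exits non-zero whenever fixable Critical/High CVEs remain, the same step works unchanged in GitHub Actions, CircleCI or GitLab jobs.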
How to use Docker Scout with Docker Desktop app?
Since the Docker Desktop app provides a very fluid GUI, it is much more visually pleasing for those who prefer not to use the CLI. Open the Docker app and we should be able to see the local Docker images listed like so -
And once we click on the image, which is “mern” in this case, we can see the entire list of vulnerabilities, presented similarly to the CLI but more visually -
We can even filter the list by checking the checkbox labeled “Fixable packages”, which works the same way as the --only-fixed flag we used earlier.
There is an interesting option in the Docker app which is the “Recommended Fixes” option.
Once we click on the Recommended Fixes dropdown, we can see an option for “Recommendations for base image”. Click on that, and we will get this page where Docker recommends a fix for the node base image. As we can see, the current node image is 18, but the recommended options are 20, 21, etc.
How to use this recommendation?
Well, it’s quite simple! Scroll down on that recommendation page in the app, and we will see the line below to be added to our Dockerfile. Just copy and paste it like so -
And once we have updated the node base image, we can just run the command docker build -t new_image . and we will see the new image listed among the local images in the Docker app.
And here’s the magic of Docker Scout - the number of vulnerabilities came down from 100+ to just 24 🤩 Yes, that’s the power of Docker Scout.
Your Docker image is now that much more secure, powerful, and vulnerability-free compared to your previous build!
No more banging your head against the wall trying to track down which package is breaking your app or which version fixes it; simply use Docker Scout and let the magic happen 🎉
And in case you prefer watching this in video format, I have made a detailed video on Docker Scout and its usage on my channel here - What is Docker Scout?
Please subscribe to my newsletter https://bitfumes.com/newsletters