Scan Container Images for Vulnerabilities with Docker Scout
The security of your containers builds on a foundation formed from the images you use. If you work with an image rife with vulnerabilities, your containers will be vulnerable. On the contrary, if you build your containers on a solid foundation of secure images, those containers will be more secure by default (so long as you follow standard best practices).
Every container developer who’s spent long enough with the likes of Docker and Kubernetes understands this idea. The issue is putting it into practice. Fortunately, there are plenty of tools available for scanning images for vulnerabilities. One such tool is Docker Scout, which was released in early preview with Docker Desktop 4.17. The tool can be used either from the Docker Desktop GUI or the command line interface and offers insights into the contents of a container image.
What sets Docker Scout apart from some of the other offerings is that it not only will display CVEs but also the composition of the image (such as base image and update recommendations). In other words, anyone who depends on Docker should consider Scout a must-use.
I’m going to show you how to use Docker Scout from both the Docker Desktop GUI and the Docker command line interface.
What You’ll Need
To use Docker Scout, you’ll need Docker Desktop installed, which is available for Linux, macOS, and Windows. When you install Docker Desktop it will also install the Docker CLI tool. If you prefer the command line, I’ll first show you how to install the latest version of Docker CE (Community Edition). You’ll also need a user with sudo (or admin) privileges.
How to Install Docker CE
The first thing we’ll do is install Docker CE. I’ll demonstrate on Ubuntu Server 22.04, so if you use a different Linux distribution, you’ll need to alter the installation commands as needed.
If you’ve already installed Docker or Docker Desktop, you can skip these steps.
First, add the official Docker GPG key with the command:
|
1 |
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg |
Next, add the Docker repository:
|
1 |
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null |
Install the required dependencies with the command:
|
1 |
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release git -y |
Update apt with:
|
1 |
sudo apt-get update |
Finally, we can install the latest version of the Docker CE runtime engine:
|
1 |
sudo apt-get install docker-ce docker-ce-cli containerd.io -y |
Next, you must add your user to the docker group with the command:
|
1 |
sudo usermod -aG docker $USER |
Log out and log back in for the changes to take effect.
How to use Docker Scout from Docker Desktop
The first method I’ll demonstrate is via the Docker Desktop GUI. When you open Docker Desktop, you should see Docker Scout listed in the left navigation. Do take note the feature is currently in early access. Once early access closes, you’ll need either a Docker Pro, Team, or Business subscription to use the feature. Until then, however, the feature is free to use on Docker Desktop.
Click Docker Scout and you’ll see the Analyze Image button and a drop-down where you can select the image you want to scan. If you don’t see the image you want to scan in the drop-down, you’ll need to pull it by typing the image name in the Search field at the top of the Docker Desktop window, click the Images tab in the resulting popup, and then click Pull (Figure 1).
-
Figure 1: Pulling the official NGINX image with Docker Desktop.
Once the image is pulled, go back to Docker Scout, select the image from the drop-down, and click Analyze Image (Figure 2).
-
Figure 2: Analyzing the latest NGINX image.
Depending on the size of the image, the analysis shouldn’t take too much time. When it completes, it will report back what it finds. For example, with the nginx:latest image, it found zero vulnerabilities or other issues (Figure 3).
-
Figure 3: The nginx:latest image is clean.
On the other hand, a quick scan of the Rocky Linux minimal image comes up with 16 vulnerabilities, all of which are marked as High. After that scan, click View Packages and CVEs to reveal the detailed results. You can expand each entry to view even more results (Figure 4).
-
Figure 4: Click Fixable Packages to see what packages have issues you can easily mitigate.
How to Run Docker Scout from the CLI
If you prefer the command line, Docker Scout has you covered. Let’s examine the NGINX image. There are four main commands you can use with Docker Scout CLI, which are:
docker scout compare– Compares two images and displays the differences.docker scout cves– Displays the CVEs identified for any software artifacts in the image.docker scout quickview– Displays a quick overview of an image.docker scout recommendations– Displays all available base image updates and remediation recommendations.
Let’s run the quickview command on the latest NGINX image. That command looks like this:
|
1 |
docker scout quickview nginx:latest |
The results will reveal any CVEs found in your images, the base image, and the updated base image (Figure 5).
-
Figure 5: The quickview results for the nginx:latest image.
The results will also offer you other commands you can run on the image to get more details, such as:
|
1 2 |
docker scout cves nginx:latest docker scout recommendations nginx:latest |
I would highly recommend running the recommendations command because it gives you quite a lot of important information about the image.
And that’s the gist of using Docker Scout from both the Docker Desktop GUI and the CLI. If you’re serious about the security of your containers, you should start using this tool right away.