Docker Desktop with Snyk and new Docker Vulnerability Cheat Sheet available
Following hot on the heels of our release of container scanning in Docker Hub and our big SnykCon announcement of Snyk becoming the official security provider for Docker’s own Official Images, today we’re pleased to announce that the Docker and Snyk integration in Docker Desktop has graduated to the Docker Desktop Stable release, opening up the ability to scan and fix container issues for millions of Docker users!
With this release, all Docker Desktop users can use the new `docker scan` command to analyze their container images on their desktop. Paired with the scanning capabilities we’ve also built into Docker Hub, this provides a simple inner loop for container security testing that also enables teams to confidently share images with each other and stay on top of container vulnerabilities. The new feature is available in today’s Docker Desktop release for both Windows and macOS!
To help you get started, we’ve prepared a few resources, including our Docker CLI Cheat Sheet.
Snyk security embedded in Docker Desktop
The integration between Snyk and Docker puts developer-focused container security scanning directly in your Docker tools. With it, you can now scan containers for vulnerabilities immediately after your build, straight from Docker Desktop, using a simple command:
docker scan <image-name>
This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to Docker Hub or other registries you may use.
The Snyk-powered vulnerability scans are a little different than what you might be used to seeing from other vulnerability scans. Aside from simply listing all the issues, Snyk’s goal is to guide developers toward action:
- By including the Dockerfile along with the image through the --file <path/to/Dockerfile> option, the results from docker scan include details on how to select a more recent and/or smaller base image with fewer vulnerabilities.
- In addition, vulnerabilities are mapped to the Dockerfile instruction that introduced them, along with the relevant dependencies needed to track down an issue and take care of it.
Choosing a secure base image
In the example below, we used docker scan to scan an image and passed the Dockerfile to the scan. In the video, we’ve highlighted the base image recommendations. In many cases, selecting a more secure base image is the simplest fix with the highest security impact.
Finding and fixing container vulnerabilities in user layers
Once you make a decision about the best base image for your use case, you might want to ignore issues that are from the base image so you can focus on vulnerabilities you’re introducing in your own container layers. There is a very simple option to do just that:
docker scan <image_name:tag> --file path/to/Dockerfile --exclude-base
The --exclude-base option ignores any vulnerabilities coming from the base image so you can focus on the other layers of the container image.
Advanced filtering options
Want to get fancier? The docker scan command can produce JSON formatted results, so you can filter the details in just about any manner you’d like. For example, instead of the result above, where you get a listing of each vulnerability, maybe you just want a list of the Dockerfile instructions that are introducing vulnerabilities? Try this:
docker scan my-image:tag --file path/to/Dockerfile --exclude-base --json | jq '[.vulnerabilities[].dockerfileInstruction] | unique'
[
  "RUN apt-get update && apt-get install -y git vim sqlite3 && rm -rf /var/lib/apt/lists/*"
]
That command drops all the base image vulnerabilities and emits JSON output (--exclude-base --json), then uses the separate jq tool to pull the Dockerfile instruction out of each vulnerability and keep only the unique values, so you see just the instructions that need attention. Of course, there’s much more you can do with filtering options; for more ideas, the Docker CLI Cheat Sheet is a handy resource.
Scanning your code, scanning running containers in clusters, and securing your workload configurations
Securing the container is just one part of the full security picture for today’s applications, and that’s where the full functionality of Snyk shines. Signing up for a free Snyk account gives you additional features beyond container vulnerability scanning. With a Snyk account, you can extend your scanning scope beyond security issues in your containers:
- Scan your applications’ open source dependencies for security and license compliance issues.
- Analyze your containers as they’re launched in Kubernetes clusters for security and configuration risks, and automatically monitor your images over time so that, as new container vulnerabilities are disclosed, you know whether your production workloads are at risk.
- Check Kubernetes YAML, Terraform deployment definitions, and Helm charts for insecure configurations.
- Integrate Snyk into SDLC stages between Docker Desktop and Hub, including your SCM repositories and CI/CD pipelines.
There is a free usage tier available when you sign up with Snyk so you can try our functionality.
Learn more about Docker Desktop, powered by Snyk
Snyk recently wrapped up our first SnykCon user event, which Docker sponsored. You can watch “Securing Containers Directly from Docker Desktop” with Justin Cormack, Docker security lead, and Danielle Inbar, Snyk product manager.