Docker security scanning

Docker security scanning cheatsheet 2021

Docker has an enormous worldwide user base, recently surpassing 10 million users and 242 billion image pulls, and it has changed the way applications are built.

With the accelerated development velocity that containerization enables, additional security responsibilities are shifting to developers, who now need to maintain container images in addition to their code. That’s why a developer-friendly Snyk integration with Docker is invaluable in today’s security landscape.

At SnykCon 2020, we announced the integration of Snyk-powered container scanning in the latest version of Docker Desktop. This followed our news that Snyk would become the security provider for Docker’s Official Images and that Snyk security scanning would be integrated directly into Docker Hub.

We’ve created a Docker Vulnerability Scanning CLI cheatsheet, to help you get started scanning your container images with Docker Desktop and Snyk, and below we have a few tips to get you started.


Step 1: make sure your version of Docker Desktop is up to date

Docker Desktop has included Snyk’s scanning capabilities for a few months now, but in case you haven’t updated in a while or you aren’t sure if you have the Snyk components, here’s how you can check.

Via the CLI: the docker scan command will be available.

$ docker scan --help
Usage: docker scan [OPTIONS] IMAGE

A tool to scan your images

Docker Desktop “About”: if you see the little Snyk icon and version info, you’re all set.

Step 2: get logged in!

To start scanning, you need to have a Docker ID and be logged in via Docker Desktop. You’ll get 10 free container image tests per month, but you can get 200 scans per month if you log in to Snyk as well. The Snyk login is integrated with your Docker ID, so even if you don’t currently have a Snyk account, it’s simple to get going.

$ docker scan --login

If you want to authenticate with an API token instead, include the --token flag with your token as the flag argument. You can find your Snyk API token under Settings > Service Accounts in the Snyk console.

Signing up for Snyk also unlocks additional open source security scanning features for your dependencies, configuration files, and more. See our recent talk about how Snyk integrates throughout the entire software development lifecycle (SDLC), including integrated developer environments (IDEs), source code management (SCM), continuous integration and continuous development (CI/CD) platforms, and more.

Step 3a: Docker scan your first container image

With the basic docker scan myapp:mytag command, you can scan a single Docker image for vulnerabilities. A number of additional flags, detailed below, produce more granular results.

Step 3b: scan your image along with your Dockerfile

The --file path/to/Dockerfile option is one of the most generally useful options. By including the Dockerfile you get base image upgrade recommendations for Docker Official base images, and each vulnerability is mapped to the Dockerfile instruction that introduced it.

Step 4: filter your scan results

The --exclude-base flag, which must be used together with the --file flag, ignores any vulnerabilities that originate from the base image so you can focus on remediating issues within your own container image.

The --dependency-tree flag will include a package dependency tree along with the vulnerability scan results to make tracking down the source of issues even easier.

The --json flag outputs the scan results as JSON instead of the default report. With the jq tool, you can then parse and filter the JSON results based on the following keys:

  • packageName: name of the top-level package
  • severity: rating based on the Common Vulnerability Scoring System (CVSS)
  • id: identifier within Snyk’s vulnerability database
  • name: name of the vulnerable binary
  • version: version installed in the container image
  • nearestFixedInVersion: minimum version required to remediate the vulnerability
  • dockerfileInstruction: Dockerfile line that introduced the vulnerable package
  • dockerBaseImage: parent image that was detected
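Steps 3 and 4 together describe a triage workflow: scan with the Dockerfile attached, then narrow the JSON output by severity, drop base-image findings, and group what remains by the Dockerfile instruction that introduced it. The script below is an added example of that workflow in Python rather than jq; it is not part of the original post or of the docker scan tool. The scan output it consumes is a constructed sample, and the shape (a top-level "vulnerabilities" list whose entries carry the keys listed above) and the rule for recognising a base-image finding (its dockerfileInstruction is the FROM line) are assumptions, not a documented contract of docker scan --json.

```python
"""Triage constructed `docker scan --json --file Dockerfile myapp:mytag` output.

Added example, not from the original post. The JSON shape and the FROM-line
heuristic for base-image findings are assumptions about docker scan output.
"""
import json
from collections import Counter, defaultdict

# CVSS-style severity ladder used by Snyk reports, lowest first.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample standing in for real scan output; ids and packages are fake.
SAMPLE_SCAN_JSON = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "packageName": "libexample-a", "name": "libexample-a",
         "version": "1.0.0", "nearestFixedInVersion": "1.0.1", "severity": "high",
         "dockerfileInstruction": "FROM node:14", "dockerBaseImage": "node:14"},
        {"id": "SNYK-EXAMPLE-0002", "packageName": "libexample-b", "name": "libexample-b",
         "version": "2.2.0", "nearestFixedInVersion": "2.3.0", "severity": "high",
         "dockerfileInstruction": "RUN apt-get install -y libexample-b", "dockerBaseImage": "node:14"},
        {"id": "SNYK-EXAMPLE-0003", "packageName": "libexample-b", "name": "libexample-b",
         "version": "2.2.0", "nearestFixedInVersion": None, "severity": "medium",
         "dockerfileInstruction": "RUN apt-get install -y libexample-b", "dockerBaseImage": "node:14"},
        {"id": "SNYK-EXAMPLE-0004", "packageName": "libexample-c", "name": "libexample-c",
         "version": "0.4.0", "nearestFixedInVersion": None, "severity": "critical",
         "dockerfileInstruction": "FROM node:14", "dockerBaseImage": "node:14"},
        {"id": "SNYK-EXAMPLE-0005", "packageName": "example-js", "name": "example-js",
         "version": "0.9.0", "nearestFixedInVersion": "0.9.2", "severity": "low",
         "dockerfileInstruction": "RUN npm install", "dockerBaseImage": "node:14"},
    ]
})


def load_vulns(raw_json):
    """Parse scan output and return the list of findings (empty if none)."""
    return json.loads(raw_json).get("vulnerabilities", [])


def is_base_image_finding(vuln):
    """Assumption: a finding introduced by the FROM line came from the base image."""
    return vuln.get("dockerfileInstruction", "").startswith("FROM ")


def filter_vulns(vulns, min_severity="medium", exclude_base=False):
    """Keep findings at or above min_severity; exclude_base mirrors --exclude-base."""
    floor = SEVERITY_ORDER[min_severity]
    kept = []
    for vuln in vulns:
        if SEVERITY_ORDER.get(vuln.get("severity", "low"), 0) < floor:
            continue
        if exclude_base and is_base_image_finding(vuln):
            continue
        kept.append(vuln)
    return kept


def group_by_instruction(vulns):
    """Map each Dockerfile instruction to the ids of the findings it introduced."""
    groups = defaultdict(list)
    for vuln in vulns:
        groups[vuln.get("dockerfileInstruction", "<unknown>")].append(vuln["id"])
    return dict(groups)


def fix_available(vulns):
    """Findings with a nearestFixedInVersion, i.e. the ones an upgrade can close today."""
    return [vuln for vuln in vulns if vuln.get("nearestFixedInVersion")]


def severity_counts(vulns):
    """Count findings per severity for a quick summary line."""
    return dict(Counter(vuln.get("severity", "low") for vuln in vulns))


if __name__ == "__main__":
    all_vulns = load_vulns(SAMPLE_SCAN_JSON)
    print("totals:", severity_counts(all_vulns))
    own = filter_vulns(all_vulns, "medium", exclude_base=True)
    print("medium+ in our own layers (--exclude-base style):")
    for instruction, ids in group_by_instruction(own).items():
        print(f"  {instruction}: {', '.join(ids)}")
    print("fixable by upgrading:", [v["id"] for v in fix_available(all_vulns)])
```

The same views are reachable with jq on real output (for example filtering on .vulnerabilities[] by .severity), but grouping by dockerfileInstruction and splitting fixable from unfixed findings is what turns a long scan report into a short remediation list, which is the point of the --file and --exclude-base flags.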

The steps above will get you started with container security, but if you want a handy reminder and more examples, the Docker CLI cheatsheet is your best reference guide. The Docker container scanning CLI is a simple yet powerful tool for detecting and remediating vulnerabilities early in the development process. This Docker-native solution can be run immediately after you build, so that issues are resolved before the image is even pushed to Docker Hub. If you have questions or you’ve come up with a clever use case, we’d love to hear from you on the Snyk Community site.