Scanning ARM container images with Snyk
October 1, 2020
0 mins readARM-based systems are increasingly popular amongst developers, for edge and IoT use cases as well as some server uses with the likes of the AWS Graviton Amazon EC2 instances. Docker provides an increasingly flexible toolset for building container images for multiple architectures. But how do you know those images are secure?
Helping ARM developers secure their containers
Snyk today supports scanning Docker images built for ARM (or, in fact, any other platform). If the tag in question is only built for ARM then it’s as simple as just pointing the Snyk CLI at the image as normal:
snyk container test arm64v8/debian
But some Docker images support multiple platforms, using manifest lists. You can see more about how these are built and published from Docker.
When you have an image like the one above, you can specify the platform you want to test explicitly using the --platform
flag. Here’s an example of using that to test the debian image from Docker Hub:
$ snyk container test --platform=linux/arm64 debian
…
✗ Medium severity vulnerability found in gcc-8/libstdc++6
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
Introduced through: gcc-8/libstdc++6@8.3.0-6, apt@1.8.2.1, meta-common-packages@meta
From: gcc-8/libstdc++6@8.3.0-6
From: apt@1.8.2.1 > gcc-8/libstdc++6@8.3.0-6
From: apt@1.8.2.1 > apt/libapt-pkg5.0@1.8.2.1 > gcc-8/libstdc++6@8.3.0-6
and 2 more...
✗ High severity vulnerability found in gnutls28/libgnutls30
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-609778
Introduced through: gnutls28/libgnutls30@3.6.7-4+deb10u5, apt@1.8.2.1
From: gnutls28/libgnutls30@3.6.7-4+deb10u5
From: apt@1.8.2.1 > gnutls28/libgnutls30@3.6.7-4+deb10u5
Organization: garethr
Package manager: deb
Project name: docker-image|debian
Docker image: debian
Licenses: enabled
Tested 92 dependencies for known issues, found 54 issues.
Using platform information in Snyk
The information about the platform is also available in the Snyk Project Page if you import ARM images from a container registry like ACR, Docker Hub, ECR or GCR, or adding an image to be tracked by Snyk using snyk container monitor
. You can see the platform in the project metadata.
The platform information is also available for customers in the Snyk API. Whenever you retrieve a container image project you should see the imagePlatform attribute containing the platform.
Next steps
At Snyk we’re really interested in seeing how developers embrace the ARM platform in the next few years, and will be looking for more ways of helping developers to build secure Docker images, whatever platform they choose to build for.
You can try out the new ARM functionality shown above by downloading the latest version of the Snyk CLI.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.