Skip to main content

Announcing the Snyk and Docker Security Guide for Developers

Written by:
wordpress-sync/blog-feature-docker-labels

November 18, 2020

0 mins read

Now that you might be seeing your first scan results for container vulnerabilities, you have likely discovered a few issues… maybe even more than a few! It can be daunting to get a list of 10s or 100s of vulnerabilities when you scan an image. Fear not! to lay the foundations for handling these issues. And we are pleased to announce the release of the Guide to Container Security for Development Teams.

Snyk Container will help you figure out what is in your container images, how a developer—who may not be an expert in container and operating system security pitfalls—can fix these issues, and where you should focus your efforts amidst the many vulnerabilities you might find.

A practical guide, built for developers

There are many best practices lists for building secure containers, but they usually have a single bullet that says something like “Scan for container vulnerabilities”. The concept is good, but the problem is, what do you do once you know about all those vulnerabilities? In fact, this issue of what to do next isn’t unique to just container vulnerabilities, which is one reason our company is named Snyk: “So Now You Know...”!

wordpress-sync/blog-what-to-do-container-vulnerabilities

So now you know you have container vulnerabilities...what do you do about it?

While we believe our products solve some of the technical hurdles, there is an educational aspect for the people and process side that isn’t so easy to just build into a product, and that’s where this guide comes in. We present you with a starting point for a process for handling container vulnerabilities, no matter which tools you use to build or scan container images.

We provide a general overview of the umbrella topic of container security and then dive deeper into the specific area of container image security. Then we outline a process for addressing vulnerabilities in containers, and also some examples of DevSecOps workflows that other organizations have implemented successfully to collaboratively build secure images. We also get into how you can keep your own code secure in a container, why you should use Docker Official images, and how to choose the best base images, from a security perspective.

Hint: our products will help you quite a bit here!

And fear not! It’s not all just a process manual. There are plenty of examples and code as well.

1$> docker build -t hello-python:slim . -f Dockerfile.slim
2[+] Building 0.4s (8/8) FINISHED
3 => [internal] load build definition from Dockerfile.slim                                                                                                               0.0s
4 => => transferring dockerfile: 78B                                                                                                                                     0.0s
5 => [internal] load .dockerignore                                                                                                                                       0.0s
6 => => transferring context: 2B                                                                                                                                         0.0s
7 => [internal] load metadata for docker.io/library/python:slim                                                                                                          0.3s
8 => [1/3] FROM docker.io/library/python:slim@sha256:9ab472fc54e9ed1064c97ff26baa16f3aad8009c03e9adf63d408f39ad3dc983                                                    0.0s
9 => [internal] load build context                                                                                                                                       0.0s
10 => => transferring context: 66B                                                                                                                                        0.0s
11 => CACHED [2/3] WORKDIR /app                                                                                                                                           0.0s
12 => CACHED [3/3] COPY hello.py /app                                                                                                                                     0.0s
13 => exporting to image                                                                                                                                                  0.0s
14 => => exporting layers                                                                                                                                                 0.0s
15 => => writing image sha256:259d236f493082154e71152881754ea50c5bf7b882413bba2b92c356af6bf83a                                                                            0.0s
16 => => naming to docker.io/library/hello-python:slim                                                                                                                    0.0s
17
18$> docker run --rm -it hello-python:slim
19Hello world!
20
21$> snyk container test hello-python:slim --file=Dockerfile.slim
22
23Testing hello-python:slim...
24...
25Package manager:   deb
26Target file:       Dockerfile.slim
27Project name:      docker-image|hello-python
28Docker image:      hello-python:slim
29Platform:          linux/arm64
30Base image:        python:slim
31Licenses:          enabled
32
33Tested 106 dependencies for known issues, found 48 issues.
34
35According to our scan, you are currently using the most secure version of the selected base image

Let us know what you think

We hope this Guide to Container Security for Development Teams is useful to you as you start to build your container image scanning practices. This guide is meant to show best practices, which we can’t do without continued input from our users!

So, if you have a great practice that you think we should cover, please reach out on the Snyk Community site and let us know.

wordpress-sync/blog-feature-docker-labels

Level Up Your CI/CD Pipelines

See how these 8 tips can help you catch security issues in the pipe BEFORE you push to production ⭐️