Snyk Blog

Announcing the Snyk and Docker Security Guide for Developers

Written by:
Jim Armstrong
Jim Armstrong
wordpress-sync/blog-feature-docker-labels

November 18, 2020

0 mins read

Now that you might be seeing your first scan results for container vulnerabilities, you have likely discovered a few issues… maybe even more than a few! It can be daunting to get a list of 10s or 100s of vulnerabilities when you scan an image. Fear not! to lay the foundations for handling these issues. And we are pleased to announce the release of the Guide to Container Security for Development Teams.

Snyk Container will help you figure out what is in your container images, how a developer—who may not be an expert in container and operating system security pitfalls—can fix these issues, and where you should focus your efforts amidst the many vulnerabilities you might find.

A practical guide, built for developers

There are many best practices lists for building secure containers, but they usually have a single bullet that says something like “Scan for container vulnerabilities”. The concept is good, but the problem is, what do you do once you know about all those vulnerabilities? In fact, this issue of what to do next isn’t unique to just container vulnerabilities, which is one reason our company is named Snyk: “So Now You Know...”!

wordpress-sync/blog-what-to-do-container-vulnerabilities

So now you know you have container vulnerabilities...what do you do about it?

While we believe our products solve some of the technical hurdles, there is an educational aspect for the people and process side that isn’t so easy to just build into a product, and that’s where this guide comes in. We present you with a starting point for a process for handling container vulnerabilities, no matter which tools you use to build or scan container images.

We provide a general overview of the umbrella topic of container security and then dive deeper into the specific area of container image security. Then we outline a process for addressing vulnerabilities in containers, and also some examples of DevSecOps workflows that other organizations have implemented successfully to collaboratively build secure images. We also get into how you can keep your own code secure in a container, why you should use Docker Official images, and how to choose the best base images, from a security perspective.

Hint: our products will help you quite a bit here!

And fear not! It’s not all just a process manual. There are plenty of examples and code as well.

1$> docker build -t hello-python:slim . -f Dockerfile.slim
2[+] Building 0.4s (8/8) FINISHED
3 => [internal] load build definition from Dockerfile.slim                                                                                                               0.0s
4 => => transferring dockerfile: 78B                                                                                                                                     0.0s
5 => [internal] load .dockerignore                                                                                                                                       0.0s
6 => => transferring context: 2B                                                                                                                                         0.0s
7 => [internal] load metadata for docker.io/library/python:slim                                                                                                          0.3s
8 => [1/3] FROM docker.io/library/python:slim@sha256:9ab472fc54e9ed1064c97ff26baa16f3aad8009c03e9adf63d408f39ad3dc983                                                    0.0s
9 => [internal] load build context                                                                                                                                       0.0s
10 => => transferring context: 66B                                                                                                                                        0.0s
11 => CACHED [2/3] WORKDIR /app                                                                                                                                           0.0s
12 => CACHED [3/3] COPY hello.py /app                                                                                                                                     0.0s
13 => exporting to image                                                                                                                                                  0.0s
14 => => exporting layers                                                                                                                                                 0.0s
15 => => writing image sha256:259d236f493082154e71152881754ea50c5bf7b882413bba2b92c356af6bf83a                                                                            0.0s
16 => => naming to docker.io/library/hello-python:slim                                                                                                                    0.0s
17
18$> docker run --rm -it hello-python:slim
19Hello world!
20
21$> snyk container test hello-python:slim --file=Dockerfile.slim
22
23Testing hello-python:slim...
24...
25Package manager:   deb
26Target file:       Dockerfile.slim
27Project name:      docker-image|hello-python
28Docker image:      hello-python:slim
29Platform:          linux/arm64
30Base image:        python:slim
31Licenses:          enabled
32
33Tested 106 dependencies for known issues, found 48 issues.
34
35According to our scan, you are currently using the most secure version of the selected base image

Let us know what you think

We hope this Guide to Container Security for Development Teams is useful to you as you start to build your container image scanning practices. This guide is meant to show best practices, which we can’t do without continued input from our users!

So, if you have a great practice that you think we should cover, please reach out on the Snyk Community site and let us know.

Developer-first container security

Snyk finds and automatically fixes vulnerabilities in container images and Kubernetes workloads.

Book a live demoStart free

Posted in:Container Security
wordpress-sync/blog-feature-docker-labels

Level Up Your CI/CD Pipelines

See how these 8 tips can help you catch security issues in the pipe BEFORE you push to production ⭐️

See the cheatsheet
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon