container image security scanning

Container image security scanning directly from Docker Desktop, powered by Snyk

By Jim Armstrong, Sarah Conway
September 15, 2020 | in Container Security, Partners

We recently announced our exciting partnership with Docker, aimed at providing a Docker native experience for vulnerability detection and fixes, powered by Snyk. 

This collaboration will help developers by combining the most popular container runtime and repository with the industry’s first container vulnerability remediation tool built specifically for developers. Together, we’re providing a streamlined workflow that makes the container-based application development process more robust, allowing for more efficient and secure builds as an automated part of their workflow. 

We’re pleased to share that the first step toward this mutual goal is complete, and container image security scanning is now as simple as docker scan in Docker Desktop! The new feature is currently in the Docker Desktop Edge release on both Windows and macOS (note: the integrated scanning is only available in the Edge channel for now). This enables development teams to create and ship their container-based applications with confidence, without requiring an advanced background in security or operating system administration.

Snyk security embedded in Docker Desktop

The integration between Snyk and Docker puts developer-focused security scanning directly in your Docker tooling. With it, you can now scan your container image immediately after build, straight from Docker Desktop, using a simple command:  

docker scan <image-name>

This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to Docker Hub or any other registry. 

The Snyk-powered vulnerability scans are a little different from what you might be used to seeing from other vulnerability scanners. Aside from simply listing all the issues, Snyk also guides developers to action. By including the Dockerfile along with the image through the --file <path/to/Dockerfile> option, the results from docker scan include details on how to select a more recent and/or smaller base image with fewer vulnerabilities. In addition, each vulnerability displayed is mapped to the actual Dockerfile instruction that introduced it, along with the dependency chain needed to track down the issue and take care of it.

In the example below, we run docker scan against an image and include the Dockerfile in the scan. In the video, we’ve highlighted the base image recommendations and a specific vulnerability that shows how the Dockerfile information is displayed in the results:


You might look at that output and think, “That’s way too much for me to deal with all at once! I’ll deal with the base image changes later, but for now just show me which lines in my Dockerfile are introducing vulnerabilities.” We can use the JSON output and some filtering to find that out! The example below scans the same image but the command this time is:

docker scan jimcodified/dockercon2020:alpha-blog.orig --file Dockerfile --exclude-base --json | jq '[.vulnerabilities[].dockerfileInstruction] | unique'

What we’ve done here is exclude the base image vulnerabilities and request JSON output (--exclude-base --json), then use jq to reduce the remaining vulnerabilities to the unique set of Dockerfile instructions that introduced them. Of course, there’s much more you can do with filtering options, but that should get you started.
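The same post-processing in Python, as an added example rather than code from the post or from Snyk: it reproduces the jq one-liner above and then goes a step further by counting finding severities per Dockerfile instruction so the worst offenders can be fixed first. The report is a constructed sample; only vulnerabilities[] and dockerfileInstruction come from the command shown above, while the id, severity, packageName and version fields are assumed names.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of `docker scan ... --exclude-base --json` output.
# Only `vulnerabilities[]` and `dockerfileInstruction` come from the post;
# `id`, `severity`, `packageName` and `version` are assumed field names.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "lodash",
     "version": "4.17.15", "dockerfileInstruction": "RUN npm install"},
    {"id": "SNYK-EXAMPLE-0002", "severity": "medium", "packageName": "minimist",
     "version": "1.2.0", "dockerfileInstruction": "RUN npm install"},
    {"id": "SNYK-EXAMPLE-0003", "severity": "low", "packageName": "curl",
     "version": "7.64.0-r3", "dockerfileInstruction": "RUN apk add --no-cache curl"},
]})

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def unique_instructions(report_json: str) -> list:
    """Same result as `jq '[.vulnerabilities[].dockerfileInstruction] | unique'`.
    jq's `unique` sorts its output, so this is sorted as well."""
    report = json.loads(report_json)
    return sorted({v["dockerfileInstruction"] for v in report["vulnerabilities"]})


def severity_by_instruction(report_json: str) -> dict:
    """Map each Dockerfile instruction to a Counter of finding severities,
    so the instructions that pull in the worst findings can be fixed first."""
    table = defaultdict(Counter)
    for v in json.loads(report_json)["vulnerabilities"]:
        table[v["dockerfileInstruction"]][v["severity"]] += 1
    return dict(table)


def instructions_at_or_above(report_json: str, threshold: str) -> list:
    """Instructions with at least one finding at `threshold` severity or worse.
    A non-empty result is a natural build gate in CI."""
    floor = SEVERITY_ORDER[threshold]
    return sorted(
        instr for instr, counts in severity_by_instruction(report_json).items()
        if any(SEVERITY_ORDER[sev] >= floor for sev in counts)
    )


if __name__ == "__main__":
    print(unique_instructions(SAMPLE_REPORT))
    print(instructions_at_or_above(SAMPLE_REPORT, "high"))
```

To run it against a real scan, replace SAMPLE_REPORT with the captured output of the docker scan command above.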


Get deeper application analysis, security prioritization and continuous monitoring in the Snyk console

If you want to go beyond a single scan, signing up for a free Snyk account gives you additional features beyond just additional container image scans each month. With a Snyk account, you can scan your open source code dependencies for security and license issues, get improved visibility and reporting into vulnerabilities across teams and organizations, and check your Kubernetes deployment code and Helm charts for insecure configurations, too. In the Snyk application you can also monitor your images over time, so that as new container vulnerabilities are discovered you will know whether your images are at risk.


Join Our Sept. 24th Demo Session: Container image security scanning with Docker Desktop, powered by Snyk


This is just the first phase of collaboration between Snyk and Docker. We’re continuing to work closely together to ensure that security becomes a seamless part of the developer’s toolset to help speed deployment. With future integration between Snyk and Docker products and services planned, developers can expect that our close collaboration will ensure continuous security fits naturally into their favorite container toolset and development workflow for greater agility and productivity when creating applications. 

Join us on Sept. 24th at 10 am PT for an interactive live session with a demo of docker scan <image> in Docker Desktop Edge! We’ll show you how to fix both a very simple image and a large image with more issues using Snyk. 

Stay secure!
