Docker Security Scanning Guide 2022

Docker has an enormous worldwide user base, recently surpassing 10 million users and 242 billion image pulls and has changed the way applications are built. 

With the accelerated development velocity that containerization enables, additional security responsibilities are shifting to developers, who now need to maintain container images in addition to their code. That’s why a developer-friendly Snyk integration with Docker is invaluable in today’s security landscape.

Docker allows you to install all of the dependencies a service needs inside a container so you don’t have to worry about installing unwanted or different versions of the same package natively on your computer. This makes it easy to distribute the complete working environment of an application to others within or outside your team. 

You can easily upload or push your Docker images to Docker’s own DockerHub, which offers both free and paid accounts; or to third-party repositories such as Amazon Elastic Container Registry (ECR) or Google’s Container Registry (GCR).

But how do you tell a container what dependencies or tools to install inside a container? Dockerfile was designed for this specific purpose.

The integration between Snyk and Docker puts developer-focused container security scanning directly in your Docker tooling. With it, you can now scan your container image immediately after build, straight from Docker Desktop, using a simple command:  

docker scan <image-name>

This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to Docker Hub or other registries you may use. 

The Snyk-powered vulnerability scans are a little different than what you might be used to seeing from other vulnerability scans. Aside from simply listing all the issues, Snyk’s goal is to guide developers toward action:

• By including the Dockerfile along with the image through the --file <path/to/Dockerfile> option, the results from docker scan include details on how to select a more recent and/or smaller base image with fewer vulnerabilities. 
• In addition, vulnerabilities are mapped to the Dockerfile instruction that introduced them, along with the relevant dependencies needed to track down an issue and take care of it. 

If you’re using a container orchestration service like Kubernetes, while you might think that these security issues are already taken care of, this isn’t necessarily the case. Though Kubernetes has security policies on how to run pods (Pods are essentially containers.), it doesn’t offer much in terms of security for the code or services running inside these pods. Instead, this responsibility lies with the user. When configuring your Kubernetes cluster, which is also done using code, it is important to follow Kubernetes security best practices.

Types of Docker Security Scanning

Checking for known vulnerabilities against the packages listed in your Docker images through the aforementioned CVE database, is not always enough. Security vulnerabilities could be lurking in many different places. To this end, there are a range of security scanning tools and services available for Docker containers:

• Network configuration tools: These tools scan Docker image port and network configuration to identify and flag such issues. Examples include Cilium and Sysdig Falco.
• Identity & access management tools: Preventing your container from having complete access to all your resources is an important security measure. This involves assigning certain roles and responsibilities to Docker containers. There are tools to facilitate this and also enforce and monitor these roles. Notary is one such tool.
• User-defined policy tools: Some tools even allow you to define and enforce your own security policies in your containers. Grafeas is a popular tool in this category.
• Open-source tools: There are a number of available open-source vulnerability scanning tools. Open-source scanning tools are popular among developers since they often use other open-source tools, such as frameworks, operating systems, or IDEs. Security experts also prefer open-source, because they are easy to audit and provide better visibility. If you’re new to Docker container virtualization, you’ll also want to know which instruction in the Dockerfile is causing security issues in your container; and there are tools for that.
  Snyk is a great example of an open-source security scanning tool, you can sign up to use it for free.

While no security scanning tool can guarantee 100% security of any Docker image or container, this kind of Docker image security scanning tools can help you minimize the risk of vulnerability issues in your application and infrastructure. Moreover, some tools offer constant container monitoring and alerting, so you’re notified if and when such an issue is detected. And by following docker security best practices, you can minimize the risk of introducing security vulnerabilities.
Create and ship container-based applications with confidence. Secure your containerized applications with Snyk’s Docker vulnerability scanner.

Docker Security Scanning Cheatsheet

Docker has an enormous worldwide user base, recently surpassing 10 million users and 242 billion image pulls and has changed the way applications are built. 

With the accelerated development velocity that containerization enables, additional security responsibilities are shifting to developers, who now need to maintain container images in addition to their code. That’s why a developer-friendly Snyk integration with Docker is invaluable in today’s security landscape.

At SnykCon 2020, we announced the integration of Snyk-powered container scanning in the latest version of Docker Desktop. This followed our news that Snyk would become the security provider for Docker’s Official Images and that Snyk security scanning would be integrated directly into Docker Hub.

5 steps of container scanning with Docker Desktop

1. Make sure your version of Docker Desktop is up to date
2. Get logged in
3. Docker scan your first container image
4. Scan your image along with your Dockerfile
5. Filter your scan results

We’ve created a Docker Vulnerability Scanning CLI cheatsheet, to help you get started scanning your container images with Docker Desktop and Snyk, and below we have a few tips to get you started.

Step 1: make sure your version of Docker Desktop is up to date

Docker Desktop has included Snyk’s scanning capabilities for a few months now, but in case you haven’t updated in a while or you aren’t sure if you have the Snyk components, here’s how you can check.

Via the CLI	Docker Desktop “About”
The docker scan command will be available.	If you see the little Snyk icon and version info, you all set

$ docker scan --help
Usage: docker scan [OPTIONS] IMAGE A tool to scan your images

Step 2: get logged in!

To start scanning, you need to have a Docker ID and be logged in via Docker Desktop. You’ll get 10 free container images tests per month. But you can get 200 scans per month if you login to Snyk as well. The Snyk login is integrated with your Docker ID so even if you don’t currently have a login with Snyk, it’s simple to get going.

$ docker scan --login

If you want to authenticate with an API token instead, be sure to include the --token flag and your token as the flag argument. You can find your Snyk API token under Settings –> Service Accounts within the Snyk console.

Signing up for Snyk also unlocks additional open source security scanning features for your dependencies, configuration files, and more. See our recent talk about how Snyk integrates throughout the entire software development lifecycle (SDLC), including integrated developer environments (IDEs), source code management (SCM), continuous integration, and continuous development (CI/CD) platforms, and more.

Step 3: Docker scan your first container image

With the basic docker scan myapp:mytag command, you can scan a single Docker image for vulnerabilities. There are a number of additional flags you can include to produce more granular results, which are detailed below.

Step 4: Scan your image along with your Dockerfile

The --file path/to/Dockerfile option is one of the most generally useful options. By including the Dockerfile you can get base image upgrade recommendations for Docker Official base images, and the vulnerabilities will be mapped to the Dockerfile commands that introduced them. 

Step 5: filter your scan results

The --exclude-base flag, which must be used with the –file flag, will ignore any vulnerabilities that originate from the base image so you can focus on remediating issues within your own container image.

The --dependency-tree flag will include a package dependency tree along with the vulnerability scan results to make tracking down the source of issues even easier.

The --json flag allows you to control the scanning results output. With the jq tool, you can then parse and filter the JSON results based on the following keys:

• packageName: name of the top-level package
• severity: rating based on common vulnerability scoring system (CVSS)
• id: identifier within Snyk’s vulnerability database
• name: name of the vulnerability binary
• version: version installed in the container image 
• nearestFixedInVersion: minimum version required to remediate a vulnerability
• dockerfileInstruction: line where the vulnerable package was introduced in Dockerfile
• dockerBaseImage: parent image that was detected

The steps above will get you started with container security, but if you want a handy way to remember and want to see more examples, the Docker CLI cheatsheet is your best reference guide. The Docker container scanning CLI is a simple, yet powerful tool for detecting and remediating vulnerabilities early in the development process. This Docker-native solution can be run immediately after you build so that issues are resolved before the image is even pushed to Docker Hub. If you have questions or you’ve come up with a clever use case, we’d love to hear from you on the Snyk Community site.