Docker Security Scanning Guide 2022
Docker has an enormous worldwide user base, recently surpassing 10 million users and 242 billion image pulls and has changed the way applications are built.
With the accelerated development velocity that containerization enables, additional security responsibilities are shifting to developers, who now need to maintain container images in addition to their code. That’s why a developer-friendly Snyk integration with Docker is invaluable in today’s security landscape.
What Is Docker?
Docker is a set of platform-as-a-service (PaaS) products used to run applications and services within their own dedicated sandboxes, called containers, which are isolated using OS-level virtualization (kernel namespaces and cgroups) rather than separate virtual machines.
Docker allows you to install all of the dependencies a service needs inside a container so you don’t have to worry about installing unwanted or different versions of the same package natively on your computer. This makes it easy to distribute the complete working environment of an application to others within or outside your team.
You can easily upload or push your Docker images to Docker’s own Docker Hub, which offers both free and paid accounts, or to third-party registries such as Amazon Elastic Container Registry (ECR) or Google Container Registry (GCR).
But how do you tell Docker which dependencies or tools to install inside a container? The Dockerfile was designed for this specific purpose.
What Is a Dockerfile?
A Dockerfile tells Docker how to prepare a container. Once you’ve written all the instructions in the Dockerfile, you can “build” an image from it. To share your work, you can either share the Dockerfile blueprint, which lets anybody build the image, or share the built image directly. The advantage of sharing the image is that nobody needs to rebuild it, but it also means the recipient gets exactly the packages you built in, vulnerable or not, which is why the image itself needs scanning.
What Is Docker Security Scanning?
Docker image security scanning is a process of identifying known security vulnerabilities in the packages listed in your Docker image. This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to Docker Hub or any other registry.
The integration between Snyk and Docker puts developer-focused container security scanning directly in your Docker tooling. With it, you can now scan your container image immediately after build, straight from Docker Desktop, using a simple command:
docker scan <image-name>
This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to Docker Hub or other registries you may use.
The Snyk-powered vulnerability scans are a little different than what you might be used to seeing from other vulnerability scans. Aside from simply listing all the issues, Snyk’s goal is to guide developers toward action:
- By including the Dockerfile along with the image through the --file <path/to/Dockerfile> option, the results from docker scan include details on how to select a more recent and/or smaller base image with fewer vulnerabilities.
- In addition, vulnerabilities are mapped to the Dockerfile instruction that introduced them, along with the relevant dependencies needed to track down an issue and take care of it.
Why is Docker Security Scanning Important?
Docker security scanning is important because it is the most direct way to find known vulnerabilities in the packages inside an image, and to fix them, before the image is pushed to Docker Hub or any other registry and pulled into production.
If you’re using a container orchestration service like Kubernetes, you might assume these security issues are already taken care of, but that isn’t the case. Kubernetes can enforce policies on how pods are run (a pod is a group of one or more containers that share a network namespace and storage; for example, it can require that containers run as a non-root user), but it offers nothing for vulnerabilities in the code or packages running inside those containers. That responsibility lies with you. When configuring your Kubernetes cluster, which is also done using code, it is important to follow Kubernetes security best practices, but cluster hardening and image scanning are separate controls and you need both.
Types of Docker Security Scanning
Checking the packages listed in your Docker images against a database of known vulnerabilities (CVE entries and distribution security advisories) is not always enough. Security weaknesses can lurk in many different places: how the container is networked, what it is allowed to access, and what it does once it is running. To this end, there are a range of security tools and services available for Docker containers that complement image scanning:
- Network and runtime tools: an image scan says nothing about how a container behaves once it runs. Cilium enforces network policy between containers, and Sysdig Falco watches running containers for unexpected behaviour such as a shell being spawned inside a container or an unexpected outbound connection. These tools catch problems that no static image scan can.
- Identity & access management tools: a container should not have unrestricted access to the host or to every resource in your environment. That means running containers as a non-root user, dropping Linux capabilities they do not need, and scoping what a Kubernetes workload can do through RBAC and a dedicated service account. Notary addresses the related question of trusting what you run: it signs images so that a consumer can verify an image came from the expected publisher and was not altered in the registry (this is what Docker Content Trust is built on).
- User-defined policy tools: some tools let you define and enforce your own policies, for example refusing to deploy an image that has not been scanned or that contains critical findings. Grafeas is a popular tool in this category: it stores artifact metadata such as scan results and attestations that a policy engine can evaluate before a deployment is admitted.
- Open-source tools: there are a number of open-source vulnerability scanning tools. They are popular among developers, who already use open-source frameworks, operating systems, and IDEs, and security teams also favour them because they are easy to audit and provide better visibility into what is being checked. If you’re new to Docker, you’ll also want to know which instruction in the Dockerfile introduced a given vulnerability; there are tools for that as well.
Snyk’s CLI is open source, and the Snyk service has a free tier, so you can sign up and start scanning at no cost.
No security scanning tool can guarantee that a Docker image or container is free of vulnerabilities: a scanner only reports what is already known, so a package with an undisclosed flaw will pass clean. Image scanning tools nevertheless remove the large, well-understood class of risk that comes from shipping packages with published fixes. Some tools also offer continuous monitoring and alerting, so you are notified when a new vulnerability is published for a package in an image you already shipped. And by following Docker security best practices, you can minimize the risk of introducing new vulnerabilities in the first place.
Docker Security Scanning Cheatsheet
At SnykCon 2020, we announced the integration of Snyk-powered container scanning in the latest version of Docker Desktop. This followed our news that Snyk would become the security provider for Docker’s Official Images and that Snyk security scanning would be integrated directly into Docker Hub.
5 steps of container scanning with Docker Desktop
- Make sure your version of Docker Desktop is up to date
- Get logged in
- Docker scan your first container image
- Scan your image along with your Dockerfile
- Filter your scan results
We’ve created a Docker Vulnerability Scanning CLI cheatsheet, to help you get started scanning your container images with Docker Desktop and Snyk, and below we have a few tips to get you started.

Step 1: make sure your version of Docker Desktop is up to date
Docker Desktop has included Snyk’s scanning capabilities for a few months now, but in case you haven’t updated in a while or you aren’t sure if you have the Snyk components, here’s how you can check.
Via the CLI: the docker scan command will be available.
$ docker scan --help
Usage: docker scan [OPTIONS] IMAGE

A tool to scan your images

Via Docker Desktop “About”: if you see the little Snyk icon and version info, you’re all set.

Step 2: get logged in!
To start scanning, you need to have a Docker ID and be logged in via Docker Desktop. You’ll get 10 free container image tests per month. You can get 200 scans per month if you log in to Snyk as well. The Snyk login is integrated with your Docker ID, so even if you don’t currently have a Snyk account, it’s simple to get going.
$ docker scan --login
If you want to authenticate with an API token instead, be sure to include the --token flag and your token as the flag argument. You can find your Snyk API token under Settings -> Service Accounts within the Snyk console.
Signing up for Snyk also unlocks additional open source security scanning features for your dependencies, configuration files, and more. See our recent talk about how Snyk integrates throughout the entire software development lifecycle (SDLC), including integrated development environments (IDEs), source code management (SCM), continuous integration and continuous delivery (CI/CD) platforms, and more.
Step 3: Docker scan your first container image
With the basic docker scan myapp:mytag command, you can scan a single Docker image for vulnerabilities. There are a number of additional flags you can include to produce more granular results, which are detailed below.
Step 4: Scan your image along with your Dockerfile
The --file path/to/Dockerfile option is one of the most generally useful options. By including the Dockerfile you can get base image upgrade recommendations for Docker Official base images, and the vulnerabilities will be mapped to the Dockerfile commands that introduced them.
Step 5: filter your scan results
The --exclude-base flag, which must be used with the --file flag, will ignore any vulnerabilities that originate from the base image so you can focus on remediating issues within your own container image.
The --dependency-tree flag will include a package dependency tree along with the vulnerability scan results to make tracking down the source of issues even easier.
The --json flag switches the scan output to JSON. With the jq tool, you can then parse and filter the JSON results based on the following keys:
- packageName: name of the top-level package
- severity: rating based on the Common Vulnerability Scoring System (CVSS)
- id: identifier within Snyk’s vulnerability database
- name: name of the vulnerable package
- version: version installed in the container image
- nearestFixedInVersion: minimum version required to remediate the vulnerability
- dockerfileInstruction: the Dockerfile line where the vulnerable package was introduced
- dockerBaseImage: parent image that was detected
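The five steps above, and the docker scan <image-name> command introduced earlier, end with a JSON report that still has to be turned into a work list. The script below is an added example for this guide, not Snyk’s or Docker’s own tooling. It runs docker scan --json (optionally with --file) when given an image name, or falls back to a constructed sample report when run without arguments, and then does in Python what the jq filtering step describes: keeps findings at or above a severity floor, drops base-image findings the way --exclude-base does, and groups the rest by the Dockerfile instruction that introduced them, with the nearestFixedInVersion shown as the fix. Assumptions, marked in the code: the report has a top-level vulnerabilities list carrying the keys listed above, and a finding counts as a base-image finding when it is attached to the FROM line or to no instruction at all. The package names, versions and ids in the sample are placeholders, not real advisories.

```python
"""Triage `docker scan --json` output: severity floor, base-image exclusion,
grouping by the Dockerfile instruction that introduced each finding.
Added example for this guide; not Snyk's or Docker's own code."""
import argparse
import json
import subprocess
import sys
from collections import defaultdict

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape docker scan --json emits (assumption: a
# top-level "vulnerabilities" list with the keys described in the guide).
# Package names, versions and ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "libfoo",
         "name": "libfoo", "version": "1.0.1", "nearestFixedInVersion": "1.0.3",
         "dockerfileInstruction": "FROM example-base:1.0",
         "dockerBaseImage": "example-base:1.0"},
        {"id": "SNYK-EXAMPLE-0002", "severity": "critical", "packageName": "libbar",
         "name": "libbar", "version": "2.4.0", "nearestFixedInVersion": "2.4.2",
         "dockerfileInstruction": "RUN apt-get install -y libbar",
         "dockerBaseImage": "example-base:1.0"},
        {"id": "SNYK-EXAMPLE-0003", "severity": "low", "packageName": "libbaz",
         "name": "libbaz", "version": "0.9.0", "nearestFixedInVersion": None,
         "dockerfileInstruction": "RUN apt-get install -y libbaz",
         "dockerBaseImage": "example-base:1.0"},
        {"id": "SNYK-EXAMPLE-0004", "severity": "medium", "packageName": "libqux",
         "name": "libqux", "version": "3.1.0", "nearestFixedInVersion": "3.1.1",
         "dockerBaseImage": "example-base:1.0"},  # no instruction: from the base
    ]
}


def run_docker_scan(image, dockerfile=None):
    """Run `docker scan --json [--file DOCKERFILE] IMAGE` and parse stdout.
    docker scan exits non-zero when it finds vulnerabilities, so the exit
    status is not treated as an error; only missing JSON output is."""
    cmd = ["docker", "scan", "--json"]
    if dockerfile:
        cmd += ["--file", dockerfile]
    cmd.append(image)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        sys.exit(f"docker scan produced no JSON report:\n{proc.stderr}")


def is_base_image_finding(vuln):
    """Assumption: a finding belongs to the base image when it was introduced
    by the FROM line or is not tied to any instruction in the Dockerfile."""
    instr = vuln.get("dockerfileInstruction")
    return instr is None or instr.upper().startswith("FROM")


def triage(report, min_severity="low", exclude_base=False):
    """Findings at or above min_severity, optionally without base-image
    findings (what --exclude-base does), ordered most severe first."""
    floor = SEVERITY_RANK[min_severity]
    selected = [
        v for v in report.get("vulnerabilities", [])
        if SEVERITY_RANK.get(v.get("severity", "low"), 0) >= floor
        and not (exclude_base and is_base_image_finding(v))
    ]
    # sorted() is stable, so equal severities keep the scanner's order
    return sorted(selected, key=lambda v: SEVERITY_RANK[v["severity"]], reverse=True)


def group_by_instruction(vulns):
    """Map each Dockerfile instruction to the (package, version, fix) tuples it
    introduced, so the fix is made at the line that caused the finding."""
    groups = defaultdict(list)
    for v in vulns:
        key = v.get("dockerfileInstruction") or f"base image {v.get('dockerBaseImage', '?')}"
        groups[key].append((v["packageName"], v["version"], v.get("nearestFixedInVersion")))
    return dict(groups)


def render(vulns):
    lines = []
    for instr, pkgs in group_by_instruction(vulns).items():
        lines.append(instr)
        for name, ver, fix in pkgs:
            lines.append(f"  {name}@{ver}: " + (f"upgrade to {fix}" if fix else "no fixed version yet"))
    return "\n".join(lines)


def main(argv=None):
    p = argparse.ArgumentParser(description="triage docker scan --json output")
    p.add_argument("image", nargs="?", help="image to scan; omit to use the built-in sample")
    p.add_argument("--file", dest="dockerfile", help="Dockerfile to pass to docker scan")
    p.add_argument("--min-severity", choices=SEVERITY_RANK, default="low")
    p.add_argument("--exclude-base", action="store_true")
    args = p.parse_args(argv)
    report = run_docker_scan(args.image, args.dockerfile) if args.image else SAMPLE_REPORT
    vulns = triage(report, args.min_severity, args.exclude_base)
    print(render(vulns) if vulns else f"no findings at or above {args.min_severity}")
    return 1 if vulns else 0  # non-zero so a CI job fails on open findings


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python3 triage.py --exclude-base --min-severity high myapp:mytag --file Dockerfile to see only the high and critical findings your own instructions introduced; with no image argument it prints the triage of the built-in sample. The exit code makes it usable as a CI gate. Under the same assumption about the report shape, the equivalent jq selection for the severity floor would be jq '[.vulnerabilities[] | select(.severity == "high" or .severity == "critical")]'.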
Integrate security into your SDLC
Empower developers with the right tools to build software securely
The steps above will get you started with container security, but if you want a handy way to remember and want to see more examples, the Docker CLI cheatsheet is your best reference guide. The Docker container scanning CLI is a simple, yet powerful tool for detecting and remediating vulnerabilities early in the development process. This Docker-native solution can be run immediately after you build so that issues are resolved before the image is even pushed to Docker Hub. If you have questions or you’ve come up with a clever use case, we’d love to hear from you on the Snyk Community site.