Madhu Kumar for Docker

Vulnerability scanning for Docker images

In my previous blog post, Automate Docker security audits with Docker Bench for Security, we looked at how to automate Docker security audits with Docker Bench for Security.

But remember that Docker Bench is not an exhaustive test. There are other aspects of Docker security that should not be overlooked either.

A compromised container can give attackers a foothold in your systems even when host-level security is strong. You can reduce this risk by combining Docker Bench with image vulnerability scanners such as docker scan (backed by Snyk), Grype, Trivy and Clair. These identify problems inside your images themselves, such as outdated packages with known, exploitable vulnerabilities.

Vulnerability scanning for Docker local images using 'docker scan'

Vulnerability scanning for local Docker images lets developers and development teams review the security state of their container images and fix the issues identified by the scan before deploying. Docker scan runs on the Snyk engine and gives you visibility into the security posture of your local Dockerfiles and local images.

macpro$ docker scan --accept-license --version
Version:    v0.16.0
Git commit: e135637
Provider:   Snyk (1.809.0)

macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12

Testing postgres:12...

✗ Low severity vulnerability found in tar
  Description: CVE-2005-2541
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.34+dfsg-1

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in apt/libapt-pkg6.0
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
  Introduced through: postgresql-12@12.9-1.pgdg110+1
  From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
  From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4

✗ High severity vulnerability found in perl/perl-base
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
  Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
  From: perl/libperl5.32@5.32.1-4+deb11u2
  From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
  and 4 more.

✗ High severity vulnerability found in libgcrypt20
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
  Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
  From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
  From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
  and 9 more.

✗ Critical severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
  Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
  From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
  From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
  From: glibc/locales@2.31-13+deb11u2
  and 2 more.


Package manager:   deb
Project name:      docker-image|postgres
Docker image:      postgres:12
Platform:          linux/amd64
Base image:        postgres:12.9-bullseye

Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

You get the following free scans per month:

Local vulnerability scans: 10 scans
Local vulnerability scans with Snyk: 200 scans

For more information, refer to https://docs.docker.com/engine/scan and https://www.docker.com/pricing

Scanning container images and filesystems with Grype

Grype is a vulnerability scanner for container images and filesystems. Install the binary to try it out. It works together with Syft, the SBOM (software bill of materials) generator for container images and filesystems.

Installation

Recommended

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

...or you can specify a release version and a destination directory for the installation:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>

Homebrew

brew tap anchore/grype
brew install grype

Note: Currently, Grype is built only for macOS and Linux.

macpro$ grype k8s.gcr.io/kube-scheduler:v1.22.5 --scope all-layers
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [3 packages]
 ✔ Scanned image           [0 vulnerabilities]

No vulnerabilities found


macpro$ grype postgres:12 --scope all-layers
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [718 packages]
 ✔ Scanned image           [550 vulnerabilities]

NAME                            INSTALLED         FIXED-IN     VULNERABILITY        SEVERITY
apt                             2.2.4                          CVE-2011-3374        Negligible
coreutils                       8.32-4+b1         (won't fix)  CVE-2016-2781        Low
coreutils                       8.32-4+b1                      CVE-2017-18018       Negligible
github.com/opencontainers/runc  v1.0.1            1.0.3        GHSA-v95c-p5hm-xq8f  Medium
libapt-pkg6.0                   2.2.4                          CVE-2011-3374        Negligible
libc-bin                        2.31-13+deb11u2                CVE-2021-43396       Negligible
libc-bin                        2.31-13+deb11u2                CVE-2021-3998        Unknown
libc-bin                        2.31-13+deb11u2                CVE-2021-3999        Unknown
libc-bin                        2.31-13+deb11u2   (won't fix)  CVE-2022-23218       Unknown
libc-bin                        2.31-13+deb11u2   (won't fix)  CVE-2022-23219       Unknown
libc-bin                        2.31-13+deb11u2                CVE-2010-4756        Negligible
libc-bin                        2.31-13+deb11u2                CVE-2018-20796       Negligible
libc-bin                        2.31-13+deb11u2                CVE-2019-1010022     Negligible
libc-bin                        2.31-13+deb11u2                CVE-2019-1010023     Negligible
libc-bin                        2.31-13+deb11u2                CVE-2019-1010024     Negligible
libc-bin                        2.31-13+deb11u2                CVE-2019-1010025     Negligible
libc-bin                        2.31-13+deb11u2                CVE-2019-9192        Negligible
libc-bin                        2.31-13+deb11u2   (won't fix)  CVE-2021-33574       Critical
libc-l10n                       2.31-13+deb11u2                CVE-2021-43396       Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2021-3998        Unknown
libc-l10n                       2.31-13+deb11u2                CVE-2021-3999        Unknown
libc-l10n                       2.31-13+deb11u2   (won't fix)  CVE-2022-23218       Unknown
libc-l10n                       2.31-13+deb11u2   (won't fix)  CVE-2022-23219       Unknown
libc-l10n                       2.31-13+deb11u2                CVE-2010-4756        Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2018-20796       Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2019-1010022     Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2019-1010023     Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2019-1010024     Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2019-1010025     Negligible
libc-l10n                       2.31-13+deb11u2                CVE-2019-9192        Negligible
libc-l10n                       2.31-13+deb11u2   (won't fix)  CVE-2021-33574       Critical
libc6                           2.31-13+deb11u2                CVE-2021-43396       Negligible
libc6                           2.31-13+deb11u2                CVE-2021-3998        Unknown
libc6                           2.31-13+deb11u2                CVE-2021-3999        Unknown
libc6                           2.31-13+deb11u2   (won't fix)  CVE-2022-23218       Unknown
libc6                           2.31-13+deb11u2   (won't fix)  CVE-2022-23219       Unknown
libc6                           2.31-13+deb11u2                CVE-2010-4756        Negligible
libc6                           2.31-13+deb11u2                CVE-2018-20796       Negligible
libc6                           2.31-13+deb11u2                CVE-2019-1010022     Negligible
libc6                           2.31-13+deb11u2                CVE-2019-1010023     Negligible
libc6                           2.31-13+deb11u2                CVE-2019-1010024     Negligible
libc6                           2.31-13+deb11u2                CVE-2019-1010025     Negligible
libc6                           2.31-13+deb11u2                CVE-2019-9192        Negligible
libc6                           2.31-13+deb11u2   (won't fix)  CVE-2021-33574       Critical
libgcrypt20                     1.8.7-6           (won't fix)  CVE-2021-33560       High
libgcrypt20                     1.8.7-6                        CVE-2018-6829        Negligible
libgnutls30                     3.7.1-5                        CVE-2011-3389        Medium
libgssapi-krb5-2                1.18.3-6+deb11u1               CVE-2004-0971        Negligible
libgssapi-krb5-2                1.18.3-6+deb11u1               CVE-2018-5709        Negligible
libk5crypto3                    1.18.3-6+deb11u1               CVE-2004-0971        Negligible
libk5crypto3                    1.18.3-6+deb11u1               CVE-2018-5709        Negligible
libkrb5-3                       1.18.3-6+deb11u1               CVE-2004-0971        Negligible
libkrb5-3                       1.18.3-6+deb11u1               CVE-2018-5709        Negligible
libkrb5support0                 1.18.3-6+deb11u1               CVE-2004-0971        Negligible
libkrb5support0                 1.18.3-6+deb11u1               CVE-2018-5709        Negligible
libldap-2.4-2                   2.4.57+dfsg-3                  CVE-2015-3276        Negligible
libldap-2.4-2                   2.4.57+dfsg-3                  CVE-2017-14159       Negligible
libldap-2.4-2                   2.4.57+dfsg-3                  CVE-2017-17740       Negligible
libldap-2.4-2                   2.4.57+dfsg-3                  CVE-2020-15719       Negligible
libncursesw6                    6.2+20201114-2                 CVE-2021-39537       Negligible
libpcre3                        2:8.39-13                      CVE-2017-11164       Negligible
libpcre3                        2:8.39-13                      CVE-2017-16231       Negligible
libpcre3                        2:8.39-13                      CVE-2017-7245        Negligible
libpcre3                        2:8.39-13                      CVE-2017-7246        Negligible
libpcre3                        2:8.39-13                      CVE-2019-20838       Negligible
libperl5.32                     5.32.1-4+deb11u2               CVE-2011-4116        Negligible
libperl5.32                     5.32.1-4+deb11u2  (won't fix)  CVE-2020-16156       High
libsepol1                       3.1-1             (won't fix)  CVE-2021-36084       Low
libsepol1                       3.1-1             (won't fix)  CVE-2021-36085       Low
libsepol1                       3.1-1             (won't fix)  CVE-2021-36086       Low
libsepol1                       3.1-1             (won't fix)  CVE-2021-36087       Low
libsqlite3-0                    3.34.1-3                       CVE-2021-36690       Negligible
libssl1.1                       1.1.1k-1+deb11u1               CVE-2007-6755        Negligible
libssl1.1                       1.1.1k-1+deb11u1               CVE-2010-0928        Negligible
libsystemd0                     247.3-6                        CVE-2013-4392        Negligible
libsystemd0                     247.3-6                        CVE-2020-13529       Negligible
libsystemd0                     247.3-6           (won't fix)  CVE-2021-3997        Unknown
libtinfo6                       6.2+20201114-2                 CVE-2021-39537       Negligible
libudev1                        247.3-6                        CVE-2013-4392        Negligible
libudev1                        247.3-6                        CVE-2020-13529       Negligible
libudev1                        247.3-6           (won't fix)  CVE-2021-3997        Unknown
libxslt1.1                      1.1.34-4                       CVE-2015-9019        Negligible
locales                         2.31-13+deb11u2                CVE-2021-43396       Negligible
locales                         2.31-13+deb11u2                CVE-2021-3998        Unknown
locales                         2.31-13+deb11u2                CVE-2021-3999        Unknown
locales                         2.31-13+deb11u2   (won't fix)  CVE-2022-23218       Unknown
locales                         2.31-13+deb11u2   (won't fix)  CVE-2022-23219       Unknown
locales                         2.31-13+deb11u2                CVE-2010-4756        Negligible
locales                         2.31-13+deb11u2                CVE-2018-20796       Negligible
locales                         2.31-13+deb11u2                CVE-2019-1010022     Negligible
locales                         2.31-13+deb11u2                CVE-2019-1010023     Negligible
locales                         2.31-13+deb11u2                CVE-2019-1010024     Negligible
locales                         2.31-13+deb11u2                CVE-2019-1010025     Negligible
locales                         2.31-13+deb11u2                CVE-2019-9192        Negligible
locales                         2.31-13+deb11u2   (won't fix)  CVE-2021-33574       Critical
login                           1:4.8.1-1                      CVE-2007-5686        Negligible
login                           1:4.8.1-1                      CVE-2013-4235        Negligible
login                           1:4.8.1-1                      CVE-2019-19882       Negligible
ncurses-base                    6.2+20201114-2                 CVE-2021-39537       Negligible
ncurses-bin                     6.2+20201114-2                 CVE-2021-39537       Negligible
openssl                         1.1.1k-1+deb11u1               CVE-2007-6755        Negligible
openssl                         1.1.1k-1+deb11u1               CVE-2010-0928        Negligible
passwd                          1:4.8.1-1                      CVE-2007-5686        Negligible
passwd                          1:4.8.1-1                      CVE-2013-4235        Negligible
passwd                          1:4.8.1-1                      CVE-2019-19882       Negligible
perl                            5.32.1-4+deb11u2               CVE-2011-4116        Negligible
perl                            5.32.1-4+deb11u2  (won't fix)  CVE-2020-16156       High
perl-base                       5.32.1-4+deb11u2               CVE-2011-4116        Negligible
perl-base                       5.32.1-4+deb11u2  (won't fix)  CVE-2020-16156       High
perl-modules-5.32               5.32.1-4+deb11u2               CVE-2011-4116        Negligible
perl-modules-5.32               5.32.1-4+deb11u2  (won't fix)  CVE-2020-16156       High
tar                             1.34+dfsg-1                    CVE-2005-2541        Negligible

Conclusion

Hardening a Docker image means scanning it for vulnerabilities, building a new image with additional mitigating protections, and then using that version as the base for your application. Scan and rebuild your images regularly so that they include the latest packages and patches, and make hardening a step in your image build pipeline.

Remember that container security best practices do not cover only the delivered applications and the container images themselves. They also cover the full component stack used for building, distributing and, above all, running the container.

One of the key points of cloud-native security is addressing container security risks as early as possible. Doing so later in the development life cycle slows down cloud adoption while raising security and compliance risk.
