DEV Community

Cover image for Vulnerability and Dependency Scanning with Docker Scout
Ivan Porta
Ivan Porta

Posted on • Edited on • Originally published at Medium

Vulnerability and Dependency Scanning with Docker Scout

As application designs become more intricate in today’s digital age, they often form a complex web of interconnected dependencies. This can result in a daunting dependency tree that can be challenging to monitor and maintain.

Take the Equifax data breach in September 2017 as an example. Equifax, one of the major credit reporting agencies in the US, suffered a data breach due to a vulnerability in the Apache Strut framework (CVE-2017–5638) dependency, which is widely used for developing web applications in Java. The mishandling of uploaded files enabled hackers to execute remote code, exposing the personal data of 147 million people.

In Docker, dependencies are commonly associated with the services or libraries needed for a containerized application to function properly. These dependencies are outlined in the Dockerfile during the image creation phase. For instance, take a Python application with the following requirements:

Flask==1.1.2
NumPy==1.19.2
pandas==1.1.3
SQLAlchemy==1.3.19
Enter fullscreen mode Exit fullscreen mode

Its Dockerfile will instruct the engine to install these requirements when a container run the image.

FROM ubuntu:20.04
RUN apt-get update && apt-get install -y python3.8 python3-pip
WORKDIR /app
COPY requirements.txt .
RUN pip3 install -r requirements.txt
COPY . .
CMD [ "python3", "./app.py" ]
Enter fullscreen mode Exit fullscreen mode

Despite their simplicity, such applications will also incorporate the following sub-dependencies, adding complexity and potential vulnerability points.

$ sudo docker scan gtrekter/training:1.0 --dependency-tree 
docker-image|training @ 1.0
   ├─ adduser @ 3.118ubuntu2
   │  └─ shadow/passwd @ 1:4.8.1-1ubuntu5.20.04.4
   │     ├─ libsemanage/libsemanage1 @ 3.0-1build2
   │     │  ├─ libsemanage/libsemanage-common @ 3.0-1build2
   │     │  └─ libsepol/libsepol1 @ 3.0-1ubuntu0.1
   │     ├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
   │     │  ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
   │     │  ├─ pam/libpam-modules-bin @ 1.3.1-5ubuntu4.6
   │     │  │  └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   │     │  └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   │     └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   ├─ apt @ 2.0.9
   │  ├─ adduser @ 3.118ubuntu2
   │  ├─ apt/libapt-pkg6.0 @ 2.0.9
   │  │  ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  ├─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
   │  │  ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   │  │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  │  └─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
   │  │  └─ systemd/libudev1 @ 245.4-4ubuntu3.21
   │  ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  ├─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
   │  │  └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
   │  │  ├─ libidn2/libidn2-0 @ 2.2.0-2
   │  │  │  └─ libunistring/libunistring2 @ 0.9.10-2
   │  │  ├─ libtasn1-6 @ 4.16.0-2
   │  │  ├─ libunistring/libunistring2 @ 0.9.10-2
   │  │  ├─ nettle/libhogweed5 @ 3.5.1+really3.5.1-2ubuntu0.2
   │  │  │  └─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
   │  │  ├─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
   │  │  └─ p11-kit/libp11-kit0 @ 0.23.20-1ubuntu0.1
   │  │     └─ libffi/libffi7 @ 3.3-4
   │  ├─ libseccomp/libseccomp2 @ 2.5.1-1ubuntu1~20.04.2
   │  ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   │  └─ ubuntu-keyring @ 2020.02.11.4
   ├─ apt/libapt-pkg6.0 @ 2.0.9
   ├─ attr/libattr1 @ 1:2.4.48-5
   ├─ base-files @ 11ubuntu5.7
   │  └─ mawk @ 1.3.4.20200120-2
   ├─ base-passwd @ 3.5.47
   │  └─ cdebconf/libdebconfclient0 @ 0.251ubuntu1
   ├─ bash @ 5.0-6ubuntu1.2
   │  ├─ base-files @ 11ubuntu5.7
   │  └─ debianutils @ 4.9.1
   ├─ binutils @ 2.34-6ubuntu1.5
   │  ├─ binutils/binutils-common @ 2.34-6ubuntu1.5
   │  ├─ binutils/binutils-x86-64-linux-gnu @ 2.34-6ubuntu1.5
   │  │  ├─ binutils/binutils-common @ 2.34-6ubuntu1.5
   │  │  ├─ binutils/libbinutils @ 2.34-6ubuntu1.5
   │  │  ├─ binutils/libctf-nobfd0 @ 2.34-6ubuntu1.5
   │  │  ├─ binutils/libctf0 @ 2.34-6ubuntu1.5
   │  │  │  └─ binutils/libbinutils @ 2.34-6ubuntu1.5
   │  │  └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  └─ binutils/libbinutils @ 2.34-6ubuntu1.5
   │     └─ binutils/binutils-common @ 2.34-6ubuntu1.5
   ├─ binutils/binutils-common @ 2.34-6ubuntu1.5
   ├─ binutils/binutils-x86-64-linux-gnu @ 2.34-6ubuntu1.5
   ├─ binutils/libbinutils @ 2.34-6ubuntu1.5
   ├─ binutils/libctf-nobfd0 @ 2.34-6ubuntu1.5
   ├─ binutils/libctf0 @ 2.34-6ubuntu1.5
   ├─ build-essential @ 12.8ubuntu1.1
   │  ├─ dpkg/dpkg-dev @ 1.19.7ubuntu3.2
   │  │  ├─ binutils @ 2.34-6ubuntu1.5
   │  │  ├─ bzip2 @ 1.0.8-2
   │  │  ├─ dpkg/libdpkg-perl @ 1.19.7ubuntu3.2
   │  │  ├─ make-dfsg/make @ 4.2.1-1.2
   │  │  ├─ patch @ 2.7.6-6
   │  │  └─ xz-utils @ 5.2.4-1ubuntu1.1
   │  ├─ gcc-defaults/g++ @ 4:9.3.0-1ubuntu2
   │  │  ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │  ├─ gcc-9/g++-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ gcc-9/libstdc++-9-dev @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │  ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │  ├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │  └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
   │  │  │  ├─ isl/libisl22 @ 0.22.1-1
   │  │  │  ├─ mpclib3/libmpc3 @ 1.1.0-1
   │  │  │  └─ mpfr4/libmpfr6 @ 4.0.2-1
   │  │  ├─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
   │  │  └─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
   │  ├─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
   │  │  ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ binutils @ 2.34-6ubuntu1.5
   │  │  │  ├─ gcc-10/libcc1-0 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  │  │  ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  │  │  ├─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │  ├─ gcc-10/libatomic1 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/libgomp1 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/libitm1 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/liblsan0 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/libquadmath0 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/libtsan0 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-10/libubsan1 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  │  └─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   │  │  │  │  ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │  └─ gcc-9/libasan5 @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  │     └─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │  │  ├─ isl/libisl22 @ 0.22.1-1
   │  │  │  ├─ mpclib3/libmpc3 @ 1.1.0-1
   │  │  │  └─ mpfr4/libmpfr6 @ 4.0.2-1
   │  │  └─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
   │  │     └─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
   │  │        ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   │  │        ├─ isl/libisl22 @ 0.22.1-1
   │  │        ├─ mpclib3/libmpc3 @ 1.1.0-1
   │  │        │  └─ mpfr4/libmpfr6 @ 4.0.2-1
   │  │        └─ mpfr4/libmpfr6 @ 4.0.2-1
   │  ├─ glibc/libc6-dev @ 2.31-0ubuntu9.9
   │  │  ├─ glibc/libc-dev-bin @ 2.31-0ubuntu9.9
   │  │  ├─ libxcrypt/libcrypt-dev @ 1:4.4.10-10ubuntu4
   │  │  └─ linux/linux-libc-dev @ 5.4.0-150.167
   │  └─ make-dfsg/make @ 4.2.1-1.2
   ├─ bzip2 @ 1.0.8-2
   ├─ cdebconf/libdebconfclient0 @ 0.251ubuntu1
   ├─ coreutils @ 8.30-3ubuntu2
   │  └─ attr/libattr1 @ 1:2.4.48-5
   ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-2ubuntu0.1
   ├─ cyrus-sasl2/libsasl2-modules @ 2.1.27+dfsg-2ubuntu0.1
   │  └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
   ├─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-2ubuntu0.1
   ├─ dash @ 0.5.10.2-6
   │  └─ debianutils @ 4.9.1
   ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
   ├─ debianutils @ 4.9.1
   ├─ diffutils @ 1:3.7-3
   ├─ dpkg/dpkg-dev @ 1.19.7ubuntu3.2
   ├─ dpkg/libdpkg-perl @ 1.19.7ubuntu3.2
   ├─ e2fsprogs @ 1.45.5-2ubuntu1.1
   │  ├─ e2fsprogs/libext2fs2 @ 1.45.5-2ubuntu1.1
   │  ├─ e2fsprogs/libss2 @ 1.45.5-2ubuntu1.1
   │  ├─ e2fsprogs/logsave @ 1.45.5-2ubuntu1.1
   │  ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   │  └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
   ├─ e2fsprogs/libext2fs2 @ 1.45.5-2ubuntu1.1
   ├─ e2fsprogs/libss2 @ 1.45.5-2ubuntu1.1
   ├─ e2fsprogs/logsave @ 1.45.5-2ubuntu1.1
   ├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
   │  ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
   │  └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
   ├─ fakeroot @ 1.24-1
   │  └─ fakeroot/libfakeroot @ 1.24-1
   ├─ fakeroot/libfakeroot @ 1.24-1
   ├─ file @ 1:5.38-4
   │  └─ file/libmagic1 @ 1:5.38-4
   │     └─ file/libmagic-mgc @ 1:5.38-4
   ├─ file/libmagic-mgc @ 1:5.38-4
   ├─ file/libmagic1 @ 1:5.38-4
   ├─ findutils @ 4.7.0-1ubuntu1
   ├─ gcc-10/libatomic1 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libcc1-0 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libgomp1 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libitm1 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/liblsan0 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libquadmath0 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libstdc++6 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libtsan0 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-10/libubsan1 @ 10.3.0-1ubuntu1~20.04
   ├─ gcc-9 @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/cpp-9 @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/g++-9 @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/gcc-9-base @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/libasan5 @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/libgcc-9-dev @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-9/libstdc++-9-dev @ 9.4.0-1ubuntu1~20.04.1
   ├─ gcc-defaults/cpp @ 4:9.3.0-1ubuntu2
   ├─ gcc-defaults/g++ @ 4:9.3.0-1ubuntu2
   ├─ gcc-defaults/gcc @ 4:9.3.0-1ubuntu2
   ├─ gdbm/libgdbm-compat4 @ 1.18.1-5
   ├─ gdbm/libgdbm6 @ 1.18.1-5
   ├─ glibc/libc-bin @ 2.31-0ubuntu9.9
   ├─ glibc/libc-dev-bin @ 2.31-0ubuntu9.9
   ├─ glibc/libc6-dev @ 2.31-0ubuntu9.9
   ├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
   │  ├─ adduser @ 3.118ubuntu2
   │  ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  └─ readline/libreadline8 @ 8.0-4
   │  ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
   │  ├─ init-system-helpers @ 1.57
   │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
   │  ├─ lsb/lsb-base @ 11.1.0ubuntu2
   │  ├─ npth/libnpth0 @ 1.6-1
   │  └─ openldap/libldap-2.4-2 @ 2.4.49+dfsg-2ubuntu1.9
   │     ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-2ubuntu0.1
   │     │  └─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-2ubuntu0.1
   │     │     └─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
   │     ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
   │     ├─ heimdal/libgssapi3-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  └─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  ├─ heimdal/libheimntlm0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  ├─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  ├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  ├─ heimdal/libhx509-5-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  │  ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  │  ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  │  ├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  │  └─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  ├─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  │  │  └─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
   │     │  │  └─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     │  └─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │     └─ openldap/libldap-common @ 2.4.49+dfsg-2ubuntu1.9
   ├─ gnupg2/gnupg @ 2.2.19-3ubuntu2.2
   │  ├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
   │  ├─ gnupg2/gnupg-l10n @ 2.2.19-3ubuntu2.2
   │  ├─ gnupg2/gnupg-utils @ 2.2.19-3ubuntu2.2
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
   │  │  └─ readline/libreadline8 @ 8.0-4
   │  ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  ├─ readline/libreadline8 @ 8.0-4
   │  │  └─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
   │  ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
   │  │  ├─ init-system-helpers @ 1.57
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  ├─ npth/libnpth0 @ 1.6-1
   │  │  └─ pinentry/pinentry-curses @ 1.1.0-3build1
   │  │     ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │     └─ ncurses/libncursesw6 @ 6.2-0ubuntu2
   │  ├─ gnupg2/gpg-wks-client @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/dirmngr @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  ├─ gnupg2/gpg-wks-server @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
   │  │  └─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  ├─ gnupg2/gpgsm @ 2.2.19-3ubuntu2.2
   │  │  ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
   │  │  ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   │  │  ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   │  │  ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
   │  │  └─ readline/libreadline8 @ 8.0-4
   │  └─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gnupg-l10n @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gnupg-utils @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpg @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpg-agent @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpg-wks-client @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpg-wks-server @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpgconf @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpgsm @ 2.2.19-3ubuntu2.2
   ├─ gnupg2/gpgv @ 2.2.19-3ubuntu2.2
   ├─ gnutls28/libgnutls30 @ 3.6.13-2ubuntu1.8
   ├─ grep @ 3.4-1
   │  └─ pcre3/libpcre3 @ 2:8.39-12ubuntu0.1
   ├─ gzip @ 1.10-0ubuntu4.1
   ├─ heimdal/libasn1-8-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libgssapi3-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libhcrypto4-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libheimbase1-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libheimntlm0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libhx509-5-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libkrb5-26-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ heimdal/libwind0-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   ├─ hostname @ 3.23
   ├─ init-system-helpers @ 1.57
   ├─ isl/libisl22 @ 0.22.1-1
   ├─ libalgorithm-diff-perl @ 1.19.03-2
   │  └─ perl @ 5.30.0-9ubuntu0.4
   │     ├─ perl/libperl5.30 @ 5.30.0-9ubuntu0.4
   │     │  ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
   │     │  ├─ gdbm/libgdbm-compat4 @ 1.18.1-5
   │     │  │  └─ gdbm/libgdbm6 @ 1.18.1-5
   │     │  ├─ gdbm/libgdbm6 @ 1.18.1-5
   │     │  └─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
   │     └─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
   ├─ libalgorithm-diff-xs-perl @ 0.04-6
   │  ├─ libalgorithm-diff-perl @ 1.19.03-2
   │  └─ perl @ 5.30.0-9ubuntu0.4
   ├─ libalgorithm-merge-perl @ 0.08-3
   │  ├─ libalgorithm-diff-perl @ 1.19.03-2
   │  └─ perl @ 5.30.0-9ubuntu0.4
   ├─ libassuan/libassuan0 @ 2.5.3-7ubuntu2
   ├─ libffi/libffi7 @ 3.3-4
   ├─ libfile-fcntllock-perl @ 0.22-3build4
   │  └─ perl @ 5.30.0-9ubuntu0.4
   ├─ libgcrypt20 @ 1.8.5-5ubuntu1.1
   ├─ libidn2/libidn2-0 @ 2.2.0-2
   ├─ libksba/libksba8 @ 1.3.5-2ubuntu0.20.04.2
   ├─ liblocale-gettext-perl @ 1.07-4
   ├─ libseccomp/libseccomp2 @ 2.5.1-1ubuntu1~20.04.2
   ├─ libsemanage/libsemanage-common @ 3.0-1build2
   ├─ libsemanage/libsemanage1 @ 3.0-1build2
   ├─ libsepol/libsepol1 @ 3.0-1ubuntu0.1
   ├─ libtasn1-6 @ 4.16.0-2
   ├─ libunistring/libunistring2 @ 0.9.10-2
   ├─ libxcrypt/libcrypt-dev @ 1:4.4.10-10ubuntu4
   ├─ linux/linux-libc-dev @ 5.4.0-150.167
   ├─ lsb/lsb-base @ 11.1.0ubuntu2
   ├─ lz4/liblz4-1 @ 1.9.2-2ubuntu0.20.04.1
   ├─ make-dfsg/make @ 4.2.1-1.2
   ├─ manpages @ 5.05-1
   ├─ manpages/manpages-dev @ 5.05-1
   │  └─ manpages @ 5.05-1
   ├─ mawk @ 1.3.4.20200120-2
   ├─ meta-common-packages @ meta
   │  ├─ acl/libacl1 @ 2.2.53-6
   │  ├─ audit/libaudit-common @ 1:2.8.5-2ubuntu6
   │  ├─ audit/libaudit1 @ 1:2.8.5-2ubuntu6
   │  ├─ bzip2/libbz2-1.0 @ 1.0.8-2
   │  ├─ debconf @ 1.5.73
   │  ├─ dpkg @ 1.19.7ubuntu3.2
   │  ├─ e2fsprogs/libcom-err2 @ 1.45.5-2ubuntu1.1
   │  ├─ gcc-10/gcc-10-base @ 10.3.0-1ubuntu1~20.04
   │  ├─ gcc-10/libgcc-s1 @ 10.3.0-1ubuntu1~20.04
   │  ├─ glibc/libc6 @ 2.31-0ubuntu9.9
   │  ├─ gmp/libgmp10 @ 2:6.2.0+dfsg-4ubuntu0.1
   │  ├─ heimdal/libroken18-heimdal @ 7.7.0+dfsg-1ubuntu1.4
   │  ├─ libcap-ng/libcap-ng0 @ 0.7.9-2.1build1
   │  ├─ libgpg-error/libgpg-error0 @ 1.37-1
   │  ├─ libselinux/libselinux1 @ 3.0-1build2
   │  ├─ libxcrypt/libcrypt1 @ 1:4.4.10-10ubuntu4
   │  ├─ libzstd/libzstd1 @ 1.4.4+dfsg-3ubuntu0.1
   │  ├─ ncurses/libtinfo6 @ 6.2-0ubuntu2
   │  ├─ pcre2/libpcre2-8-0 @ 10.34-7ubuntu0.1
   │  ├─ perl/perl-base @ 5.30.0-9ubuntu0.4
   │  ├─ tar @ 1.30+dfsg-7ubuntu0.20.04.3
   │  ├─ xz-utils/liblzma5 @ 5.2.4-1ubuntu1.1
   │  └─ zlib/zlib1g @ 1:1.2.11.dfsg-2ubuntu1.5
   ├─ mpclib3/libmpc3 @ 1.1.0-1
   ├─ mpfr4/libmpfr6 @ 4.0.2-1
   ├─ ncurses/libncurses6 @ 6.2-0ubuntu2
   ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
   ├─ ncurses/ncurses-base @ 6.2-0ubuntu2
   ├─ ncurses/ncurses-bin @ 6.2-0ubuntu2
   ├─ netbase @ 6.1
   ├─ nettle/libhogweed5 @ 3.5.1+really3.5.1-2ubuntu0.2
   ├─ nettle/libnettle7 @ 3.5.1+really3.5.1-2ubuntu0.2
   ├─ npth/libnpth0 @ 1.6-1
   ├─ openldap/libldap-2.4-2 @ 2.4.49+dfsg-2ubuntu1.9
   ├─ openldap/libldap-common @ 2.4.49+dfsg-2ubuntu1.9
   ├─ p11-kit/libp11-kit0 @ 0.23.20-1ubuntu0.1
   ├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
   ├─ pam/libpam-modules-bin @ 1.3.1-5ubuntu4.6
   ├─ pam/libpam-runtime @ 1.3.1-5ubuntu4.6
   │  └─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
   ├─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   ├─ patch @ 2.7.6-6
   ├─ pcre3/libpcre3 @ 2:8.39-12ubuntu0.1
   ├─ perl @ 5.30.0-9ubuntu0.4
   ├─ perl/libperl5.30 @ 5.30.0-9ubuntu0.4
   ├─ perl/perl-modules-5.30 @ 5.30.0-9ubuntu0.4
   ├─ pinentry/pinentry-curses @ 1.1.0-3build1
   ├─ procps @ 2:3.3.16-1ubuntu2.3
   │  ├─ init-system-helpers @ 1.57
   │  ├─ lsb/lsb-base @ 11.1.0ubuntu2
   │  ├─ ncurses/libncurses6 @ 6.2-0ubuntu2
   │  ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
   │  └─ procps/libprocps8 @ 2:3.3.16-1ubuntu2.3
   ├─ procps/libprocps8 @ 2:3.3.16-1ubuntu2.3
   │  └─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   ├─ python-pip/python3-pip @ 20.0.2-5ubuntu1.8
   │  ├─ ca-certificates @ 20230311ubuntu0.20.04.1
   │  │  └─ openssl @ 1.1.1f-1ubuntu2.19
   │  │     └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
   │  ├─ python-pip/python-pip-whl @ 20.0.2-5ubuntu1.8
   │  │  └─ ca-certificates @ 20230311ubuntu0.20.04.1
   │  ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
   │  │  └─ python3-stdlib-extensions/python3-lib2to3 @ 3.8.10-0ubuntu1~20.04
   │  ├─ setuptools/python3-setuptools @ 45.2.0-1ubuntu0.1
   │  │  ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
   │  │  └─ setuptools/python3-pkg-resources @ 45.2.0-1ubuntu0.1
   │  └─ wheel/python3-wheel @ 0.34.2-1ubuntu0.1
   ├─ python3-defaults/libpython3-dev @ 3.8.2-0ubuntu2
   │  └─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
   │     ├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
   │     ├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
   │     │  ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
   │     │  └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
   │     └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
   ├─ python3-defaults/libpython3-stdlib @ 3.8.2-0ubuntu2
   │  └─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
   ├─ python3-defaults/python3 @ 3.8.2-0ubuntu2
   │  ├─ python3-defaults/libpython3-stdlib @ 3.8.2-0ubuntu2
   │  ├─ python3-defaults/python3-minimal @ 3.8.2-0ubuntu2
   │  │  └─ python3.8/python3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
   │  └─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
   ├─ python3-defaults/python3-dev @ 3.8.2-0ubuntu2
   │  ├─ python3-defaults/libpython3-dev @ 3.8.2-0ubuntu2
   │  ├─ python3-defaults/python3 @ 3.8.2-0ubuntu2
   │  ├─ python3-stdlib-extensions/python3-distutils @ 3.8.10-0ubuntu1~20.04
   │  └─ python3.8/python3.8-dev @ 3.8.10-0ubuntu1~20.04.8
   │     ├─ expat/libexpat1-dev @ 2.2.9-1ubuntu0.6
   │     ├─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
   │     ├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
   │     ├─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
   │     └─ zlib/zlib1g-dev @ 1:1.2.11.dfsg-2ubuntu1.5
   │        └─ glibc/libc6-dev @ 2.31-0ubuntu9.9
   ├─ python3-defaults/python3-minimal @ 3.8.2-0ubuntu2
   ├─ python3.8 @ 3.8.10-0ubuntu1~20.04.8
   │  ├─ mime-support @ 3.64ubuntu1
   │  ├─ python3.8/libpython3.8-stdlib @ 3.8.10-0ubuntu1~20.04.8
   │  │  ├─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.6ubuntu2
   │  │  ├─ libffi/libffi7 @ 3.3-4
   │  │  ├─ mime-support @ 3.64ubuntu1
   │  │  ├─ mpdecimal/libmpdec2 @ 2.4.2-3
   │  │  ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
   │  │  ├─ python3.8/libpython3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
   │  │  ├─ readline/libreadline8 @ 8.0-4
   │  │  │  └─ readline/readline-common @ 8.0-4
   │  │  ├─ sqlite3/libsqlite3-0 @ 3.31.1-4ubuntu0.5
   │  │  └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
   │  └─ python3.8/python3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
   │     ├─ expat/libexpat1 @ 2.2.9-1ubuntu0.6
   │     └─ python3.8/libpython3.8-minimal @ 3.8.10-0ubuntu1~20.04.8
   │        └─ openssl/libssl1.1 @ 1.1.1f-1ubuntu2.19
   ├─ python3.8/libpython3.8 @ 3.8.10-0ubuntu1~20.04.8
   ├─ python3.8/libpython3.8-dev @ 3.8.10-0ubuntu1~20.04.8
   ├─ python3.8/python3.8-dev @ 3.8.10-0ubuntu1~20.04.8
   ├─ sed @ 4.7-1
   ├─ sensible-utils @ 0.0.12+nmu1
   ├─ shadow/login @ 1:4.8.1-1ubuntu5.20.04.4
   │  ├─ pam/libpam-modules @ 1.3.1-5ubuntu4.6
   │  ├─ pam/libpam-runtime @ 1.3.1-5ubuntu4.6
   │  └─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   ├─ shadow/passwd @ 1:4.8.1-1ubuntu5.20.04.4
   ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   ├─ systemd/libudev1 @ 245.4-4ubuntu3.21
   ├─ sysvinit/sysvinit-utils @ 2.96-2.1ubuntu1
   │  ├─ init-system-helpers @ 1.57
   │  ├─ lsb/lsb-base @ 11.1.0ubuntu2
   │  └─ util-linux @ 2.34-0.1ubuntu9.3
   ├─ ubuntu-keyring @ 2020.02.11.4
   ├─ util-linux @ 2.34-0.1ubuntu9.3
   ├─ util-linux/bsdutils @ 1:2.34-0.1ubuntu9.3
   │  └─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   ├─ util-linux/fdisk @ 2.34-0.1ubuntu9.3
   │  ├─ ncurses/libncursesw6 @ 6.2-0ubuntu2
   │  ├─ util-linux/libfdisk1 @ 2.34-0.1ubuntu9.3
   │  │  ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   │  │  └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
   │  ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
   │  │  └─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   │  └─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/libfdisk1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
   ├─ util-linux/mount @ 2.34-0.1ubuntu9.3
   │  ├─ util-linux @ 2.34-0.1ubuntu9.3
   │  │  ├─ pam/libpam0g @ 1.3.1-5ubuntu4.6
   │  │  ├─ shadow/login @ 1:4.8.1-1ubuntu5.20.04.4
   │  │  ├─ systemd/libsystemd0 @ 245.4-4ubuntu3.21
   │  │  ├─ systemd/libudev1 @ 245.4-4ubuntu3.21
   │  │  ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   │  │  ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
   │  │  ├─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
   │  │  └─ util-linux/libuuid1 @ 2.34-0.1ubuntu9.3
   │  ├─ util-linux/libblkid1 @ 2.34-0.1ubuntu9.3
   │  ├─ util-linux/libmount1 @ 2.34-0.1ubuntu9.3
   │  └─ util-linux/libsmartcols1 @ 2.34-0.1ubuntu9.3
   ├─ xz-utils @ 5.2.4-1ubuntu1.1
   └─ zlib/zlib1g-dev @ 1:1.2.11.dfsg-2ubuntu1.5
Enter fullscreen mode Exit fullscreen mode

Can you ensure that none of these dependencies will introduce vulnerabilities into your software?

Dependency and vulnerability scanning

Tools for dependency and vulnerability scanning have existed for quite some time, including open-source and premium options. For instance, GitHub’s Dependabot conducts regular vulnerability checks and suggests safer updates automatically. Similarly, WhiteSource identifies open-source vulnerabilities in real time and offers license compliance and governance tools. Docker, realizing the importance of such features, partnered with Snyk in late 2020 to enable Docker image vulnerability scanning via the docker scan command. However, this feature was retired in favor of the new Docker Scout.

Transitioning from Scanning to Scouting

Before diving into Docker’s latest offering, it’s worth revisiting the previously introduced feature to understand how it has evolved. The feature in question relies on Snyk, a cybersecurity firm based in Boston that has developed its security platform. Snyk’s vulnerability database is continually updated with data from various sources, including the National Vulnerability Database (NVD) and the company’s research.
Using this feature requires Docker’s consent to utilize Snyk. The first time you trigger the docker scan command, you will be asked to grant that consent.

$ docker scan
Docker Scan relies upon access to Snyk, a third party provider, do you consent to proceed using Snyk? (y/N)
Enter fullscreen mode Exit fullscreen mode

Once consent is given, Docker will download the Snyk image onto your machine, which is then executed during the Docker scan process.

gtrekter@vm-uks-01:~$ sudo docker image ls -a
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
gtrekter/training   1.0       76b54e901ebd   3 hours ago    585MB
nginx               <none>    f9c14fe76d50   2 weeks ago    143MB
snyk/snyk           <none>    4db3fcadc7e4   6 months ago   213MB
Enter fullscreen mode Exit fullscreen mode

However, because this image requires a Snyk API token stored in an environment variable called SNYK_TOKEN, you must log into Docker Hub first.

$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xxxxxxx
Password: 

Login Succeeded
Enter fullscreen mode Exit fullscreen mode

Afterward, you can initiate the scan, and Docker will execute a new container using the Snyk image, passing an environment variable called SNYK_DOCKER_TOKEN for Snyk’s use.

Image description

The output is the streamlined results provided by Snyk.

$ sudo docker scan gtrekter/training:1.0

Testing gtrekter/training:1.0...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: CVE-2023-26604
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-SYSTEMD-3339226
  Introduced through: systemd/libsystemd0@245.4-4ubuntu3.21, apt@2.0.9, procps/libprocps8@2:3.3.16-1ubuntu2.3, util-linux/bsdutils@1:2.34-0.1ubuntu9.3, util-linux/mount@2.34-0.1ubuntu9.3, systemd/libudev1@245.4-4ubuntu3.21
  From: systemd/libsystemd0@245.4-4ubuntu3.21
  From: apt@2.0.9 > systemd/libsystemd0@245.4-4ubuntu3.21
  From: procps/libprocps8@2:3.3.16-1ubuntu2.3 > systemd/libsystemd0@245.4-4ubuntu3.21
  and 6 more...
  Image layer: Introduced by your base image (ubuntu:20.04)

✗ Medium severity vulnerability found in gcc-defaults/cpp
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GCCDEFAULTS-584255
  Introduced through: gcc-defaults/cpp@4:9.3.0-1ubuntu2, build-essential@12.8ubuntu1.1, gcc-defaults/gcc@4:9.3.0-1ubuntu2, gcc-defaults/g++@4:9.3.0-1ubuntu2
  From: gcc-defaults/cpp@4:9.3.0-1ubuntu2
  From: build-essential@12.8ubuntu1.1 > gcc-defaults/g++@4:9.3.0-1ubuntu2 > gcc-defaults/cpp@4:9.3.0-1ubuntu2
  From: build-essential@12.8ubuntu1.1 > gcc-defaults/gcc@4:9.3.0-1ubuntu2 > gcc-defaults/cpp@4:9.3.0-1ubuntu2
  and 5 more...
  Image layer: Introduced by your base image (ubuntu:20.04)

✗ Medium severity vulnerability found in gcc-9
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2004-GCC9-584247
  Introduced through: gcc-9@9.4.0-1ubuntu1~20.04.1, build-essential@12.8ubuntu1.1, gcc-9/gcc-9-base@9.4.0-1ubuntu1~20.04.1, gcc-9/libgcc-9-dev@9.4.0-1ubuntu1~20.04.1, gcc-9/libstdc++-9-dev@9.4.0-1ubuntu1~20.04.1, gcc-9/g++-9@9.4.0-1ubuntu1~20.04.1, gcc-9/cpp-9@9.4.0-1ubuntu1~20.04.1, gcc-9/libasan5@9.4.0-1ubuntu1~20.04.1
  From: gcc-9@9.4.0-1ubuntu1~20.04.1
  From: build-essential@12.8ubuntu1.1 > gcc-defaults/g++@4:9.3.0-1ubuntu2 > gcc-9@9.4.0-1ubuntu1~20.04.1
  From: build-essential@12.8ubuntu1.1 > gcc-defaults/gcc@4:9.3.0-1ubuntu2 > gcc-9@9.4.0-1ubuntu1~20.04.1
  and 20 more...
  Image layer: Introduced by your base image (ubuntu:20.04)

Package manager:   deb
Project name:      docker-image|gtrekter/training
Docker image:      gtrekter/training:1.0
Platform:          linux/amd64
Base image:        ubuntu:20.04

Tested 206 dependencies for known vulnerabilities, found 3 vulnerabilities.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVc
Enter fullscreen mode Exit fullscreen mode

However, a significant drawback was tied to the licensing. The collaboration with Snyk limited the feature to just 100 scans per month, unless the user had a premium account. This limitation likely contributed to Docker’s decision to create its own proprietary Vulnerability Database, leading to the introduction of Docker Scout in version 4.17.0 (released on February 27, 2023), and the subsequent retirement of the Docker scan feature.

Docker Scout

Unlike its predecessor, docker scout doesn’t use third-party software and won’t request consent or pull additional images.

Image description

At the time of this writing, Docker Scout it’s still in early access, and to be able to use it, we will need to install its plugin by executing these instructions:

$ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
$ sh install-scout.sh
Enter fullscreen mode Exit fullscreen mode

If we inspect the shell script, we will see that it will download a zip file according to the OS and architecture from the docker official GitHub repository.

PROJECT_NAME="docker-scout"
OWNER=docker
REPO="scout-cli"
GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${REPO}
....
version=$(tag_to_version "${tag}")
os=$(uname_os)
arch=$(uname_arch)
format=$(get_format_name "${os}" "${arch}" "tar.gz")
binary=$(get_binary_name "${os}" "${arch}" "${BINARY}")
download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}"
...
download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"
Enter fullscreen mode Exit fullscreen mode

Once we have installed the plugin, we can run the command CVEs to scan and output all vulnerabilities in the image.

gtrekter@vm-uks-01:~$ docker scout cves gtrekter/training:1.0
    ✓ Pulled
    ✓ SBOM of image already cached, 276 packages indexed
    ✗ Detected 9 vulnerable packages with a total of 10 vulnerabilities

   0C     1H     0M     0L  wheel 0.34.2
pkg:pypi/wheel@0.34.2

    ✗ HIGH CVE-2022-40898
      https://dso.docker.com/cve/CVE-2022-40898
      Affected range : <=0.37.1                                      
      Fixed version  : 0.38.1                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     1H     0M     0L  flask 1.1.2
pkg:pypi/flask@1.1.2

    ✗ HIGH CVE-2023-30861 [Use of Persistent Cookies Containing Sensitive Information]
      https://dso.docker.com/cve/CVE-2023-30861
      Affected range : <2.2.5                                        
      Fixed version  : 2.2.5                                         
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

   0C     0H     1M     0L  setuptools 45.2.0
pkg:pypi/setuptools@45.2.0

    ✗ MEDIUM CVE-2022-40897
      https://dso.docker.com/cve/CVE-2022-40897
      Affected range : <65.5.1                                       
      Fixed version  : 65.5.1                                        
      CVSS Score     : 5.9                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     0H     1M     0L  pip 20.0.2
pkg:pypi/pip@20.0.2

    ✗ MEDIUM CVE-2021-3572
      https://dso.docker.com/cve/CVE-2021-3572
      Affected range : <21.1                                         
      Fixed version  : 21.1                                          
      CVSS Score     : 5.7                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

   0C     0H     1M     0L  python3.8 3.8.10-0ubuntu1~20.04.8
pkg:deb/ubuntu/python3.8@3.8.10-0ubuntu1~20.04.8?os_distro=focal&os_name=ubuntu&os_version=20.04

    ✗ MEDIUM CVE-2023-27043 [Improper Input Validation]
      https://dso.docker.com/cve/CVE-2023-27043
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 5.3                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

   0C     0H     1M     0L  numpy 1.19.2
pkg:pypi/numpy@1.19.2

    ✗ MEDIUM CVE-2021-34141 [Incorrect Comparison]
      https://dso.docker.com/cve/CVE-2021-34141
      Affected range : <1.22                                         
      Fixed version  : 1.22                                          
      CVSS Score     : 5.3                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

   0C     0H     0M     2L  shadow 1:4.8.1-1ubuntu5.20.04.4
pkg:deb/ubuntu/shadow@1:4.8.1-1ubuntu5.20.04.4?os_distro=focal&os_name=ubuntu&os_version=20.04

    ✗ LOW CVE-2013-4235 [Time-of-check Time-of-use (TOCTOU) Race Condition]
      https://dso.docker.com/cve/CVE-2013-4235
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 4.7                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N  

    ✗ LOW CVE-2023-29383 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
      https://dso.docker.com/cve/CVE-2023-29383
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 3.3                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

   0C     0H     0M     1L  pcre3 2:8.39-12ubuntu0.1
pkg:deb/ubuntu/pcre3@2:8.39-12ubuntu0.1?os_distro=focal&os_name=ubuntu&os_version=20.04

    ✗ LOW CVE-2017-11164 [Uncontrolled Recursion]
      https://dso.docker.com/cve/CVE-2017-11164
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     0H     0M     1L  glibc 2.31-0ubuntu9.9
pkg:deb/ubuntu/glibc@2.31-0ubuntu9.9?os_distro=focal&os_name=ubuntu&os_version=20.04

    ✗ LOW CVE-2016-20013 [Allocation of Resources Without Limits or Throttling]
      https://dso.docker.com/cve/CVE-2016-20013
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


10 vulnerabilities found in 9 packages
  LOW       4 
  MEDIUM    4 
  HIGH      2   
  CRITICAL  0   

What's Next?
  Know more about base image update recommendations → docker scout recommendations gtrekter/training:1.0
Enter fullscreen mode Exit fullscreen mode

In this case, the output, instead of prompting a link to the Snyk Vulnerability Database, will redirect us to the Docker Image Vulnerability Database, which will contain the following:

  • References to the National Vulnerability Database (NVD).
  • A description of the vulnerability.
  • A list of packages containing the vulnerability and links to possible exploits.
  • A list of possible remediations

Image description

Default integration with Docker Hub

By moving the feature internally and not relying on third-party software, Docker was able to develop a strong integration with Docker Hub. By activating Advanced image analysis for a specific repository, you can make Docker Scout automatically analyze the image when you push to that repository. To enable Advanced image analysis, we have to:

  • Browse and log into Docker Hub.
  • Click Repositories and select the repository you want to allow the Advanced image analysis.
  • Click Setting and select Advanced image analysis provided by Docker Scout.

Image description

  • Click Save.

From this moment, every time we push an image to this repository, Docker Scout will analyze the image and publish the results in a readable on Docker Hub. The results will be associated with the tag that triggered the scan, and an overview will be visible on the Tags page.

Image description

To see the details of each vulnerability, we can click either the tag’s name or any image details (digest, OS, vulnerability overview, last pull, or compressed size). This link will redirect us to the image details, listing all the vulnerabilities and allowing us to easily see the relationships between vulnerabilities and layers.

Image description

Wrapping Up

Docker Scout provides a unified view of the software supply chain, significantly enhancing visibility and control over security. With its unique ability to break down dependencies layer-by-layer, it not only identifies potential vulnerabilities but also recommends remediations. This integrated approach streamlines the process of maintaining security in the intricate web of dependencies within containerized applications.

Moreover, the future looks even more promising. After a quick chat with the Docker product designer, it has been revealed that Docker Scout will soon allow organizations to create custom policies to evaluate artifacts in your SDLC against your own set of standards. This forthcoming feature promises to add another layer of personalization and security, further strengthening Docker Scout’s position as a crucial tool in software supply chain management.

References

Top comments (0)