{"id":259746,"date":"2021-05-26T21:00:54","date_gmt":"2021-05-26T18:00:54","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-docker-scan-to-find-vulnerabilities-in-your-images-cloudsavvy-it\/"},"modified":"2021-05-26T21:00:54","modified_gmt":"2021-05-26T18:00:54","slug":"how-to-use-docker-scan-to-find-vulnerabilities-in-your-images-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-docker-scan-to-find-vulnerabilities-in-your-images-cloudsavvy-it\/","title":{"rendered":"#How to Use Docker Scan to Find Vulnerabilities in Your Images \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Use Docker Scan to Find Vulnerabilities in Your Images \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-9034\" 
data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/01\/6dc7b5a0.jpeg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1602\" height=\"902\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Docker now ships with built-in security scanning support. You can locally scan your container images to identify possible vulnerabilities. This accelerates the development cycle by providing more immediate feedback compared to CI pipelines and cloud services.<\/p>\n<p>The <code>scan<\/code> command is available by default in Docker version 20.10. Docker is partnered with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/snyk.io\">Snyk<\/a> to bring security scans to its CLI. A one-time consent prompt will appear the first time that you run the command. 
Type \u201cy\u201d and press enter to confirm the Snyk integration.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11182\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/f59b4457.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"936\" height=\"131\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>In addition to consenting to Snyk, container scanning also requires a Docker Hub login. Run <code>docker login<\/code> to supply your username and password before you start scanning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11181\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/96dd7594.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"624\" height=\"165\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Try running <code>docker scan --version<\/code> to check your installation. You\u2019ll see the version number of the <code>scan<\/code> plugin. The output also names the security scanning provider that\u00a0<code>scan<\/code> will use (currently Snyk). Additional providers could be added in the future.<\/p>\n<h2 id=\"how-scans-work\"><span class=\"ez-toc-section\" id=\"How_Scans_Work\"><\/span>How Scans Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/engine\/scan\"><code>docker scan<\/code> accepts<\/a> an image name as a parameter. 
It will scan the image against the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/snyk.io\/product\/container-vulnerability-management\">Snyk database<\/a> of container vulnerabilities. The issues covered range from outdated base images to known vulnerabilities in the open-source software libraries that you\u2019re using.<\/p>\n<p>Snyk can show you the <code>Dockerfile<\/code> line that introduces a vulnerability. This gives you an immediate starting point as you resolve each issue. The results will show up right in your terminal after the scan completes.<\/p>\n<p>The Snyk database is continually updated with new vulnerabilities. Don\u2019t assume that an image that passes a scan once will always get the same result in the future. It\u2019s a good practice to regularly scan images so that your workloads stay secure.<\/p>\n<h2 id=\"scanning-an-image\"><span class=\"ez-toc-section\" id=\"Scanning_an_Image\"><\/span>Scanning an Image<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The simplest way to scan an image is to pass a tag to <code>docker scan<\/code>:<\/p>\n<pre>docker scan hello-world:latest<\/pre>\n<p>The scan might take a few seconds to complete. Larger images will need more time. The results will be shown in your terminal once they\u2019re available. Example output from a successful scan is shown above.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11180\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/e84a0bf6.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"964\" height=\"543\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>While getting the all-clear might be comforting, the <code>docker scan<\/code> output is much more interesting when vulnerabilities are detected. 
Here\u2019s a scan that found some issues.<\/p>\n<p>Each issue has a brief description, an indication of its severity, and a link to get more information on the Snyk website.<\/p>\n<h2 id=\"more-advanced-scans\"><span class=\"ez-toc-section\" id=\"More_Advanced_Scans\"><\/span>More Advanced Scans<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><code>docker scan<\/code> has much more functionality than the basic example above. You can customize the scan\u2019s behavior using several flags.<\/p>\n<p>Arguably, the most useful flag is <code>--file<\/code>. This takes the path to the image\u2019s <code>Dockerfile<\/code>. When you provide Snyk with a Dockerfile, it can perform a more detailed analysis based on its contents. Some scanning features, such as outdated base image detection, are only available when you supply your image\u2019s <code>Dockerfile<\/code>.<\/p>\n<pre>docker scan hello-world:latest --file Dockerfile<\/pre>\n<p>This will produce output similar to the following:<\/p>\n<pre>Tested 100 dependencies for known issues, found 50 issues.\n\nAccording to our scan, you are currently using the most secure version of the selected base image.<\/pre>\n<p>The last line will indicate whether your base image\u2014the <code>FROM<\/code> instruction in your <code>Dockerfile<\/code>\u2014is secure. Alternative tag suggestions will be displayed if the image is outdated or contains vulnerabilities that have since been resolved.<\/p>\n<p>Sometimes, you might want to run a scan that ignores vulnerabilities in your base image. Pass the <code>--exclude-base<\/code> flag to achieve this. This is helpful if the base image contains many low-severity issues and there is no upgrade path available. 
Excluding the noise helps you focus on the resolvable problems within your image layers.<\/p>\n<h2 id=\"customising-scan-output\"><span class=\"ez-toc-section\" id=\"Customizing_Scan_Output\"><\/span>Customizing Scan Output<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><code>docker scan<\/code> accepts a few different formatting options. So far, we\u2019ve seen the default output. It presents issues as a human-readable list within your terminal.<\/p>\n<p>Passing the <code>--json<\/code> flag instructs the command to emit the raw JSON it receives. This is ideal when you\u2019re using <code>docker scan<\/code> programmatically in CI scripts or third-party tools. You can process the JSON yourself to extract just the information that you need.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11178\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/73ee9ce8.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"880\" height=\"514\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Another option is <code>--dependency-tree<\/code>. This will emit a tree view of your image\u2019s dependencies above the list of vulnerabilities. This can help you visualize how different packages are getting pulled in, letting you pinpoint where issues arise.<\/p>\n<p>Finally, you can use the <code>--severity<\/code> flag to filter out unwanted vulnerabilities. Use <code>low<\/code>, <code>medium<\/code>, or <code>high<\/code> to indicate the severity that you\u2019re interested in. 
The command will only report vulnerabilities rated at or above the given level.<\/p>\n<h2 id=\"limitations\"><span class=\"ez-toc-section\" id=\"Limitations\"><\/span>Limitations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><code>docker scan<\/code> currently <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/engine\/scan\/#known-issues\">lacks support<\/a> for Alpine Linux distributions. In addition, plugin version 0.7 has a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/docker\/scan-cli-plugin\/issues\/151\">serious bug<\/a> that causes local scans to fail with an \u201cimage not found\u201d error. v0.7 can only scan images that exist in Docker Hub and other public registries. The issue <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/docker\/scan-cli-plugin\/releases\/tag\/v0.8.0\">has been fixed<\/a> in v0.8, but v0.7 remains the version that\u2019s broadly distributed with Docker releases on Linux.<\/p>\n<p>Beyond technical issues, the Snyk service imposes stringent rate limits on your use of <code>docker scan<\/code>. You can perform 10 scans for free each month. If you log in with Snyk, that increases to 200 scans per month.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11179\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/ae49da4a.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"749\" height=\"432\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Run <code>docker scan --login<\/code> to get your unique login URL. Copy it into your browser and follow the prompts to authenticate yourself. You can log in using Docker Hub or several third-party providers. 
Once you\u2019re logged in, an \u201cAuthenticate\u201d button will appear. Click this to return to your terminal. You should see a \u201cSnyk is now ready to be used\u201d message.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker\u2019s built-in image scanning makes container vulnerabilities easier to discover and resolve. Any developer with access to the Docker CLI and a container image can now scan for vulnerabilities without having to push to a registry.<\/p>\n<p>Regular scans help you guard your containers against potential threats. Outdated base images and vulnerabilities in dependencies significantly impact your security posture but can easily go unnoticed. <code>docker scan<\/code> gives you greater confidence in your containers by revealing issues that you\u2019d have otherwise overlooked.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11176\/how-to-use-docker-scan-to-find-vulnerabilities-in-your-images\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Use Docker Scan to Find Vulnerabilities in Your Images \u2013 CloudSavvy IT&#8221; Docker now ships with built-in security scanning support. You can locally scan your container images to identify possible vulnerabilities. This accelerates the development cycle by providing more immediate feedback compared to CI pipelines and cloud services. 
The scan command is available&#8230;<\/p>\n","protected":false},"author":1,"featured_media":259747,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/01\/6dc7b5a0.jpeg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-259746","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/259746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=259746"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/259746\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/259747"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=259746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=259746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=259746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}