Back in October 2020, Docker launched image scanning functionality powered by Snyk. Shortly after that, in November, the feature made it into Docker Desktop as well. So what is this all about?

Log4Shell bomb

Following the recent exploit of Log4j 2.14 and older versions, many in IT have started to quickly patch up their apps and platforms that use these older versions. The same goes for Docker images.

One of the biggest concerns with Docker images is whether they are safe. There are a lot of official images maintained by the companies that make and maintain the software packed inside them, but what about all the rest? What about an image pushed out by someone who is not a verified publisher?

Knowing what is inside an image, and whether it contains any potential vulnerabilities, is crucial for the security of your own infrastructure when it hosts any app or platform via a particular Docker image.

Now, with Snyk, we all have the option of 10 free scans per month of our local Docker images, or up to 200 if we are logged in with a free Snyk account.

🗒️
NOTE: using Docker Hub vulnerability scanning is a paid option and works with Pro, Team, or Business subscription.

So how does this image scanning work?

Just like an antivirus scans your device and finds threats, the scanner inspects your source code and reports its vulnerabilities. It also reports the severity of each vulnerability and classifies it as major, minor or critical, which gives you an idea of the urgency of an issue and helps you decide on suitable action. Taking it a step further, it also provides a description of the vulnerability, the location where the vulnerability is present, and a fix for it.

With Docker engine version 2.5 and Docker 20.10, we were introduced to the docker scan command.

‼️
Versions of docker scan earlier than v0.11.0 are not able to detect Log4j 2 CVE-2021-44228. You must update your Docker Desktop installation to 4.3.1 or higher to fix this issue.

As I mentioned before, at the moment one of the biggest threats is the Log4j exploit, so if you want to run local Docker image scans, here is how to do it.

First, you will need Docker Desktop for Windows or macOS version 4.3.1 or higher (on Linux you can install the plugin with apt-get install docker-scan-plugin).

⚠️
Synology's Docker package (version 20.10.x) currently has no docker scan support.

Once you have it installed, simply download an image, or scan an existing image, by running a simple command:

docker scan <name-of-image>

An example of the output looks like this:

$ docker scan hello-world

Testing hello-world...

Organization:      docker-desktop-test
Package manager:   linux
Project name:      docker-image|hello-world
Docker image:      hello-world
Licenses:          enabled

✓ Tested 0 dependencies for known issues, no vulnerable paths found.

Note that we do not currently have vulnerability data for your image.

Another great addition is that you can scan an image together with its Dockerfile, so the scanner can tell which issues come from your base image:

docker scan --file PATH_TO_DOCKERFILE DOCKER_IMAGE

$ docker scan --file Dockerfile docker-scan:e2e

✗ High severity vulnerability found in perl
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
  Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
  From: git@1:2.20.1-2+deb10u3 > [email protected]
  From: git@1:2.20.1-2+deb10u3 > [email protected] > [email protected]
  From: git@1:2.20.1-2+deb10u3 > [email protected] > perl/[email protected]
  and 3 more...
  Introduced by your base image (golang:1.14.6)

Organization:      docker-desktop-test
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|99138c65ebc7
Docker image:      99138c65ebc7
Base image:        golang:1.14.6
Licenses:          enabled

Tested 200 dependencies for known issues, found 157 issues.

According to our scan, you are currently using the most secure version of the selected base image

Among the several flags you can use with the scan command, probably the most interesting one is --severity.

With this flag, the scan command lets you choose the minimum severity level of the vulnerabilities displayed in your output.

$ docker scan --severity=medium docker-scan:e2e
./bin/docker-scan_darwin_amd64 scan --severity=medium docker-scan:e2e

Testing docker-scan:e2e...

✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Divide By Zero
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337
  Introduced through: gnupg2/[email protected]+deb10u1, [email protected]+deb10u1, [email protected]+deb10u1
  From: gnupg2/[email protected]+deb10u1 > gnupg2/[email protected]+deb10u1 > sqlite3/[email protected]
  From: [email protected]+deb10u1 > subversion/[email protected]+deb10u1 > sqlite3/[email protected]
  From: [email protected]+deb10u1 > python-defaults/[email protected] > [email protected]+deb10u1 > python2.7/[email protected]+deb10u1 > sqlite3/[email protected]
✗ Medium severity vulnerability found in sqlite3/libsqlite3-0
  Description: Uncontrolled Recursion
...
✗ High severity vulnerability found in binutils/binutils-common
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318
  Introduced through: gcc-defaults/g++@4:8.3.0-1
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > [email protected] > [email protected] > binutils/[email protected]
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > [email protected] > [email protected] > binutils/[email protected] > binutils/[email protected]
  From: gcc-defaults/g++@4:8.3.0-1 > gcc-defaults/gcc@4:8.3.0-1 > [email protected] > [email protected] > binutils/[email protected] > binutils/[email protected]
    and 4 more...

Organization:      docker-desktop-test
Package manager:   deb
Project name:      docker-image|docker-scan
Docker image:      docker-scan:e2e
Platform:          linux/amd64
Licenses:          enabled

Tested 200 dependencies for known issues, found 37 issues.
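As an added example (not from the article, nor from Docker or Snyk): once you have saved the output of docker scan --json for an image to a file, the script below reproduces the --severity filter and also checks the findings for the Log4Shell CVE mentioned in the note above, the kind of gate you would put in a CI pipeline before publishing an image. The JSON field names follow the Snyk CLI output as I understand it, and the sample document, package names, paths and CVE-0000-* ids are constructed placeholders.

```python
import json

# Severity ladder used by Snyk / docker scan output (lowest to highest).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like `docker scan --json` output (the Snyk CLI JSON
# layout, as the author understands it). Package names, versions and the
# CVE-0000-* ids are placeholders; CVE-2021-44228 is the Log4Shell id from the article.
SAMPLE_SCAN_JSON = """{
  "dependencyCount": 2, "ok": false,
  "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "title": "Divide By Zero", "severity": "medium",
     "packageName": "sqlite3/libsqlite3-0", "version": "3.27.2-3",
     "identifiers": {"CVE": ["CVE-0000-0001"]},
     "from": ["docker-image|app@1.0", "gnupg2/gpg@2.2.12", "sqlite3/libsqlite3-0@3.27.2-3"]},
    {"id": "SNYK-EXAMPLE-2", "title": "Remote Code Execution (RCE)", "severity": "critical",
     "packageName": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
     "identifiers": {"CVE": ["CVE-2021-44228"]},
     "from": ["docker-image|app@1.0", "com.example:app@1.0", "org.apache.logging.log4j:log4j-core@2.14.1"]}
  ]
}"""


def load_vulns(scan_json):
    """Return the vulnerability list from a docker scan --json document."""
    return json.loads(scan_json).get("vulnerabilities", [])


def at_or_above(vulns, threshold):
    """Keep findings whose severity is at least `threshold` (what --severity does)."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in vulns if SEVERITY_RANK.get(v["severity"], -1) >= floor]


def find_cve(vulns, cve_id):
    """Return 'package@version via path' strings for every finding carrying cve_id."""
    hits = []
    for v in vulns:
        if cve_id in v.get("identifiers", {}).get("CVE", []):
            hits.append(f"{v['packageName']}@{v['version']} via {' > '.join(v['from'])}")
    return hits


def gate(scan_json, threshold="high", blocked_cves=("CVE-2021-44228",)):
    """CI-style verdict: fail when any finding meets the threshold or matches a blocked CVE."""
    vulns = load_vulns(scan_json)
    serious = at_or_above(vulns, threshold)
    blocked = [hit for cve in blocked_cves for hit in find_cve(vulns, cve)]
    return {"ok": not serious and not blocked, "serious": len(serious), "blocked": blocked}
```

In practice you would run docker scan --json IMAGE > scan.json and call gate(open("scan.json").read()), failing the build when the returned "ok" is false.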

As seen from these examples, you can detect potential threats, problems, or vulnerabilities that might be part of any layer inside an image. This is an excellent way to test images you are about to use, or that you are about to publish yourself to any public repository.

One final issue, if you are coming from the Windows side of things and using WSL2 (Windows Subsystem for Linux, in favor of the legacy Hyper-V backend) for your Docker Desktop:

⚠️
The vulnerability scanning feature doesn't work with Alpine distributions.

So, if you use any image that has Alpine as its base, you are out of luck. Just one thing to keep in mind.

Now we just need to wait (hopefully not too long) for Synology to publish a version of its Docker package that has this command built in, and we are off to the races.