Replace docker scan with docker scout for Security Scanning #462
Binary file removed docs/tutorial/image-building-best-practices/hvs.png
62 changes: 36 additions & 26 deletions docs/tutorial/image-building-best-practices/index.md
@@ -1,45 +1,55 @@
## Security Scanning

When you have built an image, it is good practice to scan it for security vulnerabilities using the `docker scan` command.
Docker has partnered with [Snyk](http://snyk.io) to provide the vulnerability scanning service.
When you have built an image, it is good practice to scan it for security vulnerabilities. Docker Scout provides a powerful set of tools for analyzing your images and identifying potential issues.

For example, to scan the `getting-started` image you created earlier in the tutorial, you can just type
For example, to get a summary of vulnerabilities and recommendations for the getting-started image you created earlier in the tutorial, you can just type

```bash
docker scan getting-started
docker scout quickview getting-started
```

The scan uses a constantly updated database of vulnerabilities, so the output you see will vary as new
vulnerabilities are discovered, but it might look something like this:
The command gives you a concise overview of the vulnerabilities in the specified image and vulnerabilities from the base image. It also displays base image refresh and update recommendations if available.

The scan uses a constantly updated database of vulnerabilities, so the output you see will vary as new vulnerabilities are discovered, but it should look something like this:

```plaintext
✗ Low severity vulnerability found in freetype/freetype
Description: CVE-2020-15999
Info: https://snyk.io/vuln/SNYK-ALPINE310-FREETYPE-1019641
Introduced through: freetype/[email protected], gd/[email protected]
From: freetype/[email protected]
From: gd/[email protected] > freetype/[email protected]
Fixed in: 2.10.0-r1

✗ Medium severity vulnerability found in libxml2/libxml2
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE310-LIBXML2-674791
Introduced through: libxml2/[email protected], libxslt/[email protected], nginx-module-xslt/[email protected]
From: libxml2/[email protected]
From: libxslt/[email protected] > libxml2/[email protected]
From: nginx-module-xslt/[email protected] > libxml2/[email protected]
Fixed in: 2.9.9-r4
Target │ getting-started:latest │ 3C 14H 6M 7L
digest │ d084f60d83ad │
Base image │ node:18-alpine │ 0C 1H 0M 1L
Updated base image │ node:20-alpine │ 0C 1H 0M 1L
```

To get a detailed insights into vulnerabilities and recommendations, you can use the docker scout cves command:

```bash
docker scout cves getting-started
```

The output lists the type of vulnerability, a URL to learn more, and importantly which version of the relevant library
fixes the vulnerability.
This will display a detailed list of vulnerabilites in the image, including the type of vulnerability, its severity, a URL to learn more, and importantly which version of the relevant library fixes the vulnerability. The output will look something like this (only the first vulnerability is shown here for brevity):

```plaintext
...

## Packages and Vulnerabilities

2C 1H 2M 0L mysql2 2.3.3
pkg:npm/[email protected]

✗ CRITICAL CVE-2024-21511 [Improper Control of Generation of Code ('Code Injection')]
https://scout.docker.com/v/CVE-2024-21511
Affected range : <3.9.7
Fixed version : 3.9.7
CVSS Score : 9.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```

There are several other options, which you can read about in the [docker scan documentation](https://docs.docker.com/engine/scan/).
There are many more tools available in Docker Scout to help you analyze your images, which you can read about in the
[Docker Scout documentation](https://docs.docker.com/scout/).

As well as scanning your newly built image on the command line, you can also [configure Docker Hub](https://docs.docker.com/docker-hub/vulnerability-scanning/)
to scan all newly pushed images automatically, and you can then see the results in both Docker Hub and Docker Desktop.

![Hub vulnerability scanning](hvs.png){: style=width:75% }
![Hub vulnerability scanning](scout.png){: style=width:75% }
{: .text-center }

## Image Layering
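Review bot: the new image line `![Hub vulnerability scanning](scout.png){: style=width:75% }` references a file this change does not add: the file list shows `docs/tutorial/image-building-best-practices/hvs.png` removed but no `scout.png` added, so the rendered tutorial will show a broken image; either add the screenshot to the same directory or drop the image line, and in either case update the alt text, which still reads "Hub vulnerability scanning". The unchanged paragraph beginning "As well as scanning your newly built image on the command line, you can also configure Docker Hub" still links to `https://docs.docker.com/docker-hub/vulnerability-scanning/`, while every other sentence in the section now describes Docker Scout; confirm that link is still the intended destination or point it at the Scout documentation already linked on the line above. Minor wording in the added lines: "To get a detailed insights" should read "To get detailed insights", "vulnerabilites" should be "vulnerabilities", and `docker scout cves` should be in backticks like the other commands in the section.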