A repository containing an application and Dockerfile to demonstrate the use of Docker Scout to analyze and remediate CVEs in a container image. The application consists of a basic ExpressJS server and uses an intentionally old version of Express and an old Alpine base image.
- Installing Docker Scout
- Enabling Docker Scout
- Analyzing image vulnerabilities
- Fixing application vulnerabilities
- Integrating with GitHub Actions
- Install the latest version of the Scout CLI:

```shell
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh
```
If you're using Docker Desktop, you can enable background SBOM indexing as shown:
```shell
git clone https://github.com/dockersamples/scout-demo-service
cd scout-demo-service
docker build -t scout-demo:v1 .
# publish port 3000 so the curl below can reach the Express server in the container
docker run -p 3000:3000 scout-demo:v1
```
Access the app:

```shell
curl localhost:3000
```

Expected response:

```
Hello World!
```
If you're using Docker Desktop, you should be able to see vulnerabilities right now on your Docker dashboard.
There are 2 major vulnerabilities reported: the first is related to the OpenSSL package and the other to Express 4.17.3. The advisory states that versions of Express.js prior to 4.19.2, and pre-release alpha and beta versions before 5.0.0-beta.3, are affected by an open redirect vulnerability using malformed URLs. That means we need to update our Express v4.17.3 to 4.19.2.

Update (10 Aug): The OpenSSL vulnerability has already been fixed. Only the Express-specific vulnerabilities remain, and they are of medium severity.
Alternatively, you can see the list of vulnerabilities locally using your terminal:

```shell
docker scout cves scout-demo:v1
```
The fix suggested by Docker Scout is to update the underlying vulnerable express version to 4.17.3 or later.
Update the package.json file with the new package version:

```json
…
"dependencies": {
  "express": "4.19.2"
  …
}
```

Rebuild the image with a new tag:

```shell
docker build -t scout-demo:v2 .
```

You will find that the Express vulnerabilities are now fixed.
You will see that the OpenSSL vulnerability is still there. To fix this, open up your Dockerfile and add openssl to the package install step as shown below:

```dockerfile
RUN apk add --no-cache \
    nodejs \
    openssl
```

Try re-building the Docker image, tagged v3 this time:

```shell
docker build -t scout-demo:v3 .
```

This time, you will find that all the vulnerabilities are fixed.
Push the image to Docker Hub (the image built above carries no organization prefix, so tag it first):

```shell
docker tag scout-demo:v1 <org-name>/scout-demo:v1
docker push <org-name>/scout-demo:v1
```

Alternatively, you can use the Docker Dashboard directly to push your Docker image to Docker Hub.
You can enable Docker image analysis right on your Docker Hub repositories, either through the CLI or directly using the Docker Hub Dashboard.
Docker Scout analyzes all local images by default. To analyze images in remote repositories, you need to enable it first. You can do this from Docker Hub, the Docker Scout Dashboard, and CLI. Find out how in the overview guide.
Use the `docker scout repo enable` command to enable analysis on an existing repository:

```shell
docker scout repo enable <org-name>/scout-demo
```

For example:

```
docker scout repo enable <org-name>/scout-demo
✓ Enabled Docker Scout on <org-name>/lamp-for-collabnix
✓ Enabled Docker Scout on <org-name>/ol7-webdeliverer
✓ Enabled Docker Scout on <org-name>/puppet-for-docker
✓ Enabled Docker Scout on <org-name>/puppet4docker
✓ Enabled Docker Scout on <org-name>/scout-demo
```
Click on the tag version to see the list of vulnerabilities:
You will see the same kind of result as you see locally on your Docker Desktop.
After building, you can use Docker Desktop or the docker scout CLI command to see vulnerabilities detected by Docker Scout.
Using Docker Desktop, select the image name in the Images view to see the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those.
```shell
docker scout cves <org-name>/scout-demo:v1
```

Now you can follow the instructions above to fix it directly on Docker Desktop.
Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the Advisory Database sources document.
Fork this repo into your own account. Go to Settings > Secrets and Variables > Actions and add DOCKER_PAT and DOCKER_USER.

Set these to your Docker Hub registry credentials; the workflow expects the following secrets in GitHub:
- DOCKER_USER: The username for the Docker registry.
- DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.
Ensure that your workflow contains the following entries:

```yaml
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
```
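A complete workflow that uses those two secrets to log in, build the image and fail the job when Docker Scout finds critical or high CVEs, as an added example that is not the workflow file shipped with this repository. The action names, versions and inputs (`docker/login-action`, `docker/build-push-action`, `docker/scout-action` with `command`, `image`, `only-severities`, `exit-code`, `dockerhub-user`, `dockerhub-password`) are taken from the public documentation of those actions and are assumptions here, not part of the original page.

```yaml
# Added example workflow (not the repository's own): gate the image on Scout CVE results
name: scout-cve-gate

on:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      # Uses the DOCKER_USER / DOCKER_PAT secrets described above
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Build into the runner's local daemon (no push) so Scout can analyze it
      - name: Build the image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: scout-demo:${{ github.sha }}

      # exit-code: true makes the step fail when matching CVEs are found,
      # so a vulnerable Express or base image blocks the pipeline
      - name: Scan for critical and high CVEs
        uses: docker/scout-action@v1
        with:
          command: cves
          image: scout-demo:${{ github.sha }}
          only-severities: critical,high
          exit-code: true
          dockerhub-user: ${{ secrets.DOCKER_USER }}
          dockerhub-password: ${{ secrets.DOCKER_PAT }}
```

With the v1 image from this repo the scan step reports the Express and OpenSSL findings; after the package.json and Dockerfile fixes above it passes.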
Run the GitHub Actions job; once it completes you will see the following output.