Want to know about Docker image vulnerability scanning tools? We can help you.
At Bobcares, we offer solutions for every query, big and small, as a part of our Docker Hosting Support.
Let’s take a look at how our Support Team is ready to help customers with Docker queries.
Docker image vulnerability scanning tools
There are many open-source tools for Docker vulnerability scanning.
Today, let us discuss the tools listed by our Support techs.
Docker Bench for Security
First and foremost, this security tool bases all of its automated scans on the CIS Docker Benchmark.
It can be run as a shell script or from a Docker image.
Scan results include findings related to the host configuration, the Docker daemon configuration and its files.
By using this tool, you can check whether you have applied best practices to your Docker setup, and each warning tells you which action to take.
The commands below show how to install all related packages and Docker Bench for Security on Ubuntu 20.04:
$ sudo apt-get install git -y
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
After you run your docker images locally, you can run your tests with:
$ sudo sh docker-bench-security.sh
Dive
Secondly, Dive is not exactly a vulnerability scanning tool, but it helps you discover the layers and permissions of your Docker images.
It also estimates image efficiency: it shows basic layer info and an experimental metric that guesses how much wasted space your image contains.
To install Dive on Ubuntu 20.04:
$ wget https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.deb
$ sudo apt install ./dive_0.9.2_linux_amd64.deb
After installation, you can run Dive against an image by name or tag:
$ dive <image_name>
InSpec
Next, InSpec is an open-source testing framework for Docker images.
You can verify the state of your Docker images against a security or compliance baseline.
There are lots of checkpoints for your images, such as the Linux baseline, the CIS Docker Benchmark, etc.
You can access them from the dev-sec project on GitHub. To install InSpec on Ubuntu 20.04:
$ sudo apt-get -y install ruby ruby-dev gcc g++ make
$ gem install inspec
After installation, you can run InSpec against a running container with:
$ inspec exec https://github.com/dev-sec/linux-baseline -t docker://<docker_id>
Scan on Push: AWS ECR
Next, Amazon ECR is a service that manages container registries for storing, managing, and deploying container images.
If you manage your Docker images with AWS ECR, you can scan them to improve the security of your application’s container images.
Additionally, you can enable the “scan on push” feature for your repositories to ensure every image automatically goes through vulnerability scanning.
AWS ECR uses CVE databases for its findings. To enable the scan on push feature:
$ aws ecr create-repository --repository-name <addyourreponame> \
    --image-scanning-configuration scanOnPush=true
After pushing your Docker images to the registry, you can see the scan results in detail in the AWS console.
Once you have the results, you can fix the vulnerabilities with security updates.
Trivy
Finally, Trivy is an open-source vulnerability scanner for your Docker images developed by Aqua Security.
In addition to Docker images, Trivy can scan your filesystems and git repositories for you.
It detects vulnerabilities in minutes and is suitable for CI/CD pipelines. Trivy can be installed easily on many Linux distributions.
It lists vulnerabilities and the affected libraries with detailed information such as the library version installed in the image, the fixed version that should be installed, the severity level, etc.
To install all related packages and Trivy on Ubuntu 20.04:
$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy
After installation, you can run Trivy with:
$ trivy image [YOUR_IMAGE_NAME]
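Because Trivy reports the installed version, the fixed version and the severity of each finding, a CI job can act on the report instead of someone reading it by hand. The script below is an added example, not Trivy's own code or part of the original post: it reads the JSON that `trivy image -f json` writes, blocks the build only for HIGH/CRITICAL findings that already have a fix available, and warns about the ones with no fix yet. The sample report is constructed inline and its CVE ids are placeholders.

```python
"""Gate a CI job on a Trivy JSON report: fail when a HIGH/CRITICAL
vulnerability already has a fixed version the image does not carry."""
import json
import sys

# Constructed sample shaped like Trivy's JSON report (schema v2, as written
# by `trivy image -f json`); the CVE ids are placeholders, not real ones.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "app:1.0",
  "Results": [{"Target": "app:1.0 (debian 11.6)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER1", "PkgName": "libssl1.1",
     "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4",
     "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER2", "PkgName": "libc6",
     "InstalledVersion": "2.31-13+deb11u5", "FixedVersion": "",
     "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER3", "PkgName": "curl",
     "InstalledVersion": "7.74.0-1.3+deb11u7", "FixedVersion": "7.74.0-1.3+deb11u8",
     "Severity": "LOW"}]}]})

BLOCKING = {"HIGH", "CRITICAL"}

def triage(report_text, severities=BLOCKING):
    """Split blocking-severity findings into (fixable, unfixable) lists of
    (vuln_id, package, installed_version, fixed_version) tuples."""
    fixable, unfixable = [], []
    for result in json.loads(report_text).get("Results", []):
        # Trivy emits null rather than [] when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            row = (v["VulnerabilityID"], v["PkgName"],
                   v["InstalledVersion"], v.get("FixedVersion", ""))
            (fixable if row[3] else unfixable).append(row)
    return fixable, unfixable

def gate(report_text):
    """Return the CI exit status: 1 when an available fix is missing."""
    fixable, unfixable = triage(report_text)
    for vid, pkg, inst, fixed in fixable:
        print(f"BLOCK {vid}: {pkg} {inst} -> upgrade to {fixed}")
    for vid, pkg, inst, _ in unfixable:
        print(f"WARN  {vid}: {pkg} {inst} has no fixed version yet")
    return 1 if fixable else 0

if __name__ == "__main__":
    # Pipe a real report in on stdin; with no input the sample is used.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(text or SAMPLE_REPORT))
```

In a pipeline, run it as `trivy image -f json IMAGE | python3 gate.py` so the job fails until the flagged packages are upgraded.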
Conclusion
To sum up, our skilled Support Engineers at Bobcares listed Docker image vulnerability scanning tools.