docker-scout

Securing Docker Images with Docker Scout: A Practical Guide¶

Gulcan Topcu

Feb 1, 2024

10 min read

🏷️Tagged with:

container

Ensuring the security of Docker images is vital for maintaining the overall security posture of your organization. Docker Scout, a security tool developed by Docker, excels in scanning Docker images for potential vulnerabilities and provides valuable recommendations to enhance image security. In this blog post, we will guide you through the process of leveraging Docker Scout to scan and secure Docker images. Join me as we learn to scan, identify, and address vulnerabilities in container images, effectively minimizing risks in production environments while aligning with cloud-native security practices.

Introducing Vulnerable Python Image¶

If you’ve been following our articles on Kuberada, you’re likely aware that we’ve built three custom images for our voting app, stored on Dockerhub and Gitlab repositories. With a security-focused mindset, our goal is to assess whether these images are affected by critical CVE vulnerabilities.

Vulnerable Python Image

Before delving into the assessment, let’s briefly understand what CVE entails.

What is CVE?

CVE (Common Vulnerabilities and Exposures) is a standardized system designed for uniquely identifying and naming vulnerabilities in software and hardware systems. Maintained by the MITRE Corporation, CVE provides a common language for organizations and security practitioners to discuss, share, and exchange information about security vulnerabilities.

Analyzing Python Frontend Application for Vulnerabilities¶

To begin, open Docker Desktop and navigate to the images section. Docker Scout is already enabled on Windows Docker Desktop.

Docker Scout Enabled

As a quick reminder, we created our images using the following commands:

docker buildx create --name mybuilder --use --bootstrap
DOCKER_IMAGE_NAME=registry.gitlab.com/colossus06/cka-ckad-study-group-2024/frontend_python
docker buildx build --load --platform linux/amd64 -t $DOCKER_IMAGE_NAME:fixed .

Let’s inspect the packages added to each layer of our image and identify any software package affected by critical vulnerabilities.

Layered Image Inspection

While there are no critical vulnerabilities, we notice two high vulnerabilities stemming from the same CVE, CVE-2022-40897. Docker Scout recommends upgrading the setuptools version to 65.5.1 to address this issue. Let’s proceed with the upgrade.

CVE-2022-40897

First, detect the current vulnerable package version:

pip list | grep setup

Current Vulnerable Version

Now, let’s upgrade the package:

pip install setuptools --upgrade
pip freeze > requirements.txt
echo "setuptools==$(pip show setuptools | grep Version | cut -d ' ' -f 2)" >> requirements.txt

Setuptools Upgrade

Rebuild the image:

docker buildx build --load --platform linux/amd64 -t $DOCKER_IMAGE_NAME:fixed .

Rebuilt Image

Verifying the Fix for CVE-2022-40897¶

Inspect the layers of the latest image:

Latest Image Layers

Latest Image Layers

Getting Recommendations to Harden the Base Image¶

While we’ve addressed specific vulnerabilities, there are still medium vulnerabilities originating from the base image. Docker Scout’s recommendation engine can help rectify this.

Navigate to recommended fixes in the top right corner.

Recommended Fixes

Recommended Fixes

Applying the Recommendations¶

To eliminate 26 vulnerabilities and save 28 MB of space, we need to change the base image. Replace FROM python:3.9-slim AS base with FROM python:alpine in the Dockerfile and adjust the package manager.

FROM python:alpine AS base
RUN apk add --update curl && \
    rm -rf /var/cache/apk/*

Rebuild the image:

docker buildx build --load --platform linux/amd64 -t $DOCKER_IMAGE_NAME:base-hardened .

Base Image Upgrade

Finally, inspect the latest image using Docker Scout:

Inspect Latest Image

Inspect Latest Image

Tagging and Pushing Images to Dockerhub¶

Tag the first image before fixing critical vulnerabilities and the latest push.

DOCKER_NEW_IMAGE_NAME=elkakimmie/docker-scout
docker tag $DOCKER_IMAGE_NAME:latest $DOCKER_NEW_IMAGE_NAME:vuln
docker tag $DOCKER_IMAGE_NAME:base-hardened $DOCKER_NEW_IMAGE_NAME:base-hardened
docker push $DOCKER_NEW_IMAGE_NAME:vuln
docker push $DOCKER_NEW_IMAGE_NAME:base-hardened

Now, there are two images available:

  • elkakimmie/docker-scout/vuln: The initial image with vulnerabilities.

  • elkakimmie/docker-scout/base-hardened: The latest image after fixing CVE-2022-40897 and changing the base image to Alpine.

Activating Image Analysis on Scout¶

Scout image analysis is already available by default for Docker Hub repos. You can find it in your repository settings.

Image Analysis Activation

Alternatively, activate it on Scout repository settings. As of Feb 1, 2024, you can activate analysis for three repositories under the Docker Scout Free plan.

Image Analysis Activation

Once activated, Scout automatically analyzes images upon push, displaying SCOUT ANALYSIS ACTIVE in your repository/general tags section.

Analysis Active

Comparing Images¶

You can compare images using Scout GUI or the docker-scout CLI.

Comparison on Scout

Navigate to Scout, locate your repository in the images section, and compare the two images.

Image Comparison on Scout

Verify the removal of 29 low vulnerabilities.

Comparison Results

Comparison using docker-scout CLI

Compare two images and display differences using the following commands. Consider piping the output to less.

docker login
docker scout config organization <dockerhub-username>
docker scout compare $DOCKER_NEW_IMAGE_NAME:base-hardened --to $DOCKER_NEW_IMAGE_NAME:vuln --ignore-unchanged

CLI Comparison

Analyzing Images Locally

Inspect images locally using the following command:

docker scout quickview $DOCKER_NEW_IMAGE_NAME:base-hardened

BONUS-1: Upgrading Docker Scout on Windows WSL

Execute the following script in your terminal to upgrade Docker Scout on Windows WSL:

curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
docker scout version

Upgrade Docker Scout

BONUS-2: Fixing error storing credentials

If you encounter the following error, try removing ~/.docker/config.json:

Error saving credentials: error storing credentials - err: fork/exec /usr/bin/docker-credential-desktop.exe: exec format error, out: ``

Conclusion¶

To recap, securing Docker images is a critical aspect of maintaining a robust and resilient production environment. Docker Scout proves to be a valuable tool in identifying and addressing vulnerabilities effectively. By following the practical guide outlined in this article, you have gained hands-on experience in securing Docker images, making the production workloads more resilient to potential threats.

References¶

Happy upskilling!

Enjoyed this read?

If you found this guide helpful,check our blog archives 📚✨

  • Follow me on LinkedIn to get updated.

  • Read incredible Kubernetes Stories: Medium

  • Challenging projects: You’re already in the right place.

Until next time!