
How To Scan Docker Images for Vulnerabilities

For any software development project, it is essential that the components of the software are not susceptible to any vulnerabilities. The case is no different when working in Docker, where images should be checked for vulnerabilities before being uploaded to Docker Hub or another registry. To take advantage of Docker’s benefits, learn about its containerized architecture and how to scan Docker images for vulnerabilities.

Containers and Images

Containers and images are part of what is called a containerized architecture. A schema like this allows for software to be packaged into isolated units that can run in any environment. These isolated units are called containers.

What is unique about such an architecture is that it facilitates portability, since containers can be moved to different platforms without destroying their integrity. This contrasts with traditional software practices, where moving between platforms almost always causes incompatibilities and other issues. The cornerstone of containerized architecture is its use of containers and images.   

Images 

A container image serves as a description of a container environment. Because an image consists of a set of files, such as source code, binaries, and other dependencies, it can be deployed as a container environment on demand. Images, therefore, serve as a kind of blueprint or model for a type of container.

Images are immutable, which means that they cannot be changed. They consist of a base image (also called a parent image) upon which other layers can be added. The benefit of these layers is that they enable easy reuse of components of images across different images, and therefore can help reduce container size and enhance performance.

In Docker, images can be created with Dockerfiles. Dockerfiles are text documents that contain all the necessary information to create images. The benefit of Dockerfiles is that they are human-readable, and thus do not require the user to be well-versed in executing operations in the command line.

Another way to create images is retroactively from containers. Given a container, it is possible to modify the container environment and then save it as a new image.

Containers 

A container is what becomes of a container image at runtime. If a container image is like an abstract blueprint or model, then containers are the real things.

While a container image exists as a single definition, there is no limit to the number of containers that can be started from it. Many containers created from the same image can therefore be running at once.

Containers are similar to virtual machines, but there are some crucial differences. Whereas multiple containers can share the same operating system kernel, this is not the case for virtual machines. To run multiple virtual machines at the same time, each of them must have a copy of an operating system, binaries, libraries, and the application, which takes up a lot of space. Since containers do not require the same amount of copying of data, they tend to be faster.

The Benefits of Containerized Architecture 

Containerized architecture is the name of the type of architecture characterized by the image and container schema discussed above. Whereas virtual machines simplified the use of multiple operating systems to be deployed on a single server, container architectures take this a step further by enabling multiple containers to share the same operating system kernel.

Some of the many benefits of containerized architecture are:

  • Lightweight: Containers do not carry a full operating system of their own, which makes them very lightweight in comparison to virtual machines.
  • OS independent: Because containers do not bundle an OS, there is less need to worry about platform dependence.
  • Fast to start: Unlike virtual machines, containers can be started or stopped within seconds.
  • Lower costs: Multiple containers can be run on a single virtual machine.
  • Fast deployment: New containers can be deployed quickly, and terminated just as quickly.
  • Resilience: Redeploying a new container from the same image is easy, so a failed container is not a big problem.

Scanning Docker Images for Vulnerabilities 

It is important to know whether a Docker image that is being used has any vulnerabilities, especially if this image is to be uploaded to a registry, such as Docker Hub. Fortunately, Docker images can be scanned to detect known security vulnerabilities in the packages an image contains.

Running the command docker scan <image-name> immediately after a build reports the known vulnerabilities found in the packages the image contains. The user then fixes these findings before uploading the image to a registry. To confirm that the fixes took effect, run docker scan <image-name> again: if no vulnerabilities are reported, the image is ready to push.
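The build, scan, fix, re-scan loop described above, as an added example that is not part of the original SOOS article: a small Python script that builds an image, runs docker scan with JSON output, and refuses the image when anything at or above a chosen severity is reported, so that the "scan again after fixing" step becomes a repeatable gate in a CI job. The --json and --accept-license flags are those of the docker scan plugin as shipped in 2022; the report shape parsed here (a top-level "vulnerabilities" list whose items carry "id", "severity", "packageName" and "title") is assumed from the Snyk-style output that plugin produced and should be checked against your Docker version. The SAMPLE_REPORT is constructed so the gate logic can be exercised with --demo and no Docker daemon.

```python
"""Build a Docker image, scan it, and gate the push on finding severity.

Added example, not code from the SOOS article.  The JSON layout parsed in
findings_above() is an assumption about the Snyk-style report that
`docker scan --json` emitted; verify it against your Docker version.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _reports(report):
    # docker scan may emit one object or, for multi-project images, a list
    # of objects (assumption); normalise both to a list.
    return report if isinstance(report, list) else [report]


def findings_above(report, threshold="high"):
    """Return findings whose severity is at or above `threshold`, worst first."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for part in _reports(report):
        for v in part.get("vulnerabilities", []):
            sev = str(v.get("severity", "")).lower()
            if SEVERITY_RANK.get(sev, 0) >= floor:
                hits.append({
                    "id": v.get("id", "?"),
                    "severity": sev,
                    "package": v.get("packageName", "?"),
                    "title": v.get("title", ""),
                })
    # Worst first so the summary leads with what blocks the push.
    hits.sort(key=lambda h: -SEVERITY_RANK[h["severity"]])
    return hits


def passes_gate(report, threshold="high"):
    """True when nothing at or above `threshold` was reported."""
    return not findings_above(report, threshold)


def build_image(image, context="."):
    subprocess.run(["docker", "build", "-t", image, context], check=True)


def scan_image(image):
    """Run `docker scan --json` and parse its report.

    docker scan exits non-zero when it finds vulnerabilities, so the exit
    code is deliberately not used to decide; the parsed report is.
    """
    proc = subprocess.run(
        ["docker", "scan", "--accept-license", "--json", image],
        capture_output=True, text=True, check=False,
    )
    if not proc.stdout.strip():
        raise RuntimeError(f"docker scan produced no output: {proc.stderr}")
    return json.loads(proc.stdout)


# Constructed sample report (hypothetical ids and package names) used by
# `--demo` so the gate can be tried without a Docker daemon.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "severity": "low", "packageName": "libfoo",
         "title": "Example low finding"},
        {"id": "EXAMPLE-VULN-2", "severity": "high", "packageName": "libbar",
         "title": "Example high finding"},
        {"id": "EXAMPLE-VULN-3", "severity": "critical", "packageName": "libbaz",
         "title": "Example critical finding"},
    ]
}


def main(argv):
    if len(argv) >= 2 and argv[1] == "--demo":
        image, report = "demo-image:latest", SAMPLE_REPORT
    elif len(argv) >= 2:
        image = argv[1]
        build_image(image, argv[2] if len(argv) > 2 else ".")
        report = scan_image(image)
    else:
        print(f"usage: {argv[0]} <image:tag> [build-context] | --demo")
        return 2
    hits = findings_above(report, "high")
    for h in hits:
        print(f"{h['severity'].upper():9}{h['id']:20} {h['package']}: {h['title']}")
    if hits:
        print(f"{image}: {len(hits)} finding(s) at or above high; fix and re-scan before pushing")
        return 1
    print(f"{image}: no findings at or above high; ready to push")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py myapp:1.0 .` to build and scan a real image, or `python gate.py --demo` to see the gate reject the constructed report. The threshold is kept in one place so a team can decide what blocks a push (high and above here) and what is merely reported. Docker later deprecated the docker scan plugin in favour of Docker Scout; the gate functions work unchanged on any scanner that can emit a report of the same shape.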

The Importance of Scanning Images for Vulnerabilities 

It is important to scan Docker images to ensure that they are free from vulnerabilities before uploading them to a registry like Docker Hub. If Docker images that contain vulnerabilities are uploaded, then those who install the images may end up with buggy software. Thus, to ensure that users are installing good software, it is essential to check that the software is free from vulnerabilities. Likewise, when downloading a Docker image to use, checking it for vulnerabilities is always a good practice.

The Different Types of Security Scanning 

The security scanning measures listed above are not necessarily sufficient to scan for all vulnerabilities. It is possible that some vulnerabilities may escape detection by some Docker commands. Because of this, it is important to be aware of other vulnerability scanning options for Docker containers that may be of service when other options fail. Some types of tools that may be of use are:

  • Open-source software: These tools are beneficial for a number of reasons, one of which is the fact that open-source software is transparent, meaning that programmers can look inside the code if they want to. Another benefit is that anyone can become a developer in an open-source software community, and devs are able to construct more tools to their own liking that can also benefit the community at large. 
  • Network configuration: Problems with Docker image port and network configuration can be identified with suitable software.
  • User-defined policy: These tools are great for those who would like to have more direct control over vulnerability scanning, as they allow the user to define the security policies used when scanning container images.  
  • Identity and access management: It is important for containers not to have access to too many of your resources. Identity and access management tools help to ensure that this does not happen.

Using a combination of these tools can drastically increase the strength of your security management, as each of these tools facilitates targeting and managing particular types of vulnerabilities. However, keep in mind that regardless of how many procedures are being employed, it is still possible for vulnerabilities to remain undetected. Therefore it is essential to always ensure good security practices. Many software tools provide constant monitoring, so that if something does go wrong, the developer will be notified.

Fortunately, there are platforms with the sole purpose of providing software security to companies and developers. SOOS’s software composition analysis solution takes the hassle out of scanning your open source software for vulnerabilities allowing developers to focus less on software security and more on their projects.

Docker Image Scanning: The Final Analysis

Containerized architectures have much to offer in terms of efficiency. The image-container schema provides many benefits that other architectures do not and is a revolutionary step in software design architecture. Nonetheless, Docker images must still be probed for vulnerabilities, and that is why it is necessary to have a robust collection of tools for scanning Docker images. While Docker itself has some tools for scanning images, there are many other tools that are more specialized, and thus provide scanning functionalities that are targeted toward specific issues. If you are going to upload a Docker image to Docker Hub or any other registry, it is important to ensure that it is free of vulnerabilities, which is why it is important to employ Docker image scanning tools to detect as many vulnerabilities as possible. Luckily, SOOS can help with this, providing software composition analysis with unlimited scans at an unbeatable price.
