When it comes to container security, you can’t trust what you haven’t scanned – which is why Docker scanning should be a fundamental pillar of any cloud-native security strategy. By identifying risks and vulnerabilities in container images prior to application deployment, Docker scanning helps organizations get ahead of threats before they turn into breaches.
Keep reading for a breakdown of how Docker scanning works, why it’s important, and how best to integrate scanning into your applications’ Docker lifecycle.
In this article:
What Is Docker Scanning?
Docker scanning is the practice of checking for security risks in container images.
The specific types of risks that Docker scans can detect vary depending on which scanning tool you use. Some scanners only check for major vulnerabilities, but advanced scanners (such as Trivy) can capture a range of threats, including:
- Known security vulnerabilities, meaning security flaws recorded in vulnerability databases.
- Misconfigurations that could trigger security breaches, such as excessive permissions for a container.
- Sensitive data, such as passwords and SSH keys, which are hard-coded into a container image and could be exploited by hackers.
Note as well that the most effective Docker scanners can check the contents not just of a container image itself, but also of any dependencies that a container based on the image will install. Thus, if your image is configured to run commands using a package manager like apt-get or dnf to install additional software when a container starts, and if that software is subject to vulnerabilities, a good Docker scanning tool will report those risks.
Docker Scanning vs. Container Scanning
For the sake of clarity, we should note that the term “Docker scanning” can be a bit confusing. It may sound like it only applies to Docker containers. However, the phrase is frequently used to refer to scanning any type of container image, not just images that are built or run using Docker’s tooling.
This means that if you’re deploying containers on a platform like Kubernetes rather than using Docker’s orchestrator, Swarm, or if you’re using a container runtime other than Docker’s, you can still benefit from Docker scanning. Most Docker scanning tools can work with any type of container image, including but not limited to Docker containers.
Matters might be less confusing if everyone used the term “container scanning” instead of “Docker scanning.” But “Docker scanning” is still a phrase that is widely used to refer to container scanning in any type of environment, probably because Docker was the first major container platform to hit the market. It’s sort of like how folks say “Xerox” to refer to photocopying even if they aren’t using a photocopier made by Xerox specifically, but we digress.
The point here is that Docker scanning is important for virtually any modern, container-based application stack, not just those that depend on Docker specifically.
Scanning’s Role in the Docker Lifecycle
You can scan a container image at any point in the Docker lifecycle – including before or after deploying one or more containers based on the image. However, image scanning is most effective when it occurs prior to application deployment.
The reason why is simple: If you wait until after deploying your app to scan images, any vulnerabilities or other risks you detect will already exist “in the wild” – meaning they are actual threats within your production environment that could affect your business. You can react at that point by fixing the issues and redeploying the app, but it’s better to prevent risks from entering production in the first place.
To maximize your ability to detect security problems before applications are up and running, consider integrating Docker scanning into the CI/CD process by automatically triggering scans whenever a new container image is built. That way, scanning becomes a systematic part of the Docker lifecycle, rather than a one-off process that your team needs to perform manually (and may sometimes forget).
Why Docker Image Scanning is Important
No matter how you choose to operationalize Docker image scanning, the single most important step to take is to ensure that you scan images at some point.
Why? Because Docker image scans are the only way of detecting certain types of risks, such as misconfigured container permission settings. Those risks don’t exist until container images exist, so scanning images after you build them is your only means of catching the problems before you deploy containers into production.
Best practices for Docker vulnerability scanning
To get the most out of Docker scanning, consider these best practices:
- Automate scans: You can initiate scans using most Docker scanning tools manually. But to save time and avoid the risk of forgetting to scan, it’s a best practice to integrate automated scans into your CI/CD process.
- Check for all types of risks: The most effective Docker scanners look not just for vulnerabilities, but also for risks like misconfigured permissions.
- Rescan whenever images change: Every time you update an image – even if the update is as simple as changing one of the instructions inside the image – you should scan it again. Any change could introduce new security vulnerabilities.
- Triage risks: Some Docker security risks are more severe than others. Although you’ll ideally have the resources to mitigate every vulnerability following every scan, you may sometimes have to decide which risks to prioritize. It may be possible to ignore low-severity vulnerabilities, provided you are confident they will not trigger a breach within your environment.
In short, aim to make Docker vulnerability scans as efficient, comprehensive, and impactful as possible.
Docker Security Scanning Tools
There are a variety of Docker security scanning tools available today. The list starts with simple tools, such as Docker’s scanning plugin, which lets you scan images directly from the CLI.
However, tools like Docker’s scan plugin can detect only a limited set of threats, and they are not designed for automated scans. To increase the efficiency of Docker scanning operations and maximize your ability to detect risks of all types, consider a Docker scanning tool like Trivy.
Trivy is an open source Docker image scanner that can detect a wide variety of risks. It also supports both manual and automated scanning, and it delivers detailed reports about the problems it detects inside Docker images.
To get started with Trivy, simply pull and execute its Docker image (or use an alternate installation method):
docker run aquasec/trivy
Then run a scan by specifying an image. For example:
trivy image python:3.4-alpine
In addition, Trivy can scan a file system or directory – making it a handy tool if you want to check for security risks inside a project that you have not yet built into an image or for scanning an unpacked container image file system.
Getting the Most from Docker Scanning
Scanning container images is one of the most critical steps teams can take to get ahead of security threats to containerized apps. The more types of risks your scanner can uncover, the more efficiently you can interpret and react to scan data, and the better positioned you are to stop security vulnerabilities and other threats before they turn into breaches.