What is Docker?

Docker revolutionizes the way we develop applications. Applications often end up depending on many languages, frameworks, architectures, and development tools. Docker makes it easier and faster to develop and deploy applications for the desktop and the cloud. It works by containerizing applications, isolating each app from its environment. If you would like to learn more, please visit this Docker tutorial for more information on how it works!

Why is container image security important?

Making sure your container image has few or no vulnerabilities is important for cybersecurity reasons. Vulnerabilities in your container image can cost your company millions of dollars in fines, lost productivity, and lost sales. A well-maintained container image prevents deployment issues and keeps customer data from being leaked. Containerized applications have grown worldwide and will continue to grow over the next decade. Many bad actors will try to take advantage of those unaware of container image vulnerabilities.

Check out this how-to video to learn the importance of container security and follow along with the steps below.


Prerequisites

Before we start scanning local Docker images, make sure you have Docker installed for your preferred platform here.

For this tutorial, we will use the terminal to interact with the Docker daemon. You must sign in to Docker Hub via the command line using:

docker login

Enter your credentials. If you haven't already made an account on Docker Hub, please visit the sign-up page!

Scanning Docker images with 'docker scan'

Once you have completed the prerequisites, this will be simple to follow. Thanks to the partnership between Snyk and Docker, Snyk provides a scanning tool for Docker images. For this example, we containerized a simple NodeJS app that interacts with our HacWare API. You can find the project here. In this example, we keep the project on the desktop.

1. Open a terminal and create a project folder containing the app. Move into the root directory of the project folder.

cd DockerScanTutorial

2. The directory must contain the Dockerfile. Now let us build our Docker image. You can view the image you built afterwards.

docker build . -t nodejs-app
docker images

3. After you have built the image, we will get a detailed report on both the image and the Dockerfile used to build it. Here is where we use 'docker scan'. If this is your first scan, you must consent to the use of Snyk, a third-party provider. This warning pops up only once. You can read their privacy policy here.

docker scan --file Dockerfile nodejs-app

The Docker scan output

When you enter the command, you will see the daemon respond with a message saying it has started scanning. The time varies depending on the size of the image and its base image. Grab a drink.

Waiting for the scan to finish

The docker scan will finish and print out several things that we will talk about. Let's check it out!

The Docker scan output

The scan output lists various details about the image. Starting at the top, the package manager in use is deb, a package manager used on Unix-like systems. Next comes the platform the image was built for, which is linux/amd64. The target file is the file we chose to scan, our Dockerfile, alongside our Docker image. It also lists our project name for more visibility. Lastly, it states our base image; if you have worked with a Dockerfile before, you know that this is what our Docker image is built on. This is where most of the vulnerabilities come from.

Take a look at some of the vulnerabilities discovered by the scan.

High severity vulnerabilities
Medium severity vulnerabilities

After listing the details of our Docker image and what it scanned, it lists the number of tested dependencies and how many vulnerabilities came up. As you can see, our base image node:14 contains 535 vulnerabilities! Not great, but thanks to Snyk, it recommends a list of updated base images that we can use to rebuild our image.

Rebuilding our docker image and running the scan again

1. Before we look at our Dockerfile and replace the base image node:14, always make sure your NodeJS app dependencies are up to date. Since we provided a simple NodeJS application, let us change the versions manually.
"dependencies": {
    "axios": "^0.21.1",
    "dotenv": "^10.0.0",
    "express": "^4.17.0"
}

We will update these to the latest versions as of this post's date.

2. Now let's rebuild our Docker image. Edit the Dockerfile using your preferred code editor. Change the base image from 'node:14' to 'node:16.4.1-slim' which is one of the base images the vulnerability scanner recommended.

FROM node:16.4.1-slim

WORKDIR /usr/src/app

COPY package*.json ./

RUN npm install

COPY . .

EXPOSE 8080

CMD [ "node", "server.js" ]

3. Rebuild the image and rescan it!

docker build . -t nodejs-app-fix
docker scan --file Dockerfile nodejs-app-fix
Scanning the new Docker image

The Docker scan output for our updated image

As you can see, we have removed 476 vulnerabilities compared with the last image we built. Also, thanks to Docker’s partner Snyk, which makes this scan possible, we can see that we are up to date with the most secure version of the selected base image. Please take a look at any images you currently use and scan them to make sure they are up to date with the most secure version.
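The build, scan and rescan steps above are easy to automate so that every rebuild is checked the same way. The script below is an added example (not code from the HacWare post, Docker or Snyk): it wraps the tutorial's build and scan commands in a CI-style gate that fails when the report contains any High severity finding. It assumes the `--accept-license` flag to skip the one-time consent prompt non-interactively, the image tag from the tutorial, and a constructed sample report for the parsing functions.

```shell
#!/bin/sh
# Added example, not code from the HacWare post, Docker or Snyk: a CI-style
# gate around the tutorial's build-and-scan steps. Assumed: --accept-license
# skips the one-time Snyk consent prompt; any High finding fails the job.
set -eu

IMAGE="${IMAGE:-nodejs-app-fix}"          # image tag used in the tutorial
DOCKERFILE="${DOCKERFILE:-Dockerfile}"

# count_by_severity SEVERITY: read a docker scan text report on stdin and print
# how many findings carry that severity (Low, Medium or High); one line per
# finding looks like "✗ High severity vulnerability found in openssl/libssl1.1".
count_by_severity() {
    grep -c "$1 severity vulnerability found" || true   # prints 0 on no match
}

# total_found: print M from the summary line "Tested N dependencies for known
# vulnerabilities, found M vulnerabilities." (0 when the line is absent).
total_found() {
    n=$(grep -o 'found [0-9]* ' | tr -dc '0-9')
    echo "${n:-0}"
}

# scan_gate: build, scan with the same Dockerfile, keep the report in scan.txt
# for the CI artifacts, and fail when any High severity finding is present.
scan_gate() {
    docker build . -t "$IMAGE"
    # docker scan may exit non-zero when it finds anything, so capture the
    # report first and apply our own threshold instead of its exit status.
    docker scan --accept-license --file "$DOCKERFILE" "$IMAGE" > scan.txt || true
    high=$(count_by_severity High < scan.txt)
    echo "findings: $(total_found < scan.txt) total, $high high"
    [ "$high" -eq 0 ]
}

# Constructed sample report (not real scanner output) so the parsers can be
# exercised without Docker installed.
SAMPLE_REPORT='✗ Low severity vulnerability found in tar
✗ Medium severity vulnerability found in libgnutls30
✗ High severity vulnerability found in openssl/libssl1.1
✗ High severity vulnerability found in curl/libcurl4
Tested 412 dependencies for known vulnerabilities, found 4 vulnerabilities.'

# Dry-run the parsers on the sample; set RUN_GATE=1 to run the real gate.
printf '%s\n' "$SAMPLE_REPORT" | count_by_severity High
if [ "${RUN_GATE:-0}" = "1" ]; then scan_gate; fi
```

Run it from the project root next to the Dockerfile; without RUN_GATE=1 it only parses the constructed sample, so it can be tried before Docker is set up.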

Final thoughts

If you want more options for scanning your Docker image or want cloud scanning, sign up at Snyk. You can always refer to the Docker documentation in case something feels new or you want to learn more about docker scan or Docker itself! Always make sure your container images are up to date with the latest base images. We must prevent bad actors from stealing our information or harming our business!

Want to Learn More about our Cybersecurity API?

HacWare makes it stupid easy for software developers to launch next-generation cybersecurity education programs to combat phishing attacks with a few lines of code.  To learn more about our powerful security awareness API and developer program, click here to apply.

References

  1. https://docs.docker.com/engine/scan/
  2. https://www.docker.com/why-docker
  3. https://snyk.io/learn/container-security/
  4. https://snyk.io/blog/snyk-container-image-security-scanning-directly-from-docker-desktop/
  5. https://www.hacware.com/doc/index.html
