Combining Snyk Scans in Docker Desktop and Docker Hub to Deploy Secure Containers

Marina Kvitnitsky

Nov 10 2020

Last week, we announced that the Docker Desktop Stable release includes vulnerability scanning, the latest milestone in our container security solution that we are building with our partner Snyk. You can now run Snyk vulnerability scans directly from the Docker Desktop CLI.  Combining this functionality with Docker Hub scanning functionality that we launched in October provides you with the flexibility of including vulnerability scanning along multiple points of your development inner loop, and provides better tooling for deploying secure applications.

You can decide if you want to run your first scans from the Desktop CLI side, or from the Hub.  Customers that have used Docker for a while tend to prefer starting from the Hub. The easiest way to jump in is to configure the Docker Hub repos to automatically trigger scanning every time that you push an image into that repo. This option is configurable for each repository, so that you can decide how to onboard these scans into your security program. (Docker Hub image is available only for Docker Pro and Team subscribers, for more information about subscriptions visit the Docker Pricing Page.)

Once you enable scanning, you can view the scanning results either in the Docker Hub, or directly from the Docker Desktop app as described in this blog

From the scan results summary you can drill down to first view the more detailed data for each scan and get more detailed information about each vulnerability type. The most useful information in vulnerability data is the Snyk recommendation on how to remediate the detected vulnerability, and if a higher package version is available where the specific vulnerability has already been addressed.  

Detect, Then Remediate 

If you are viewing vulnerability data from the Docker Desktop, you can start remediating vulnerabilities, and testing remediations directly from your CLI.  Triggering scans from Docker Desktop is simple – just run docker scan, and you can run iterative tests that confirm successful remediation before pushing the image back into the Hub.  

For new Docker users, consider running your first scans from the Desktop CLI. Docker Desktop Vulnerability Scanning CLI Cheat Sheet is a fantastic resource for getting started.  

The CLI Cheat Sheet starts from the basics, which are also described in the Docker Documentation page on Vulnerability scanning for Docker local images – including steps for running your first scans, description of the vulnerability information included with each scan result, and docker scan flags that help you specify the scan results that you want to view.  Some of these docker scan flags are – 

  • --dependency-tree - displaying the list of all the package underlying dependencies that include the reported vulnerability
  • --exclude base - running an image scan, without reporting vulnerabilities associated with the base layer
  • --f - including the vulnerability data for the associated Dockerfile 
  • --json - displaying the vulnerability data in JSON format

The really cool thing about this Cheat Sheet is that it shows you how to combine these flags to create a number of options for viewing your data – 

  • Show only high severity vulnerabilities from layers other than the base image: 
    • $ docker scan myapp:mytag --exclude-base \ --file path/to/Dockerfile --json | \ jq '[.vulnerabilities[] | select(.severity=="high")]' 
  • Show high severity vulnerabilities with an CVSSv3 network attack vector: 
    • $ docker scan myapp:mytag --json | \ jq '[.vulnerabilities[] | select(.severity=="high") | select(.CVSSv3 | contains("AV:N"))]' 
  • Show high severity vulnerabilities with a fix available: 
    • $ docker scan myapp:mytag --json | \ jq '[.vulnerabilities[] | select(.nearestFixedInVersion) | select(.severity=="high")]' 

Running the CLI scans and remediating vulnerabilities before you push your images to the Hub, reduces the number of vulnerabilities reported in the Hub scan, providing your team with a faster and more streamlined build cycle  

To learn more about running vulnerability scanning on Docker images, you can watch “Securing Containers Directly from Docker Desktop” session, presented during SnykCon.  This is a joint presentation by Justin Cormack, Docker security lead, and Danielle Inbar, Snyk product manager, discussing what you can do to leverage this new solution in the security programs of your organization