Docker Security Scanning safeguards the container content lifecycle
written by Lily Guo, Toli Kuznets and Nandhini Santhanam
Today we announced the general availability of Docker Security Scanning, formerly known as Project Nautilus. Available today as an add-on service to Docker Cloud private repositories and for Official Repositories located on Docker Hub, Security Scanning provides a detailed security profile of your Docker images for proactive risk management and to streamline software compliance. Docker Security Scanning conducts binary level scanning of your images before they are deployed, provides a detailed bill of materials (BOM) that lists out all the layers and components, continuously monitors for new vulnerabilities, and provides notifications when new vulnerabilities are found.

When you consider the modern software supply chain, it typically includes a number of different development and IT teams in a company coordinating across time zones, stacks and infrastructure to build, ship and run software. The primary concerns of app dev teams are to build the best software and get it to their customer as fast as possible. However, the software supply chain does not stop with developers, it is a continuous loop of iterations, sharing code with teams and moving across environments. Docker makes app portability frictionless and secure by default with a secure platform, controls for secure access and capabilities to secure content. Docker Security Scanning delivers secure content by providing deep insights into Docker images along with a security profile of its components. This information is then available at every stage of the app lifecycle.
Let’s dig into Docker Security Scanning in more detail and walk through how it works.
Deep visibility into security profile
The Docker Security Scanning service starts when a user or publisher pushes an image to a repo in Docker Cloud. The scanner service takes the image and separates it into its layers and components. The components are then sent to the validation service, which checks them against multiple CVE databases by package name and version and also performs a binary-level scan of the content inside each package.
This last step matters because it confirms that a package is what its name and version claim it to be.
A Docker image is made up of many layers; a single layer can contain many components or packages, each with a name and a version number. When vulnerabilities are reported to the CVE databases, they are tied to a package name and a specific version number.

Docker Security Scanning therefore checks not only the packages reported by the system package manager (dpkg -l or yum list installed), but also any statically linked libraries, so that it can correctly identify components whose libraries carry a backported fix while still reporting a version number that was previously vulnerable. This reduces the false positives that occur when a previously reported package is remediated without a package version change, and it also catches the case where someone deliberately renames a bad package for distribution.
Docker Security Scanning supports a broad range of operating systems, including all major Linux distributions and Windows Server, as well as languages and binaries.
Once everything is scanned and the results are returned, the detailed BOM is generated and stored in the Docker Security Scanning database for each image and tag. The results are sent to Docker Cloud and presented in the UI along with the BOM for each scanned repo tag.
Continuous monitoring and notifications
Scanning an image provides insight at a single point in time. Docker Security Scanning goes a step further to make sure your images stay safe with ongoing monitoring and notifications. The Docker Security Scanning database stores the detailed image BOMs and the vulnerability status of every component. When a new vulnerability is reported to a central CVE database, Docker Security Scanning checks the service database to see which images and tags contain the affected package and notifies the repo admin via email.
These notifications contain information about the vulnerability itself and list the repos and tags that contain it. With this information, IT teams can proactively manage software compliance requirements: they know which vulnerabilities affect which pieces of software, can review the severity of each one, and can make an informed decision on a course of action.
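The matching step described above, as an added example that is not Docker's own code: each scanned tag has a stored BOM of layers and packages, and when a new advisory arrives every tag that ships an affected build of the package is listed in a notification. Versions are compared as version-release strings in the order a distro package manager would use, so a backported fix that only bumps the release number is not reported as vulnerable (the false-positive case discussed earlier). The repos, tags, packages, the comparison routine and the EXAMPLE-CVE-0001 advisory are all constructed for this example; the version comparison is a simplified stand-in for the real rpm/dpkg algorithms and omits epochs and tilde handling.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    version: str  # "version-release" as reported by dpkg -l / rpm -q


@dataclass
class ImageBom:
    distro: str
    layers: List[List[Package]] = field(default_factory=list)


@dataclass(frozen=True)
class Advisory:
    cve: str       # constructed identifier for the example, not a real CVE
    distro: str
    package: str
    fixed_in: str  # first version-release that carries the fix


_SEG = re.compile(r"\d+|[A-Za-z]+")


def compare_versions(a: str, b: str) -> int:
    """Simplified rpm/dpkg-style ordering (constructed for this example):
    split into numeric and alphabetic segments; numbers compare as integers,
    letters lexically, and a numeric segment sorts after an alphabetic one.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def affected_tags(advisory: Advisory, boms: Dict[str, ImageBom]) -> Dict[str, List[Tuple[int, Package]]]:
    """Look the advisory up against every stored BOM. Returns
    {tag: [(layer_index, package), ...]} for tags that ship a build of
    advisory.package older than advisory.fixed_in on the advisory's distro."""
    hits: Dict[str, List[Tuple[int, Package]]] = {}
    for tag, bom in boms.items():
        if bom.distro != advisory.distro:
            continue
        for idx, layer in enumerate(bom.layers):
            for pkg in layer:
                if pkg.name == advisory.package and compare_versions(pkg.version, advisory.fixed_in) < 0:
                    hits.setdefault(tag, []).append((idx, pkg))
    return hits


def notification(advisory: Advisory, hits: Dict[str, List[Tuple[int, Package]]]) -> str:
    """Text of the email the post describes: the vulnerability plus the repos
    and tags that contain it."""
    lines = [f"{advisory.cve}: {advisory.package} < {advisory.fixed_in} on {advisory.distro}"]
    for tag in sorted(hits):
        for idx, pkg in hits[tag]:
            lines.append(f"  {tag} (layer {idx}): {pkg.name} {pkg.version}")
    return "\n".join(lines)


# Constructed BOMs for three tags across two repos.
BOMS: Dict[str, ImageBom] = {
    "acme/web:1.0": ImageBom("fedora", [[Package("bash", "4.3.43-3"), Package("openssl", "1.0.2h-1")],
                                        [Package("nginx", "1.10.0-1")]]),
    "acme/web:1.1": ImageBom("fedora", [[Package("bash", "4.3.43-4"), Package("openssl", "1.0.2h-1")],
                                        [Package("nginx", "1.10.0-1")]]),
    "acme/api:2.0": ImageBom("debian", [[Package("bash", "4.3-14")], [Package("curl", "7.47.0-1")]]),
}

# Constructed advisory: the fix is a backport that keeps upstream 4.3.43 and
# only bumps the release to 4, so 4.3.43-3 is affected and 4.3.43-4 is not.
ADVISORY = Advisory("EXAMPLE-CVE-0001", "fedora", "bash", "4.3.43-4")

if __name__ == "__main__":
    print(notification(ADVISORY, affected_tags(ADVISORY, BOMS)))
```

Run as-is and only acme/web:1.0 is listed: acme/web:1.1 carries the backported release and acme/api:2.0 is on a different distro, so neither generates a notification. Matching on the upstream version string alone would have flagged both bash builds.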
Secure across the content lifecycle
Docker Security Scanning is an exciting addition to the Docker workflow to help companies build, ship and run the safest software possible. When combined with Content Trust, you can guarantee that the software is what you say it is, was made by who you say made it, and that it hasn't been tampered with along the way. For example, Official Repos have been using Security Scanning since DockerCon EU in Nov 2015 to understand their vulnerability profile, remediate issues and distribute updated images signed with Content Trust. This has enabled Docker to work with upstream partners to provide better and safer images for you.
Availability and Getting Started
Docker Security Scanning is available today in Docker Cloud for private repo plan customers as a limited-time free trial. You can also see scan results for Docker's Official Images on Docker Hub as long as you are logged in, regardless of whether you are a subscriber. Security Scanning will soon be expanding to Docker Datacenter and to Docker Cloud public repo users.
Try in Docker Cloud:
To try this feature, go to Account Settings > Plans and select the checkbox. Once activated, the three most recent tags for each private repo will be scanned and the resulting BOM displayed in the tags section within 24 hours. Afterwards, Docker Security Scanning will scan your image tag every time you push.
The screenshot below shows the plans page of a user with a 5 private repo plan. The checkbox to opt-in to Docker Security Scanning appears at the bottom of the Plan summary.
If you have a Docker Hub account and have never tried Docker Cloud – don’t worry! Your same login credentials work in Docker Cloud. The native integration ensures that your Docker Hub repos display within the Docker Cloud “Repositories” section. Private repo plans start at $7 per month for 5 private repositories and are available within Docker Cloud.
More Resources for Docker Security Scanning:
- Sign up today for Docker Cloud
- Save your seat for the webinar
- Read the Security Scanning documentation
- Learn more about The Modern App Platform
Chris Close
May 10, 2016 at 4:11 pm
Hey, is there a way to enable this for an organisation account?
Victor Coisne
May 12, 2016 at 2:30 pm
Support for organizations is coming later, working on that right now
David
May 10, 2016 at 5:27 pm
Hi Toli,
How can I view the security scan on https://hub.docker.com/_/ghost/ ?
Love this!
David
Victor Coisne
May 12, 2016 at 2:30 pm
You need to be logged in to Hub to see scan results
David
May 13, 2016 at 6:30 pm
I'm logged in to Hub. It looks like the scan feature is not available for https://hub.docker.com/_/ghost/ ?
I do not own this repo. I use it, and want to have a fresh scan each time I do. possible?
Thanks, David
Toli Kuznets
August 7, 2016 at 4:10 pm
David,
The images are scanned, and appear that way to me when I am logged on.
Contact me directly if you are still having issues.
Giampiero Gabbiani
May 12, 2016 at 12:36 am
Hi Toli,
very interesting article.
We are testing, on premises, a Docker Datacenter based solution for running enterprise applications on containers.
Some questions about this topic:
– Will it be possible to bring such a service on premises?
– Will it be possible to customize the policies according to enterprise-specific security rules (our customer has very challenging requirements)?
– Is this solution based on the Notary project, or is it a completely new one?
Many thanks in advance
Giampiero
Victor Coisne
May 12, 2016 at 2:31 pm
A. on-premise DDC scanning is coming, working on that.
B. We will have some amount of customization, don’t have it finalized yet, but will definitely listen to customer feedback
C. Scanning is a separate solution, it hooks into Notary only when you decide to sign images that pass the scans
Stefan Lueders
May 12, 2016 at 6:36 am
Hello !
Great tool!!!!
Any chance to be able to install/port it towards local installations not using Docker Hub (we run our own Docker instance…)?
Cheers, S>>L
Toli Kuznets
May 12, 2016 at 5:49 pm
Docker Security Scanning will be integrated with Docker Data Center in the future.
We don't have plans to integrate it with other self-hosted local instances yet.
Gio
May 17, 2016 at 11:50 am
It was really nice to see all those images we depend on heavily being scanned. Not so nice that they had lots of vulnerabilities but it was nice of Docker to offer this service for official images.
I just can't find that information anymore on Docker Hub. I hope it is a temporary hiccup and we'll see the security scanning results again there 🙂
Toli Kuznets
May 18, 2016 at 11:15 am
Gio,
Weird – I can see the Official Images scans on Hub just fine, you just need to be logged in.
If you are still experiencing problems, please open a ticket with our support and we'll figure out what the issue is.
Mihoko
May 18, 2016 at 12:32 am
Hi,
I am curious about how you guys are dealing with the vulnerabilities. Is there a chance you can share more detail?
Toli Kuznets
May 18, 2016 at 11:19 am
For Official Images, when a new vulnerability is discovered we reach out to the upstream maintainers or app developers, and apply any available patches and rebuild images as soon as possible.
We've worked closely with Canonical, for example, to get Ubuntu images cleaned up; and we did the same with Debian and Alpine teams as well.
If a patch is not yet available, we apply it whenever upstream gets fixed. For some images, we've created pull requests to have the fixes applied upstream so that they benefit everybody.
Jay K
July 14, 2016 at 9:55 am
Is this solution available for private enterprise registries?
Toli Kuznets
July 25, 2016 at 10:19 am
Not yet – we are working on integrating the scanning solution with Docker Trusted Registry and make it part of Docker Data Center, that's coming later this year.
Toli Kuznets
February 27, 2017 at 11:48 am
And now it is – the latest release of Docker Data Center has on-premises scanning integrated with the offering.
So you can have this solution for private enterprise registries, see https://www.docker.com/products/docker-datacenter
sokisoba
June 14, 2017 at 12:50 pm
This link gets redirected to the toolbox.
I'm guessing the correct link is: https://www.docker.com/enterprise-edition#/container_management
Donislav
October 11, 2016 at 8:24 am
May I please ask you to elaborate more on the layer scanning concept? I am submitting an image that was built by apt-get upgrade in one layer; then in the next few layers I add another repo and upgrade certain packages so they are at higher versions in the final image. But with this layered concept you report that this image has vulnerabilities because in the lower layers these same packages are at lower versions, although in the final image they are fine!
Toli Kuznets
March 21, 2017 at 6:07 pm
Your observations are the intended behaviour.
If you have some vulnerable components in the intermediate layers, we will still report them for that layer even if the final image is "free of vulnerabilities".
It is what it is – the vulns are there, and we show them.
If possible, use a newer base image that has resolved the vulnerability (we update base images frequently); or make the appropriate modifications if you own the base image as well.
niraj vara
October 24, 2016 at 10:25 pm
Hi,
After the free scan, how do I proceed with further scans? Where do I get more details about it?
Can I run the security scan on images I created myself?
Toli Kuznets
February 27, 2017 at 11:49 am
Niraj,
You can enable scanning for your own private images through the Docker Cloud UI, in the settings. See the docs at https://docs.docker.com/docker-cloud/builds/image-scan/
Toli Kuznets
October 26, 2016 at 3:16 pm
If you have multiple layers, and one of them has a vulnerability we will report it, even if a different layer overwrites the file so that the resulting binary is different.
You technically have the vuln in your image, so we report it.
Is it possible for you to update the actual layer that contains the vulnerability?
If you are basing on a base layer, we update those as soon as they are fixed, so you will need to rebuild your image.
Connie
March 16, 2017 at 11:44 am
Is there a way to see a list of vulnerabilities at the end? I understand the base layers need to get fixed but maybe we don't want to update them as often. If I update a vulnerable component in another layer then it's been fixed. This final summary list of vulnerabilities would be useful.
Toli Kuznets
March 21, 2017 at 6:09 pm
That's an excellent feature request – reporting all the vulnerabilities is currently on our roadmap, we'll work on getting that out sometime soon.
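The two readings of a layered image that Donislav's question, Toli's replies and Connie's request above are about, as an added example that is not Docker's own code: the scanner reports a vulnerable package in the layer that introduced it even when a later layer upgrades it, while the "effective" view is what the final union filesystem actually contains. The layers, package versions and the vulnerable set are constructed for the example, and each layer dict is assumed to hold only the packages that layer added or replaced.

```python
from typing import Dict, List, Set, Tuple

Layer = Dict[str, str]            # package name -> version-release
Finding = Tuple[int, str, str]    # (layer index, name, version)

# Constructed image: layer 0 is the base, layer 1 runs an upgrade against a
# newer repo (bash and openssl replaced), layer 2 adds the application.
LAYERS: List[Layer] = [
    {"bash": "4.3-14", "openssl": "1.0.1t-1", "libc6": "2.19-18"},
    {"openssl": "1.0.2k-1", "bash": "4.4-5"},
    {"nginx": "1.10.3-1"},
]

# Constructed: (name, version) pairs an advisory feed marks as vulnerable.
VULNERABLE: Set[Tuple[str, str]] = {
    ("bash", "4.3-14"), ("openssl", "1.0.1t-1"), ("libc6", "2.19-18"),
}


def per_layer_findings(layers: List[Layer], vulnerable: Set[Tuple[str, str]]) -> List[Finding]:
    """The service's view: every matching package in every layer, whether or
    not a later layer replaces it. The vulnerable bytes are still in the image."""
    return [
        (idx, name, ver)
        for idx, layer in enumerate(layers)
        for name, ver in sorted(layer.items())
        if (name, ver) in vulnerable
    ]


def effective_packages(layers: List[Layer]) -> Layer:
    """Overlay layers in order the way the union filesystem does: the last
    layer that ships a package wins."""
    final: Layer = {}
    for layer in layers:
        final.update(layer)
    return final


def effective_findings(layers: List[Layer], vulnerable: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Vulnerable packages still present in the final filesystem: what a
    running container would actually expose."""
    return sorted(
        (name, ver) for name, ver in effective_packages(layers).items()
        if (name, ver) in vulnerable
    )


def masked_findings(layers: List[Layer], vulnerable: Set[Tuple[str, str]]) -> List[Finding]:
    """Per-layer findings that a later layer has already upgraded away. They
    only leave the report when the image is rebuilt on a base that already
    carries the fix, which is the remediation recommended in the thread."""
    still_present = set(effective_findings(layers, vulnerable))
    return [f for f in per_layer_findings(layers, vulnerable) if (f[1], f[2]) not in still_present]


if __name__ == "__main__":
    print("per layer:", per_layer_findings(LAYERS, VULNERABLE))
    print("effective:", effective_findings(LAYERS, VULNERABLE))
    print("masked:   ", masked_findings(LAYERS, VULNERABLE))
```

With the constructed layers, the per-layer view lists bash, libc6 and openssl from the base layer; the effective view lists only libc6, which nothing upgraded; and the masked list is exactly the bash and openssl findings that a rebuild on a patched base would remove. Both views are worth having: the effective list is what to fix first in the running container, the per-layer list is what is still shipped inside the image.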
Georg Sauthoff
March 19, 2017 at 5:37 am
Where should I report Docker Security Scanning service bugs?
For example false positives.
Example:
https://hub.docker.com/r/library/fedora/tags/25/ currently lists CVE-2016-7543 for bash 4.3.43.
But I've checked it and the included bash-4.3.43-4.fc25.x86_64 isn't vulnerable.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1379634
http://seclists.org/oss-sec/2016/q3/617
Toli Kuznets
March 21, 2017 at 6:10 pm
You can report false positives by clicking the "Provide Feedback" link, and sending us the information by email.
We take false positives seriously, and we'll work to clean them up.
Ingo Maas
May 29, 2017 at 12:43 am
Two months later, CVE-2016-7543 is still reported for library/fedora:latest. Is there any progress in fixing false positives?
Toli Kuznets
May 30, 2017 at 2:50 pm
Ingo,
We are in the middle of a big push to clean up all the RedHat variants – RHEL, Fedora and CentOS right now.
So a major cleanup of false positives in RedHat-derivatives is coming.
About CVE-2016-7543 specifically – isn't it still applicable according to https://access.redhat.com/security/cve/CVE-2016-7543? Feel free to email us directly via the "Provide Feedback" link at the top of the scan page.
Xiang Cai
December 19, 2017 at 10:56 pm
We have several private repositories in Docker Cloud, but we cannot get vulnerability reports after images are pushed.
I enabled Firebug to trace the response when viewing the image tag list, and found this error message:
{
"Code": 404,
"Message": "Failed to validate user with error: [Not nautilus enabled]"
}
While in another organization, the same Docker ID can view vulnerability reports from other private repos.
Would someone advise why we cannot get vulnerabilities reports here?
Victor Coisne
December 20, 2017 at 9:41 am
Hi Xiang – please create a support ticket via support@docker.com and share more information about the namespace/org where it is occurring?