Secure from the Start: Shift Vulnerability Scanning Left in Docker Desktop

Marina Kvitnitsky

Sep 15 2020

Application delivery velocity can be tripped up when security vulnerabilities are discovered after an app is deployed into production. Nothing is more detrimental to shipping new features to customers than having to go back and address vulnerabilities discovered in an app or image you already released. At Docker, we believe the best way to balance the needs for speed and security is to shift security left in the app delivery cycle as an integral part of the development process. 

Integrating security checks into Docker Scan was the driver behind the partnership with Snyk, one of the leading app security scan providers in the industry. This partnership, announced in May of this year, creates a vision for a simple and streamlined approach for developers to build and deploy secure containers. And today, I’m excited to share that the latest Docker Desktop Edge release includes Snyk vulnerability scanning. This allows Docker users to trigger scans of local Dockerfiles and local images directly from the Docker Desktop CLI. With the combination of Docker Scan and Snyk, developers gain visibility into open source vulnerabilities that can have a negative impact on the security of container images. Now you can extend your workflow to include vulnerability testing as part of your inner development loop. Triggered from the Docker Desktop CLI, the Snyk vulnerability scans extend the existing, familiar process of vulnerability detection, and allow for remediation of vulnerabilities earlier in the development process. This process of simple and continuous checks leads to fewer vulnerabilities checked into Docker Hub, a shorter CI cycle, and faster and more reliable deployment into production.

With that, let me show you how it works.

To begin, authenticated Docker users can run a scan by entering these Docker CLI commands:

  • To find their local image

$ docker pull username/imageName

  • And run a scan

$ docker scan username/imageName

The docker scan CLI command supports several flags that control how the scan runs:

  • --exclude-base flag excludes base image vulnerabilities from the CLI scan results, allowing users to reduce the volume of reported vulnerabilities and focus vulnerability reporting on their own image updates
  • --json flag displays scan results in JSON format
  • --dependency-tree flag provides the mapping of image dependencies before listing vulnerability data
  • -f, --file flag indicates the location of the Dockerfile associated with the image, extending vulnerability scanning results using the contents of the Dockerfile to further identify potential vulnerabilities across all the image manifests

You can also combine multiple flags in a single CLI command, for additional flexibility in consuming vulnerability data. Scan results include:

  • Vulnerability descriptions
  • Vulnerability severities
  • Image layer associated with the vulnerability, including the Dockerfile command, if you’ve associated the Dockerfile with the scan
  • Exploit maturity, so you can easily identify which vulnerabilities have a known functioning exploit
  • Available suggestions for remediation: rebuilding if the base image is out-of-date, slimmer alternative images that can help reduce vulnerabilities, or package upgrades that resolve a vulnerability

Invoking scanning through the Docker Desktop CLI allows you to test iteratively for new vulnerabilities while working on image updates, by:

  • Making image updates
  • Running a scan
  • Discovering new vulnerabilities introduced with the latest updates
  • Making more updates to remove these vulnerabilities
  • Confirming vulnerability removal by running another scan
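As an added example (not code from Docker or Snyk), here is a small Python gate over docker scan --json output that applies the loop above: it flags findings at or above a chosen severity, or of any severity whose exploit maturity shows a known functioning exploit, and collects the suggested package upgrade for each upgradable finding. The JSON field names (vulnerabilities, severity, exploit, isUpgradable, upgradePath) and the exploit-maturity labels are assumptions based on Snyk's JSON output, and the sample scan data is constructed.

```python
"""Gate on `docker scan --json` output. Added example, not Docker's or Snyk's code.
Field names and exploit-maturity labels are assumptions based on Snyk JSON output."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `docker scan --json username/imageName`.
SAMPLE_SCAN_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Example overflow", "severity": "high",
         "packageName": "libexample", "version": "1.0.0", "exploit": "Mature",
         "isUpgradable": True, "upgradePath": [False, "libexample@1.0.1"]},
        {"id": "SNYK-EXAMPLE-2", "title": "Example DoS", "severity": "medium",
         "packageName": "libother", "version": "2.3.0", "exploit": "Not Defined",
         "isUpgradable": False, "upgradePath": []},
        {"id": "SNYK-EXAMPLE-3", "title": "Example info leak", "severity": "low",
         "packageName": "libthird", "version": "0.9", "exploit": "Proof of Concept",
         "isUpgradable": True, "upgradePath": [False, "libthird@0.9.1"]},
    ],
})

def parse_scan(json_text):
    """Return the vulnerability records from docker scan --json output."""
    return json.loads(json_text).get("vulnerabilities", [])

def blocking_findings(vulns, min_severity="high", exploit_levels=("Mature",)):
    """Findings that fail the check: at/above min_severity, or any severity
    whose exploit maturity shows a known functioning exploit."""
    threshold = SEVERITY_RANK[min_severity]
    return [v for v in vulns
            if SEVERITY_RANK.get(v.get("severity", "low"), 0) >= threshold
            or v.get("exploit") in exploit_levels]

def remediation_hints(vulns):
    """Map vulnerability id -> upgrade target for upgradable findings."""
    return {v["id"]: v["upgradePath"][-1]
            for v in vulns if v.get("isUpgradable") and v.get("upgradePath")}

def scan_passes(json_text):
    """True when nothing blocking remains; rerun after each image update."""
    return not blocking_findings(parse_scan(json_text))

if __name__ == "__main__":
    vulns = parse_scan(SAMPLE_SCAN_JSON)
    for v in blocking_findings(vulns):
        print(f"{v['severity']:8} {v['id']} {v['packageName']}@{v['version']}")
    print("upgrades:", remediation_hints(vulns))
    print("pass" if scan_passes(SAMPLE_SCAN_JSON) else "fail")
```

In practice the JSON would come from piping docker scan --json (optionally with --exclude-base) into this script, and a failing gate sends you back to the "Making more updates" step before the next scan.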

You can start taking advantage of this today in the latest release of Docker Desktop Edge.

After you download the new bits, you can get more comprehensive details on the scan functionality in the Docker documentation.

Finally, we have an upcoming webinar that takes you through the inner workings of the enhanced security capabilities in this new release. You can get more information and sign up for the webinar at this link. 

And stay tuned for further updates on triggering vulnerability scans from the Docker Hub.  

Next steps:

Sign up for a free Snyk ID and read the Snyk blog to learn more about the integration.