Docker Announces the General Availability of Security Scanning to Safeguard Container Content Across the Software Supply Chain
New container-optimized security service enables granular auditing, vulnerability assessment and ongoing compliance for Docker users
San Francisco– May 10, 2016 – Docker, Inc. today announced announced the general availability of Docker Security Scanning, an opt-in service for Docker Cloud private repo plans that provides a security assessment of the software included in container images. Docker Security Scanning enables detailed image security profiles, continuous vulnerability monitoring and notifications for integrated content security across the entire software supply chain. Docker Security Scanning provides binary level scanning, generating a detailed security profile for each Docker image, including details that allow IT operations to assess if the software meets its security compliance standards. The service works seamlessly with existing dev and IT workflows and scans every time a change is shipped, adding a checkpoint before deployment.
"The output data that we received from the Docker Security Scanning proved to be very valuable to us,” said Valentin Chartier, Senior Manager of Cloud Services at HomeByMe-3DVIA, a Dassault Systemes (3DS) company. “This tool is a very effective for reviewing our components and for building a security profile for the images within our scanned private repos. The process is seamless. Our images are scanned from our private repository, hosted within Docker Hub, without having to make any changes to our existing process. Since the tool operates on a binary level, we can trust that all the installed components are scanned."
Docker Security Scanning works across any application and across all major Linux distributions which allow for integration into a Containers as a Service (CaaS) workflow that improves an organization’s security posture through central IT managed secure content. Also released as part of this security enhancement is an update to Docker Bench, which automates validating a host’s configuration against the CIS Benchmark recommendations. With this update, Docker users can implement recommendations from the latest CIS Docker Benchmark to ensure that their platform is configured to be in-line with the best practices outlined for Docker Engine 1.11.
"We’ve made it our goal to secure the global software supply chain from development, test to production,” said Nathan McCauley, Director of Security at Docker. “As with all of Docker’s tooling, Docker Security Scanning works as an integrated component without any disruption to developer productivity. In fact, Docker Security Scanning enables developers to accelerate their workflows while providing greater visibility into the Docker images they choose to run in their environment. In turn, with usable security capabilities and granular control, IT operations is able to flexibly configure the security policies needed to safeguard their infrastructure."
Docker image scanning and vulnerability detection provide a container-optimized capability for granular auditing of images. The results are presented in a Bill of Materials (BOM) containing the details of the image layers and components, along with the security profile of each component. This allows ISVs (Independent Software Vendors) and app teams to make informed decisions regarding that content based on their respective security policies. With this information, ISVs can actively fix vulnerabilities to maintain high-quality security profiles of their content that they can then transparently expose to their end users. Meanwhile, app teams can decide if they want to use an ISV image based on the displayed profile and flexibly use Security Scanning to check the additional code before deciding to deploy.
“After using Docker Security Scanning to inspect our private repo, it became clear to us that the best course of action would be to migrate to a new base image,” said Ami Goldenberg, Co-Founder and CTO at FairFly. “By using this tool, we can be assured that we are building a secure environment for all of our business-critical Dockerized applications.”
“The data provided by Docker Security Scanning allows us to focus on the security of the software we write,” said Matthew Rea, Senior Manager of Engineering at Harbortouch. “It gives us the reassurance we need to know that all the underlying container images have been scanned and are safe to use in an enterprise environment.”
In addition to improving the integrity of container content, Security Scanning streamlines ongoing operations by automating the cumbersome aspects of maintaining software compliance. Previously, IT operations would have to rely on the information published by each ISV on the state of their content to the CVE (Common Vulnerability and Exposures) databases and have to manually monitor the CVE databases for any issues. Docker Security Scanning automates this process and notifies the organization when a CVE is reported for any component within the images, enabling IT to address the issue quickly. With Docker, ISVs will have an opportunity to market their up-to-date secure content, with thorough details on what’s inside the container image, to a user community that is pulling 4,000 containers a minute.
Docker Security Scanning is available today to Docker Cloud users with a private repo plan, expanding to include all Docker Cloud repo users by the end of Q3. Pricing begins at $2 per repo as an add-on service for private repo plans. Docker Security Scanning will also be available as an integrated feature in Docker Datacenter during the second half of 2016.