5 Best Vulnerability Scan Tools for Docker Images

Docker Security Guide Blog Series [Part 2]

NOTE: This is the second part of a blog series.

Part 1: – Introduction to Docker, Security Best Practices, and Scans

Part 2: – Docker Vulnerability Scan Tools

Part 3: – QUALYS – Deploying sensor in AWS ECS Cluster

Index

Part 1: Introduction to Docker, Security Best Practices, and Scans

1. Docker Technology: An Overview
2. Docker Security: A Tricky Way
3. Docker Security Best Practices
4. Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)

Part 3: QUALYS – Deploying sensor in AWS ECS Cluster

1. Login to the Qualys
2. Download the QualysContainerSensor.tar.xz file
3. Download the container sensor.
4. Sensor package operations
5. Push the Qualys sensor image to an AWS ECR repository.
6. Modify the cssensor AWS ECS JSON file
7. Import the JSON file
8. Task execution IAM role configurations
9. Select the AWS Cluster
10. Select the task definition
11. Create task definition
12. Final Qualys Container Security module

1. Docker Vulnerability Scan Overview

As we all know, docker technology brings us many advantages such as:

• Rapid application development,
• Elasticity,
• Scalability,
• Ease of use.

Unfortunately, in addition to these advantages, docker images include many attack surfaces on different layers too. How can we be sure that docker images are free of known vulnerabilities?

We might think that docker images marked as “Trusted” or “Official” are free of vulnerabilities, but this would be a wrong assumption. It means the images are authentic and official releases but they are not necessarily free of vulnerability.

Every day, we face hundreds of new vulnerabilities and different hacking scenarios on libraries and operating systems. How can we handle this issue?

The answer is vulnerability scanning.

Docker image vulnerability scanning could be defined as identifying known security vulnerabilities in the packages listed in the Docker image. Vulnerability scanning allows us to find vulnerabilities in container images and fix them before using or pushing the image to Docker Hub or any Docker registry. In addition, a vulnerability scan provides users with visibility into the security postures of their Docker images.

For detailed information on vulnerability scanning, check out this blog post: Vulnerability Scanning

2. Docker Vulnerability Scan Tools

There are many open-source code tools for Docker vulnerability scanning. We have summarized a few tools and their usage for you:

2.1. Docker Bench for Security

This security tool is based on CIS Docker Benchmarks for all automated scans. Scans can be performed with a docker image or a shell script. Scan results include vulnerabilities related to the host configuration, docker daemon configuration and files, container images and build files, container runtime, Docker security operations, and docker swarm configurations. By using this tool, you will check if you have applied best practices on your docker images and you will be able to get action-related warnings.

The coding below shows how to install all related packages and Docker Bench for Security on Ubuntu 20.04:

$ sudo apt-get install git -y
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security

After you run your docker images locally, you can run your tests with:

$ sudo sh docker-bench-security.sh

After running tests, an example of scanning results for a running docker image can be seen below:

You may access more details about Docker Bench for Security here.

2.2. Dive

Dive is not exactly a vulnerability scanning tool, but it helps to discover layers and permissions of the docker images. Also, it estimates image efficiency. It shows basic layer info and an experimental metric that will guess how much wasted space your image contains.

To install the Dive environment on Ubuntu 20.04:

$ wget https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.deb
$ sudo apt install ./dive_0.9.2_linux_amd64.deb

After installation, you can run Dive with:

$ dive docker <docker_name>

After running tests, an example of scanning results for a running docker image can be seen below:

2.3. InSpec

InSpec is an open-source testing framework for Docker images. You could verify the state of your Docker images against a security or compliance baseline. There are lots of checkpoints for your images such as Linux baseline, CIS Docker Benchmark, etc. You can access them from here.

To install the InSpec environment on Ubuntu 20.04:

$ apt-get -y install ruby ruby-dev gcc g++ make
$ gem install inspec

After installation, you can run Inspec with:

$ inspec exec https://github.com/dev-sec/linux-baseline -t docker://<docker_id>

After running tests, an example of scanning results for a running docker image can be seen below:

Also see: Methods For Exploiting File Upload Vulnerabilities

2.4. Scan on Push: AWS ECR

Amazon ECR is a service that manages container registries for storing, managing, and deploying container images. If you’re managing your user docker images with AWS ECR, you can scan your images which help to improve the security of your application’s container images. Additionally, you can enable the “scans on push” feature for your repositories to ensure every image automatically goes through vulnerability scanning. AWS ECR uses CVE databases for findings.

To enable the scan on push feature:

$ aws ecr create-repository --repository-name <addyourreponame>
--image-scanning-configuration scanOnPush=true

After pushing your docker images to the cloud, you could see your scan results on the AWS console in detail. After you get results, you can fix vulnerabilities with security updates. An example report can be seen below:

2.5. Trivy

Trivy is an open-source vulnerability scanner for your docker images announced by Aqua Security. In addition to docker images, Trivy can scan your filesystems and git repositories for you. It can detect vulnerabilities in minutes and be suitable for CI & CD processes. Trivy can be installed in many Linux distributions easily. It lists vulnerabilities and related libraries with detailed information such as the installed library version on the docker, the fixed version that should be installed, severity level, etc.

To install all related packages and Docker Bench for Security on Ubuntu 20.04:

$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy

After installation, you can run Trivy with:

$trivy image [YOUR_IMAGE_NAME]

After running tests, an example of scanning results for a running docker image can be seen below:

Conclusion

This blog post has provided an overview of Docker vulnerability scanning and management tools.

• We have explored the importance of vulnerability scanning and the potential vulnerabilities that may be present in Docker images.
• We have talked about Docker vulnerability scan and management tools, Docker Bench for Security, Trivy, Inspec, AWS ECR, and Dive.
• Furthermore, we have introduced the Qualys container sensor and how it can be used to scan for vulnerabilities in Docker images.

By following the steps outlined in this blog post, you can ensure that your Docker images are free from known vulnerabilities and that you have taken the necessary security precautions to protect your applications.

In Part 3 – QUALYS Deploying sensor in AWS ECS Cluster blog, we show you all the required steps to deploy the sensor in AWS ECS Cluster. Click here to read it now!

Check out our Cloud Security and Vulnerability Management services to stay secure!