5 Best Vulnerability Scanning Tools for Docker Images

May 11, 2021



Docker Security Guide Blog Series [Part 2]

NOTE: This is the second part of a blog series.

Part 1: Introduction to Docker, Security Best Practices and scans

Part 2: Docker Vulnerability Scan Tools

Part 3: QUALYS - Deploying sensor in AWS ECS Cluster

Overview

In Part 1, we discussed Docker technology in detail, reviewed some Docker security best practices, and briefly introduced a few Docker vulnerability scanning tools. As a continuation of Part 1, we will examine five Docker vulnerability scanning and management tools and provide installation and usage guides for each. If you want to follow along, use Ubuntu 20.04 as your operating system. Let's start!

Index

Part 1: Introduction to Docker, Security Best Practices and scans

  1. Docker Technology: An Overview
  2. Docker Security: A Tricky Way
  3. Docker Security Best Practices
  4. Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)

Part 2: Docker Vulnerability Scanning

Part 3: QUALYS - Deploying sensor in AWS ECS Cluster

  1. Login to the Qualys
  2. Download the QualysContainerSensor.tar.xz file
  3. Download the container sensor.
  4. Sensor package operations
  5. Push the Qualys sensor image to an AWS ECR repository.
  6. Modify the cssensor AWS ECS JSON file
  7. Import the JSON file
  8. Task execution IAM role configurations
  9. Select the AWS Cluster
  10. Select the task definition
  11. Create task definition
  12. Final Qualys Container Security module


1. Docker Vulnerability Scan Overview


As we all know, Docker technology brings us many advantages such as rapid application development, elasticity, scalability, and ease of use. Unfortunately, alongside these advantages, Docker images also expose attack surface at several layers (the base operating system, the installed packages, and the application and its libraries). How can we be sure that Docker images are free of known vulnerabilities? We might assume that images marked as "Trusted" or "Official" are free of vulnerabilities, but that would be a wrong assumption: these labels mean the images are authentic releases from the upstream project, not that they are free of vulnerabilities. Every day, we face hundreds of new vulnerabilities and attack scenarios targeting libraries and operating systems. How can we handle this? The answer is vulnerability scanning. Docker image vulnerability scanning can be defined as identifying known security vulnerabilities in the packages contained in a Docker image. Vulnerability scanning allows us to find vulnerabilities in container images and fix them before using the image or pushing it to Docker Hub or any other Docker registry. In addition, a vulnerability scan gives users visibility into the security posture of their Docker images.

2. Docker Vulnerability Scan Tools

There are many open-source tools for Docker vulnerability scanning. We have summarized a few of them and their usage for you:

2.1. Docker Bench for Security

This security tool automates the checks of the CIS Docker Benchmark. Scans can be performed with a Docker image or a shell script. Scan results cover the host configuration, the Docker daemon configuration and files, container images and build files, container runtime, Docker security operations, and Docker Swarm configuration. By using this tool, you can check whether you have applied best practices on your Docker host and images, and you get actionable warnings for each failed check. The commands below show how to install the required packages and Docker Bench for Security on Ubuntu 20.04:

$ sudo apt-get install git -y
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security

After you run your docker images locally, you can run your tests with:

$ sudo sh docker-bench-security.sh

After running the tests, an example of the scan results for a host with running containers can be seen below:

screenshot shows an example of Docker Bench for Security results

You may access more details about Docker Bench for Security here.
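Docker Bench for Security prints one line per check, prefixed with [PASS], [WARN], [INFO] or [NOTE], and does not fail a CI job on its own. The script below is an added example (not part of docker-bench-security) that parses that console output, counts the results, and fails the build when a WARN appears in a section you treat as mandatory. The sample output is constructed to mimic the tool's line format; the check ids and descriptions are illustrative, not captured from a real host.

```python
"""Summarise a Docker Bench for Security run and decide whether a CI job should pass.

Added example, not part of docker-bench-security itself. It parses the tool's
console output (the [PASS]/[WARN]/[INFO]/[NOTE] lines) and fails the build
when a WARN appears in a section declared mandatory.
"""
import re
from collections import Counter

# Matches lines such as "[WARN] 4.1 - Ensure a user for the container has been created"
CHECK_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")

# Constructed sample output: the ids and wording mimic the real tool's format,
# but this is not output captured from a real host.
SAMPLE_OUTPUT = """\
[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO]      * Install auditd. Usage: apt-get install auditd
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[WARN]      * Running as root: web
[PASS] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges
[INFO] Checks: 12
[INFO] Score: 2
"""


def parse_checks(output):
    """Return (status, check_id, description) for every check or section line."""
    checks = []
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:  # remediation detail lines ("* ...") and the totals do not match
            checks.append((m.group(1), m.group(2), m.group(3)))
    return checks


def summarise(checks):
    """Count results per status, ignoring section headers (ids without a dot)."""
    return Counter(status for status, cid, _ in checks if "." in cid)


def failing_checks(checks, required_sections):
    """WARN results whose id falls under one of the required top-level sections."""
    return [(cid, desc) for status, cid, desc in checks
            if status == "WARN" and cid.split(".")[0] in required_sections]


def gate(output, required_sections=("4", "5")):
    """True when no WARN is present in the required sections.

    Sections 4 (images and build file) and 5 (container runtime) are the
    default because they are the ones an image author can fix directly.
    """
    return not failing_checks(parse_checks(output), set(required_sections))


if __name__ == "__main__":
    checks = parse_checks(SAMPLE_OUTPUT)
    print(dict(summarise(checks)))
    for cid, desc in failing_checks(checks, {"4", "5"}):
        print(f"WARN {cid}: {desc}")
    print("gate:", "PASS" if gate(SAMPLE_OUTPUT) else "FAIL")
```

In a pipeline you would feed the script the log file written by `docker-bench-security.sh -l <file>` instead of the embedded sample; host-level warnings (section 1) are usually tracked separately because the image author cannot fix them.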

2.2. Dive

Dive is not exactly a vulnerability scanning tool, but it helps you explore the layers, files, and permissions of a Docker image. It also estimates image efficiency: it shows basic layer information and an experimental metric that estimates how much wasted space your image contains. To install Dive on Ubuntu 20.04:

$ wget https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.deb
$ sudo apt install ./dive_0.9.2_linux_amd64.deb

After installation, you can run Dive with:

$ dive <image_name>

After running Dive against an image, an example of its layer view can be seen below:

screenshot shows an example of Dive results

2.3. InSpec

InSpec is an open-source testing framework that can also target Docker containers. You can verify the state of your Docker images against a security or compliance baseline. There are many ready-made profiles for your images, such as the Linux baseline and the CIS Docker Benchmark. You can access them from here. To install InSpec on Ubuntu 20.04:

$ sudo apt-get -y install ruby ruby-dev gcc g++ make
$ sudo gem install inspec

After installation, you can run InSpec against a running container with:

$ inspec exec https://github.com/dev-sec/linux-baseline -t docker://<docker_id>

After running the tests, an example of the scan results for a running container can be seen below:

screenshot shows an example of Inspec results

2.4. Scan on Push: AWS ECR

Amazon ECR is a managed container registry service for storing, managing, and deploying container images. If you manage your Docker images with AWS ECR, you can scan them to improve the security of your application's container images. Additionally, you can enable the "scan on push" feature for a repository so that every pushed image automatically goes through a vulnerability scan. AWS ECR matches the packages in the image against CVE databases to produce findings. To create a repository with scan on push enabled:

$ aws ecr create-repository --repository-name <addyourreponame> \
    --image-scanning-configuration scanOnPush=true

After pushing your Docker images to the repository, you can see the detailed scan results in the AWS console. Once you have the results, you can fix the vulnerabilities by applying security updates and rebuilding the image. An example report can be seen below:

Screenshot shows AWS ECR Scanning results

2.5. Trivy

Trivy is an open-source vulnerability scanner for Docker images maintained by Aqua Security. In addition to Docker images, Trivy can scan filesystems and Git repositories. It detects vulnerabilities in minutes and is well suited to CI/CD pipelines. Trivy can be installed easily on many Linux distributions. It lists vulnerabilities and the affected packages with detailed information, such as the version installed in the image, the fixed version that should be installed, and the severity level. To install the required packages and Trivy on Ubuntu 20.04:

$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy

After installation, you can run Trivy with:

$ trivy image [YOUR_IMAGE_NAME]

After running the scan, an example of Trivy's results for an image can be seen below:

Screenshot shows an example of Trivy result
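Both Trivy (section 2.5) and AWS ECR (section 2.4) can emit their findings as JSON, with `trivy image -f json` and `aws ecr describe-image-scan-findings` respectively, and a pipeline usually wants one policy applied to both, for example "fail on HIGH or above, but only when a fix is available". The script below is an added example, not code from Trivy, Aqua Security or AWS: it flattens both formats into one record type and applies such a policy. The two JSON inputs are constructed samples that mirror the shapes of those commands' output as I know them (Trivy's `Results`/`Vulnerabilities` keys and ECR's `imageScanFindings.findings` with `package_name`/`package_version` attributes); verify them against your own output, and note that the CVE ids are placeholders, not real identifiers.

```python
"""Normalise vulnerability findings from Trivy and AWS ECR and apply one policy.

Added example, not code from Trivy, Aqua Security or AWS. Both inputs are
constructed samples that mirror the JSON shapes of `trivy image -f json` and
`aws ecr describe-image-scan-findings`; the CVE ids are placeholders.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str      # empty string when the scanner reports no fix
    severity: str
    source: str     # "trivy" or "ecr"


# Constructed sample: shape of `trivy image -f json` (the {"Results": [...]} wrapper)
TRIVY_SAMPLE = json.dumps({
    "Results": [
        {"Target": "example/web:1.0 (debian 10.9)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-0+deb10u5", "FixedVersion": "1.1.1d-0+deb10u6",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
              "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},  # no FixedVersion key
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl",
              "InstalledVersion": "7.64.0-4+deb10u1", "FixedVersion": "7.64.0-4+deb10u2",
              "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": None}]
})

# Constructed sample: shape of `aws ecr describe-image-scan-findings`
ECR_SAMPLE = json.dumps({
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "libssl1.1"},
                            {"key": "package_version", "value": "1.1.1d-0+deb10u5"}]},
            {"name": "CVE-EXAMPLE-0004", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "bash"},
                            {"key": "package_version", "value": "5.0-4"}]}],
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1}}
})


def load_trivy(text):
    """Flatten Trivy JSON: older releases emit a bare list, newer ones wrap it in "Results"."""
    data = json.loads(text)
    results = data["Results"] if isinstance(data, dict) else data
    findings = []
    for result in results:
        for v in result.get("Vulnerabilities") or []:   # null for a clean target
            findings.append(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                                    v.get("FixedVersion", ""), v["Severity"].upper(), "trivy"))
    return findings


def load_ecr(text):
    """Flatten ECR findings; basic scanning reports no fixed version, so `fixed` stays empty."""
    data = json.loads(text)
    findings = []
    for f in data["imageScanFindings"]["findings"]:
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        findings.append(Finding(f["name"], attrs.get("package_name", "?"),
                                attrs.get("package_version", "?"), "", f["severity"].upper(), "ecr"))
    return findings


def dedupe(findings):
    """Merge the same CVE/package seen by both scanners, preferring the record that knows the fix."""
    merged = {}
    for f in findings:
        key = (f.vuln_id, f.package)
        if key not in merged or (f.fixed and not merged[key].fixed):
            merged[key] = f
    return list(merged.values())


def blocking(findings, min_severity="HIGH", ignore_unfixed=True):
    """Findings that should fail the build: at or above min_severity and, optionally, fixable.

    ignore_unfixed only drops a finding when the scanner positively reports no fix
    (Trivy); ECR carries no fix data, so its findings are never dropped on that basis.
    """
    threshold = SEVERITY_RANK[min_severity]
    kept = [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold
            and not (ignore_unfixed and f.source == "trivy" and not f.fixed)]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK[f.severity], f.vuln_id))


if __name__ == "__main__":
    all_findings = dedupe(load_trivy(TRIVY_SAMPLE) + load_ecr(ECR_SAMPLE))
    for f in blocking(all_findings):
        print(f"{f.severity:8} {f.vuln_id:18} {f.package} {f.installed} -> "
              f"{f.fixed or 'no fix yet'} [{f.source}]")
```

With the default policy only the fixable HIGH finding blocks the build; the unfixed CRITICAL one is reported but does not fail the job, which is the same behaviour you get from Trivy's own `--ignore-unfixed` flag, extended here to ECR findings so a single decision covers both scanners.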

Conclusion

In Part 2, "Docker Vulnerability Scanning", of our blog series, we covered five Docker vulnerability scanning and management tools: Docker Bench for Security, Dive, InSpec, AWS ECR, and Trivy. In addition to these, Docker images can be scanned for vulnerabilities by the Qualys container sensor. We will show you all the required steps to deploy the sensor in an AWS ECS cluster in Part 3 - QUALYS Deploying sensor in AWS ECS Cluster. Stay tuned!