Previously I shared how you can scan your Python code for security issues. However, with the increased use of containers in network automation, I wanted to also share with you a way to locally scan your Docker images for security issues/vulnerabilities using the Docker Scan feature.
Docker Scan (Docker Desktop Edge only) scans your local Docker image and returns a list of Common Vulnerabilities and Exposures (CVEs) and available fixes (if available).
Here's an example:
$ docker scan grafana/grafana:latest Testing grafana/grafana:latest... ✗ Low severity vulnerability found in apk-tools/apk-tools Description: CVE-2021-30139 Info: https://snyk.io/vuln/SNYK-ALPINE312-APKTOOLS-1246338 Introduced through: email@example.com From: firstname.lastname@example.org Fixed in: 2.10.6-r0 ... Tested 34 dependencies for known issues, found 1 issue.
You can also include the Dockerfile as part of your scan (shown below), which will result in the vulnerabilities being mapped to the relating Dockerfile commands that introduced them. Love it!
$ docker scan --file Dockerfile grafana/grafana:latest
It's worth noting that you get 10 scans a month by default, which can be increased to 200 scans per month (for free) by logging into the vulnerability scanner provider (snyk.io), like so:
docker scan --login
And there you go! A quick and easy way to security check your Docker images before running or pushing up to your Docker repos.