The Docker Cloud hosted container service now offers the ability to scan containers for known security vulnerabilities. The technology behind the security service, called Docker Security Scanning, will also be a core component of the Docker Datacenter, Docker’s software for running a container management service in house.
With the new feature, “You are able to prevent vulnerable software from being deployed in the first place. And if vulnerable software is in there, and vulnerabilities are discovered, we are able to do a patch management process that reduces the time you are exposed,” said Nathan McCauley, Docker security director.
Docker has tested this Docker Security Scanning with selected customers for the past six months, under the name Project Nautilus, where it scanned over 400 million containers. Docker Cloud private repo customers can test the service in a free trial.
As its name suggests, Docker Security Scanning inspects the binary packages inside a container and compares them against the Common Vulnerabilities and Exposures (CVE) database, a comprehensive listing of known security vulnerabilities in the most commonly used open source and proprietary software packages.
In a typical setup, a team of developers builds a Docker image and then pushes it to the Docker Cloud. Before the image is stored in the cloud, it is scanned for software packages with known vulnerabilities: the scanner generates a list of all the software packages and libraries it can identify and cross-references them against the CVE list. The developer gets a notification if any vulnerabilities are found in the image.
The service, of course, can be embedded within an organization’s security policies and workflow, and even streamline it. The scanning can be easily integrated into continuous integration/continuous delivery (CI/CD) workflows, such that the scanning can be automatically kicked off whenever a developer completes a new container.
Today, most administrators only find out about a new high-profile vulnerability through mailing lists or the tech press. Lower-profile vulnerabilities may never be discovered at all. The scanner automates the process of identifying the weak code that could be exploited by attackers.
Worse yet, “developers may not even be aware of vulnerabilities at all,” McCauley said.
In an ideal setup, with the scanner in place, the operations team builds an image and then signs it using Docker Content Trust, in effect blessing the image as ready for developers to use. Developers can then pull down the approved image and populate it with internal programs. Once finished, the image is uploaded to a registry. The scanner shows the results, allowing the developers to update the affected packages until the vulnerabilities are eliminated.
When a new vulnerability is discovered, the scanner can review the images already in production by checking whether each image’s bill of materials contains the newly vulnerable package. If so, the software sends a notification to the administrator alerting them that the image needs to be replaced by a fresh one with no known vulnerabilities.
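The re-check described above, as an added illustration that is not Docker's own code: each stored image is represented by the bill of materials (package name to version) the scanner recorded at push time, and a newly published advisory names the affected package and the first fixed version. The version ordering is a deliberate simplification (numbers compare numerically, letters lexicographically), not a full Debian or RPM comparison, and the CVE identifier is a placeholder.

```python
"""Find stored images whose bill of materials contains a newly vulnerable package.

Constructed example, not Docker's implementation. An image's BOM is a dict of
package name -> installed version; an Advisory names the package and the first
version that carries the fix.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    package: str
    fixed_in: str  # first version that contains the fix


def parse_version(v: str) -> tuple:
    """Split '1.0.2g-1' into comparable parts so that 1.0.2g < 1.0.2h and
    1.0.10 > 1.0.9. Simplified: real distro version rules (epochs, '~') differ."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def is_affected(bom: dict, adv: Advisory) -> bool:
    """An image is affected if it ships the named package below the fixed version."""
    installed = bom.get(adv.package)
    return installed is not None and parse_version(installed) < parse_version(adv.fixed_in)


def images_to_rebuild(images: dict, adv: Advisory) -> list:
    """Return the names of images that need a fresh build, sorted for stable output."""
    return sorted(name for name, bom in images.items() if is_affected(bom, adv))


# Constructed sample data: image name -> {package: version}
SAMPLE_IMAGES = {
    "web:1.4": {"openssl": "1.0.2g-1", "curl": "7.47.0"},
    "api:2.0": {"openssl": "1.0.2h-1", "curl": "7.47.0"},
    "batch:3.1": {"curl": "7.47.0"},  # does not ship the affected package at all
}
SAMPLE_ADVISORY = Advisory("CVE-XXXX-YYYY", "openssl", "1.0.2h-1")  # placeholder id

if __name__ == "__main__":
    for name in images_to_rebuild(SAMPLE_IMAGES, SAMPLE_ADVISORY):
        print(f"{name}: rebuild needed, {SAMPLE_ADVISORY.package} < {SAMPLE_ADVISORY.fixed_in}")
```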
Because it is based on the CVE, the service won’t identify any vulnerabilities within each organization’s internally-developed code. The organization will still need to do internal code review and auditing for its software.
Docker Inc. is investigating the possibility of incorporating static analyzers into the scanner, which could inspect first-party code for errors that would lead to security openings. “So far we are just focused on known vulnerable software, but it is conceivable that in the future we could use this mechanism to plug in static analyzers.”
“The output data that we received from the Docker Security Scanning proved to be very valuable to us,” said Valentin Chartier, Senior Manager of Cloud Services at HomeByMe-3DVIA, a 3D home design service, in a statement. “This tool is very effective for reviewing our components and for building a security profile for the images within our scanned private repos. The process is seamless. Our images are scanned from our private repository, hosted within Docker Hub, without having to make any changes to our existing process.”
In addition to making the scanning service generally available, Docker also updated Docker Bench, a script to validate a host’s configuration against the CIS Benchmark recommendations for securing Docker Engine.
CoreOS and Docker are sponsors of The New Stack.
Feature image via Pixabay, licensed under the cc0.