Inspect Container Images with the docker scan Command

If you’re serious about container security, then you know it all begins with images. No matter how much work you put into locking down your deployments, your network, and your infrastructure, if you base your containers on images with vulnerabilities, those deployments will simply not be secure. And simply trusting a random image pulled from Docker Hub is a big mistake.
Sure, there are verified images to be had on Docker Hub, but those verifications cost quite a bit for a company, so not every image is verified. And although you can generally trust verified images, it’s best to know, first-hand, that trust is warranted.
As for unverified images, every single one you attempt to use could cause you problems. To that end, you must scan them for vulnerabilities. If you find an image contains vulnerabilities, at least you’re informed and, in some cases, you can mitigate a vulnerability by updating the packages contained within the image.
Fortunately, there are a number of tools you can use to scan those images. One such tool is built right into Docker, called docker scan. It’s very easy to use and reports back very simple information about any known vulnerabilities it finds.
Let’s see just how easy the docker scan command is to use.
What You’ll Need
The only things you’ll need for this are an operating system that supports Docker and a user with admin privileges. I’m going to demonstrate on Ubuntu Server 22.04. If you’re using a different platform, you’ll only need to adjust the steps for installing Docker. If you already have Docker up and running, you won’t have to worry about installing anything. You’ll also need a valid Docker Hub account and an access token created for this purpose.
Let’s get busy.
Install the Latest Version of Docker
The first thing to do is to add the necessary Docker repository. To do this, you must add the official Docker GPG key with the command:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
Next, add the Docker repository:
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
You’ll then need to install a few dependencies with the command:
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release -y
Finally, we can install the latest version of the Docker engine with these two commands:
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io -y
You might also want to install Docker Compose with:
sudo apt-get install docker-compose -y
To finish things up, make sure your user is a member of the docker group with the command:
sudo usermod -aG docker $USER
Log out and log back in for the changes to take effect.
Create a Docker Hub Access Token
Log in to your Docker Hub account and click your user profile icon in the top right corner. From the drop-down menu, select Account Settings. In the resulting window, click Security in the left sidebar and then click New Access Token. Name the token something like DOCKER SCAN, give it Read, Write, Delete access, and click Generate.
Once the token has been generated, make sure to copy it to your computer clipboard.
Back at the terminal window, you’ll need to log in to Docker Hub with the command:
docker login
When prompted, type your Docker Hub username and then paste the access token into the terminal. Hit Enter and you should be successfully logged in.
Finally, you’ll need to accept the license with the command:
docker scan --accept-license --version
This will accept the license and print out the version of the docker scan plugin available on your system.
One thing to keep in mind is that you are limited to 10 scans a month unless you authenticate with a Snyk account. The caveat is that the machine you are working on must have a web browser, because the authentication happens within one. So, if you’re working on a server OS, there must be a GUI.
To do this, you must run the docker scan command like so:
docker scan --login
This will generate a link for you to click that will open your default web browser. Follow the prompts to create an account and log in. Once you’ve done that, the authentication will finish and you’re ready to go.
You can now use the docker scan command.
Use the docker scan Command
Let’s run a quick scan on the nginx:latest image. To do that, issue the command:
docker scan nginx:latest
Docker will pull down the latest NGINX image and scan it for vulnerabilities. In my case, it reported the following:
Testing nginx:latest...

Organization:      xxx-k42
Package manager:   maven
Target file:       /usr/share/java
Project name:      nginx:latest:/usr/share/java
Docker image:      nginx:latest
Licenses:          enabled

✔ Tested nginx:latest for known issues, no vulnerable paths found.
Next, I tested an image that was created with numerous vulnerabilities (for this very purpose) with the command:
docker scan infoslack/dvwa
The docker scan command pulled down the test image, scanned it for vulnerabilities and hit the mother lode (1101 issues). If you run that command, you’ll find vulnerabilities listed like this:
High severity vulnerability found in apt/libapt-pkg4.12
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU1404-APT-407425
  Introduced through: apt/libapt-pkg4.12@1.0.1ubuntu2.10, apt@1.0.1ubuntu2.10, apt/libapt-inst1.5@1.0.1ubuntu2.10, apt/apt-utils@1.0.1ubuntu2.10, ubuntu-meta/ubuntu-minimal@1.325
  From: apt/libapt-pkg4.12@1.0.1ubuntu2.10
  From: apt@1.0.1ubuntu2.10 > apt/libapt-pkg4.12@1.0.1ubuntu2.10
  From: apt/libapt-inst1.5@1.0.1ubuntu2.10 > apt/libapt-pkg4.12@1.0.1ubuntu2.10
  and 7 more...
  Fixed in: 1.0.1ubuntu2.17
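A scan that reports hundreds of findings is only useful if you can turn it into a decision: which severities block the image, and which packages have a fix you can apply by rebuilding. The following script is an added example, not part of the original article and not Docker’s or Snyk’s own tooling. It parses the plain-text report format shown above, counts findings per severity, lists the packages that have a “Fixed in:” version, and returns non-zero when any finding reaches a chosen threshold, which is the shape of a CI gate. The sample report embedded in it is constructed to mirror the article’s output (the first finding reuses the page’s SNYK-UBUNTU1404-APT-407425 entry; the other two use placeholder advisory IDs); the function names and the severity ordering are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): summarise "docker scan" text
# output and gate a build on it. SAMPLE_SCAN below is CONSTRUCTED to mirror the
# report format the article shows; in real use you would capture actual output:
#   docker scan infoslack/dvwa > scan.txt
#   scan_gate "$(cat scan.txt)" High || exit 1
SAMPLE_SCAN=$(cat <<'EOF'
Testing infoslack/dvwa...

High severity vulnerability found in apt/libapt-pkg4.12
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU1404-APT-407425
  Introduced through: apt/libapt-pkg4.12@1.0.1ubuntu2.10
  Fixed in: 1.0.1ubuntu2.17

Medium severity vulnerability found in bash/bash
  Description: Constructed example finding (placeholder)
  Info: https://security.snyk.io/vuln/PLACEHOLDER-ADVISORY-2
  Introduced through: bash/bash@4.3-7ubuntu1.5

High severity vulnerability found in openssl/libssl1.0.0
  Description: Constructed example finding (placeholder)
  Info: https://security.snyk.io/vuln/PLACEHOLDER-ADVISORY-3
  Introduced through: openssl/libssl1.0.0@1.0.1f-1ubuntu2
  Fixed in: 1.0.1f-1ubuntu2.27
EOF
)

# count_severity TEXT SEVERITY: number of findings printed at that severity
# (the words docker scan uses: Low, Medium, High, Critical). grep -c prints 0
# and exits 1 when nothing matches, so "|| true" keeps set -e callers alive.
count_severity() {
    printf '%s\n' "$1" | grep -c "$2 severity vulnerability found in" || true
}

# count_fixable TEXT: findings for which the report names a fixed version.
count_fixable() {
    printf '%s\n' "$1" | grep -c 'Fixed in:' || true
}

# fix_list TEXT: one "package -> fixed-version" line per fixable finding.
# This is the remediation list the article alludes to: bump these packages
# in the image (or pick a newer base image) and rescan.
fix_list() {
    printf '%s\n' "$1" | awk '
        /severity vulnerability found in/ { pkg = $NF }
        /Fixed in:/                       { print pkg " -> " $NF }'
}

# scan_gate TEXT THRESHOLD: return 0 when no finding is at or above THRESHOLD,
# 1 otherwise (2 on an unknown threshold). Ordering Low < Medium < High <
# Critical is this example's assumption about how the severities rank.
scan_gate() {
    text=$1
    case $2 in
        Low)      sevs="Low Medium High Critical" ;;
        Medium)   sevs="Medium High Critical" ;;
        High)     sevs="High Critical" ;;
        Critical) sevs="Critical" ;;
        *)        echo "unknown severity threshold: $2" >&2; return 2 ;;
    esac
    total=0
    for sev in $sevs; do
        n=$(count_severity "$text" "$sev")
        total=$((total + n))
    done
    echo "$total finding(s) at severity $2 or above"
    [ "$total" -eq 0 ]
}

# Stand-alone run against the constructed sample.
printf 'High: %s  Medium: %s  Fixable: %s\n' \
    "$(count_severity "$SAMPLE_SCAN" High)" \
    "$(count_severity "$SAMPLE_SCAN" Medium)" \
    "$(count_fixable "$SAMPLE_SCAN")"
fix_list "$SAMPLE_SCAN"
scan_gate "$SAMPLE_SCAN" High || echo "image would be blocked at the High threshold"
```

The gate is deliberately separate from the scan itself: docker scan can already limit its report with `--severity`, but a CI step still needs an exit status to act on, and the fix list tells you whether a rebuild with updated packages is even an option before you decide to abandon the image.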
And there you go. You now have the ability to easily scan Docker images for vulnerabilities. If you run a scan and come across a number of issues, you might want to steer clear of the image you scanned. After all, when you use an image with vulnerabilities, the containers you deploy will also be vulnerable.