
Inspect Container Images with the docker scan Command

Review the security of container images and take actions to fix issues, all using the docker scan tool. Find out how, here.
Mar 25th, 2023 6:00am

If you’re serious about container security, then you know it all begins with images. No matter how much work you put into locking down your deployments, your network, and your infrastructure, if you base your containers on images with known vulnerabilities, those deployments will not be secure. And simply trusting a random image pulled from Docker Hub is a big mistake.

Sure, there are verified images to be had on Docker Hub, but verification costs a publisher quite a bit, so not every image is verified. And although you can generally trust verified images, it’s best to know, first-hand, that the trust is warranted.

As for unverified images, every single one you attempt to use could cause you problems. To that end, you must scan them for vulnerabilities. If you find an image contains vulnerabilities, at least you’re informed and, in some cases, you can mitigate a vulnerability by updating the packages contained within the image or rebuilding it on a newer base.

Fortunately, there are a number of tools you can use to scan those images. One of them ships with Docker as a CLI plugin: docker scan, which runs the Snyk vulnerability engine against an image. It’s very easy to use and reports back straightforward information about any known vulnerabilities it finds. Be aware that Docker has deprecated docker scan in favor of docker scout; if your Docker release no longer ships the docker scan plugin, docker scout cves is the replacement command for the same job.

Let’s see just how easy the docker scan command is to use.

What You’ll Need

The only things you’ll need for this are an operating system that supports Docker and a user with sudo privileges. I’m going to demonstrate on Ubuntu Server 22.04. If you’re using a different platform, you’ll only need to adjust the steps for installing Docker. If you already have Docker up and running, you won’t have to install anything. You’ll also need a valid Docker Hub account and an access token created for this purpose.

Let’s get busy.

Install the Latest Version of Docker

The first thing to do is to add the necessary Docker repository. To do this, you must add the official Docker GPG key with the command:


Next, add the Docker repository:


You’ll then need to install a few dependencies with the command:


Finally, we can install the latest version of the Docker engine with these two commands:


You might also want to install Docker Compose with:


To finish things up, make sure your user is a member of the docker group with the command below. Keep in mind that membership in the docker group is equivalent to root on the host, because any member can start a container that mounts the host filesystem, so add only users you would trust with root.


Log out and log back in for the changes to take effect.
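The installation steps above, collected into one script for Ubuntu 22.04. This is an added example, not the article’s own commands: it follows Docker’s documented apt-repository installation, assumes sudo access and network reachability to download.docker.com, and adds the check a practitioner wants before trusting a third-party repository, namely pinning the key to this one repository with signed-by and verifying the key’s fingerprint against the value Docker publishes. The package name docker-scan-plugin is the one Docker’s repository used for the docker scan subcommand.

```shell
#!/bin/sh
# Added example (not the article's own commands): install Docker Engine on Ubuntu
# from Docker's apt repository, with the signing key pinned to that repository
# and its fingerprint verified before any package from it is trusted.
set -eu

KEYRING=/etc/apt/keyrings/docker.gpg
# Fingerprint of Docker's apt signing key, as published in Docker's install docs.
DOCKER_GPG_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88

# Build the apt source line for a given Ubuntu codename and architecture.
# signed-by restricts this key to this repository instead of trusting it globally.
docker_apt_source() {
  codename=$1
  arch=$2
  echo "deb [arch=${arch} signed-by=${KEYRING}] https://download.docker.com/linux/ubuntu ${codename} stable"
}

install_docker() {
  sudo apt-get update
  sudo apt-get install -y ca-certificates curl gnupg

  # Fetch the key into a dedicated keyring rather than apt's global trust store.
  sudo install -m 0755 -d /etc/apt/keyrings
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o "$KEYRING"
  sudo chmod a+r "$KEYRING"

  # Check: refuse to continue if the key we downloaded is not the expected one.
  if ! gpg --show-keys --with-colons "$KEYRING" | grep -q "^fpr:.*:${DOCKER_GPG_FPR}:"; then
    echo "Docker signing key fingerprint mismatch; aborting" >&2
    exit 1
  fi

  codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
  docker_apt_source "$codename" "$(dpkg --print-architecture)" \
    | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

  sudo apt-get update
  # docker-scan-plugin provides the docker scan subcommand; docker-compose-plugin
  # provides "docker compose".
  sudo apt-get install -y docker-ce docker-ce-cli containerd.io \
    docker-buildx-plugin docker-compose-plugin docker-scan-plugin

  # Let the current user talk to the daemon. This is root-equivalent on the host
  # and takes effect only after logging out and back in.
  sudo usermod -aG docker "$USER"
}

# Only run the installation when explicitly asked, so the functions can be
# sourced and tested without touching the system.
if [ "${1:-}" = "--install" ]; then
  install_docker
fi
```

Run it as `sh install-docker.sh --install`. If the fingerprint check fails, nothing has been added to apt’s sources yet, so the host is left exactly as it was.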

Create a Docker Hub Access Token

Log in to your Docker Hub account and click your user profile icon in the top right corner. From the drop-down menu, select Account Settings. In the resulting window, click Security in the left sidebar and then click New Access Token. Name the token something like DOCKER SCAN and click Generate. Read-only access is enough to pull and scan images; only grant Write or Delete if you will also push images from this machine, since a leaked token carries whatever permissions you gave it.

Once the token has been generated, make sure to copy it to your computer clipboard.

Back at the terminal window, you’ll need to log in to Docker Hub with the command:


When prompted, type your Docker Hub username and then paste the access token in place of the password. Hit Enter and you should be successfully logged in. In scripts, pass the token on standard input with docker login --password-stdin rather than on the command line, where it would show up in process listings and shell history.

Finally, you’ll need to accept the license with the command:


This will accept the license and print out the version of the docker scan plugin (and of the Snyk engine it bundles) available on your system.

One thing to keep in mind is that you are limited to 10 scans a month unless you authenticate with a Snyk account. Authentication normally happens in a web browser, but the browser does not have to be on the machine you are scanning from: docker scan --login prints a URL you can open from any browser, and on a headless server you can instead pass a Snyk API token directly with docker scan --login --token.

To do this, you must run the docker scan command like so:


This will print a link for you to open in your browser. Follow the prompts to create a Snyk account (or log in to an existing one). Once you’ve done that, the authentication finishes and you’re ready to go.

You can now use the docker scan command.

Use the docker scan Command

Let’s run a quick scan on the nginx:latest image. To do that, issue the command:


Docker will pull down the latest NGINX image and scan it for vulnerabilities. In my case, it reported the following:


Next, I tested an image that was created with numerous vulnerabilities (for this very purpose) with the command:

docker scan infoslack/dvwa

The docker scan command pulled down the test image, scanned it for vulnerabilities and came up with the mother lode (1101 issues). If you run that command, you’ll find vulnerabilities listed like this:


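The login and scan steps above, turned into something you can run in a CI job. This is an added example, not the article’s own commands: it logs in with the access token read from an environment variable (DOCKER_HUB_USER and DOCKER_HUB_TOKEN are names assumed here), accepts the license, runs docker scan with --json and --severity, and fails when anything at or above the chosen severity is reported. The counting function uses grep rather than jq so it has no extra dependency; it assumes the pretty-printed Snyk JSON that docker scan emits, where each finding carries a "severity" key. The embedded JSON is a constructed sample in that shape, used only for offline testing.

```shell
#!/bin/sh
# Added example (not the article's own commands): log in to Docker Hub without
# exposing the token on the command line, then scan an image and fail the job
# when findings at or above a severity threshold are present.
set -eu

# Count findings at or above THRESHOLD in docker scan --json output read from
# stdin. Assumes Snyk's pretty-printed JSON, one "severity": "<level>" per finding.
count_at_or_above() {
  case "$1" in
    low)      levels='low|medium|high|critical' ;;
    medium)   levels='medium|high|critical' ;;
    high)     levels='high|critical' ;;
    critical) levels='critical' ;;
    *) echo "unknown severity: $1" >&2; return 2 ;;
  esac
  # grep -c exits 1 when the count is zero; we want the number, not the status.
  grep -Ec "\"severity\": *\"(${levels})\"" || true
}

# Log in with a (read-only) Docker Hub access token taken from the environment.
# --password-stdin keeps the token out of `ps` output and shell history.
hub_login() {
  printf '%s' "$DOCKER_HUB_TOKEN" | docker login -u "$DOCKER_HUB_USER" --password-stdin
}

# Scan IMAGE and return non-zero if findings at or above THRESHOLD exist.
# The JSON report is written to disk so a CI job can archive it with the build.
scan_gate() {
  image=$1
  threshold=${2:-high}
  report="scan-$(echo "$image" | tr '/:' '__').json"
  # docker scan itself exits non-zero when it finds vulnerabilities; do not let
  # set -e abort before the report has been inspected. --accept-license is
  # needed once per host and is harmless to repeat.
  docker scan --accept-license --json --severity "$threshold" "$image" > "$report" || true
  n=$(count_at_or_above "$threshold" < "$report")
  echo "$image: $n finding(s) at severity >= $threshold (report: $report)"
  [ "$n" -eq 0 ]
}

# Constructed sample in the shape of docker scan --json output (not real scan
# data), so the counting logic can be exercised without Docker or network access.
SAMPLE_SCAN_JSON='{
  "vulnerabilities": [
    { "id": "SAMPLE-1", "severity": "low",  "packageName": "libfoo", "version": "1.0" },
    { "id": "SAMPLE-2", "severity": "high", "packageName": "libbar", "version": "2.3" },
    { "id": "SAMPLE-3", "severity": "critical", "packageName": "libbaz", "version": "0.9" }
  ],
  "ok": false
}'

# Usage: DOCKER_HUB_USER=... DOCKER_HUB_TOKEN=... sh scan-gate.sh --scan nginx:latest high
if [ "${1:-}" = "--scan" ]; then
  hub_login
  scan_gate "${2:-nginx:latest}" "${3:-high}"
fi
```

With the threshold set to high, an image like the deliberately vulnerable one scanned above fails the gate immediately, while a clean image passes and still leaves a JSON report you can keep as evidence of what was checked.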
And there you go. You now have the ability to easily scan Docker images for vulnerabilities. If a scan turns up a number of issues, check whether fixed package versions exist and rebuild the image on a patched or slimmer base; if that isn’t possible, steer clear of the image. After all, when you deploy from an image with vulnerabilities, the containers you deploy carry those vulnerabilities too.

TNS owner Insight Partners is an investor in: Docker.