Wednesday, 14 April 2021

New day, new Docker, new capability - image scanning

Whilst I was upgrading some of my Ubuntu boxes the other day, I noticed a new plugin - docker-scan-plugin - in the list of things being upgraded.

A quick Google brought me this: -

Vulnerability scanning for Docker local images

Having since upgraded Docker on my Mac: -

docker version

Client: Docker Engine - Community
 Cloud integration: 1.0.12
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:13:00 2021
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true
Server: Docker Engine - Community
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:15:47 2021
  OS/Arch:          linux/amd64
  Experimental:     false
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
  Version:          0.19.0
  GitCommit:        de40ad0

I checked my available images: -

docker images

busybox       latest    388056c9a683   6 days ago    1.23MB
tekton-lint   latest    b79680846c0c   10 days ago   93.1MB

and then scanned one of them: -

docker scan busybox

Docker Scan relies upon access to Snyk, a third party provider, do you consent to proceed using Snyk? (y/N)

Testing busybox...

Organization:      undefined
Package manager:   linux
Project name:      docker-image|busybox
Docker image:      busybox
Platform:          linux/amd64

✓ Tested busybox for known vulnerabilities, no vulnerable paths found.

Note that we do not currently have vulnerability data for your image.

For more free scans that keep your images secure, sign up to Snyk at

Definitely a nice capability to have in the kitbag - we're also using IBM Container Registry's built-in Vulnerability Advisor tool, but more insights are better than fewer ....
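
The busybox result above prints a green tick and, two lines later, says there is no vulnerability data for the image. The following is an added example, not part of the original post or of Docker's tooling: a shell helper that treats that combination as inconclusive rather than clean when saved scan output is checked in a script. The function names, the verdict labels and the `example-image` name are assumptions, and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: classify saved `docker scan` text output.
# Only the two messages shown in the post are matched; anything else
# is sent for manual review rather than guessed at.

# scan_verdict FILE -> prints clean | inconclusive | review
# (hypothetical helper name and labels)
scan_verdict() {
    out_file=$1
    if [ ! -s "$out_file" ]; then
        echo review            # empty or missing output proves nothing
        return 2
    fi
    # Check the "no data" note first: it appears together with the tick line.
    if grep -q 'do not currently have vulnerability data' "$out_file"; then
        echo inconclusive      # scanner had nothing to compare against
        return 1
    fi
    if grep -q 'no vulnerable paths found' "$out_file"; then
        echo clean
        return 0
    fi
    echo review                # unrecognised output: a human should look
    return 2
}

# Constructed sample: the busybox result from the post.
sample_busybox() {
    cat <<'EOF'
Testing busybox...

✓ Tested busybox for known vulnerabilities, no vulnerable paths found.

Note that we do not currently have vulnerability data for your image.
EOF
}

# Constructed sample: the same tick line without the "no data" note
# (example-image is a made-up image name).
sample_clean() {
    cat <<'EOF'
✓ Tested example-image for known vulnerabilities, no vulnerable paths found.
EOF
}
```

The exit status mirrors the verdict (0 clean, 1 inconclusive, 2 review), so a pipeline step can fail on anything other than a clean result.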
