Even if you have strong host-level security, infected containers can give attackers a foothold in your system. You can reduce this risk by using Docker Bench and active container vulnerability scanners such as Docker scan (snyk), Grype, Trivy, and Clair. These will help you identify issues in the container, such as outdated dependencies that may be exploited.

Scan Docker local images for vulnerabilities with docker scan

image.png

Vulnerability scanning of Docker native images allows developers and development teams to view the security status of container images and take action to fix issues found during the scan, resulting in safer deployments. Docker Scan runs on the Snyk engine and provides users with visibility into the security posture of their local Dockerfiles and local images.

$ docker scan --accept-license --version

Version: v0.16.0
Git commit: e135637
Provider: Snyk (1.809.0)

macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12

Testing postgres: 12...

✗ Low severity vulnerability found in tar
  Description: CVE-2005-2541
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.34+dfsg-1

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in apt/libapt-pkg6.0
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
  Introduced through: postgresql-12@12.9-1.pgdg110+1
  From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg- keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
  From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg- keyring@2018.2 > apt@2.2.4

✗ High severity vulnerability found in perl/perl-base
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
  Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
  From: perl/libperl5.32@5.32.1-4+deb11u2
  From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
  and 4 more.

✗ High severity vulnerability found in libgcrypt20
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
  Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
  From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
  From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
  and 9 more.

✗ Critical severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
  Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
  From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
  From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
  From: glibc/locales@2.31-13+deb11u2
  and 2 more.


Package manager: deb
Project name: docker-image|postgres
Docker image: postgres:12
Platform: linux/amd64
Base image: postgres:12.9-bullseye

Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

Vulnerability scanner for container images and filesystems using Grype

image.png

Grype is a vulnerability scanner for container images and filesystems. Easily install binaries to try them out. Works with Syft, a powerful SBOM (Software Bill of Materials) tool for container images and filesystems.

Install

recommend

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
...or, you can specify a release version and destination directory for the installation:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>

brew

brew tap anchore/grype
brew install grype

Note: Currently, Grype is only available for macOS and Linux.

$ grype k8s.gcr.io/kube-scheduler:v1.22.5 --scope all-layers

✔ Vulnerability DB [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages [3 packages]
 ✔ Scanned image [0 vulnerabilities]

No vulnerabilities found


macpro$ grype postgres:12 --scope all-layers
 ✔ Vulnerability DB [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages [718 packages]
 ✔ Scanned image [550 vulnerabilities]

NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 2.2.4 CVE-2011-3374 Negligible
coreutils 8.32-4+b1 (won't fix) CVE-2016-2781 Low
coreutils 8.32-4+b1 CVE-2017-18018 Negligible
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f ​​Medium
libapt-pkg6.0 2.2.4 CVE-2011-3374 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-bin 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-bin 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-bin 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc-l10n 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc6 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc6 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc6 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc6 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc6 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc6 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libgcrypt20 1.8.7-6 (won't fix) CVE-2021-33560 High
libgcrypt20 1.8.7-6 CVE-2018-6829 Negligible
libgnutls30 3.7.1-5 CVE-2011-3389 Medium
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u-2019-19882 Negligible
perl 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-base 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-base 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-modules-5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-modules-5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
tar 1.34+dfsg-1 CVE-2005-2541 Negligible

Hardening a Docker image involves scanning it for vulnerabilities, building a new image with additional mitigations, and then using that version as the basis for your application. You need to scan and rebuild images regularly to ensure they contain the latest packages and patches. It is a best practice to incorporate hardening into your image build pipeline.

Remember, container security best practices include more than just the delivered applications and container images themselves. You also need to include a full stack of components for building, distributing, and specifically executing containers.

One of the focuses of cloud-native security is to address container security risks as quickly as possible. Doing so late in the development lifecycle can slow the pace of cloud adoption while increasing security and compliance risks.

Likes(0)

Comment list count 0 Comments

No Comments