
Detecting and Mitigating Image Vulnerabilities with Docker Scout


Good day. It's Friday, Sep. 20, and in this issue, we're covering:

  • Detecting and Mitigating Image Vulnerabilities with Docker Scout

  • GitGuardian: The State of SECRETS SPRAWL 2024

  • AWS Database Migration Service Now Includes Enhanced Monitoring

  • How to Keep Docker Secrets Secure: Complete Guide

  • GitOps-style continuous delivery with Google Cloud Build

  • DevOps resources - Linux, Jenkins, AWS, Docker, Kubernetes, Terraform and more..

Use Case

Detecting and Mitigating Image Vulnerabilities with Docker Scout

Docker Hub images contain thousands of secrets and vulnerabilities. This is no longer news.

How many take real action in mitigating it?

Am I doing it? That is the real question.

As per the latest Cybernews research:

  • 5,493 Docker Hub images contain secrets, accounting for 54% of the 10,178 analyzed.

  • These leaky containers have been downloaded more than 132 billion times, exposing secrets on servers globally.

  • The exposed secrets range from harmless API keys to sensitive information that could result in unauthorized access, data breaches, or even identity theft.

Ref: cybernews

This isn't just a theoretical thesis. Back in early 2021, something serious happened with Codecov, a popular code coverage tool.

What happened?

  • Initial access: Attackers found Git credentials inside Codecov's Docker image and used them to break in.

  • The breach: They modified a Bash script that many developers used in their CI pipelines, which let the attackers steal more sensitive information.

  • Persistence: The attackers went further by targeting CI environments, grabbing even more Git credentials from over 20,000 Codecov customers.

This incident shows how one small vulnerability in a Docker image can lead to much bigger problems, exposing entire systems to attacks.

Once you know the risks of exposed secrets and vulnerabilities, the next step is action. This is where Docker Scout can help. Docker Scout scans Docker images for vulnerabilities and gives you recommendations on how to fix them.

While tools like GitGuardian, Trivy, and Snyk exist, Docker Scout is a native option, integrated into Docker, making it a seamless choice for vulnerability management.

Increase Your Amazon Position Before Oct Prime Day

Send free products to Micro-Influencers using the platform Stack Influence which automates influencer collaborations at scale (get thousands of collabs per month). Brands like Magic Spoon, Unilever, and Farmacy have been able to get to #1 page positioning on Amazon and increase their monthly revenue as high as 13X in as little as 2 months.

  • Pay influencers only with products

  • Increase external traffic Amazon sales

  • Get full rights image/video UGC

Increase your listings search positioning before Oct Prime Day is upon us!

Here’s a simple guide on how to use Docker Scout:

1. Start by scanning your Docker image:

In this example, we initiate the scan with the following command:

docker scout cve <image>:<tag/version>

docker scout cve jboss/wildfly:9.0.1.Final

[Note: jboss/wildfly is no longer supported on DockerHub. I chose it to highlight the intensity and volume of vulnerabilities. You can try any other image]

This command analyzes the image and checks it for known vulnerabilities. The output (as seen below) lists the vulnerabilities found, grouped into critical, high, medium, and low-risk issues.

2. Understanding the results:

Once Docker Scout completes the scan, it will present a summary of the issues. For example, you might see a report like this:

  • 32 Critical vulnerabilities

  • 149 High-risk vulnerabilities

  • 235 Medium-risk vulnerabilities

  • 79 Low-risk vulnerabilities

Each of these vulnerabilities is tied to specific packages inside the image (in this case, 99 vulnerable packages in total). Docker Scout makes it easy to pinpoint which packages are problematic.

3. Get remediation recommendations:

Docker Scout doesn’t just point out the problems; it also gives you recommendations for fixing them. For example, if a base image is outdated, Docker Scout might suggest updating to a newer version that resolves several vulnerabilities.

You’ll see a prompt like this in the output:

View base image update recommendations -> docker scout recommendations jboss/wildfly:9.0.1.Final

Running this will provide detailed suggestions on which base images to use to mitigate vulnerabilities.

4. Follow the remediation steps:

After getting the recommendations, you’ll likely need to update your Dockerfile to use the newer, more secure base image. For instance, the recommendation might be to update from CentOS 7.9 to a newer tag, which fixes multiple vulnerabilities:

  • 1 Critical vulnerability removed

  • 16 High-risk vulnerabilities resolved

  • 42 Medium-risk vulnerabilities fixed

  • 16 Low-risk vulnerabilities addressed

After updating your base image, simply rebuild your Docker image and run the scan again to ensure that the vulnerabilities have been mitigated.
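As an added example (not part of the newsletter, and not Docker's own tooling), the four steps above wrapped into a POSIX shell script that can run as a CI gate: it scans the image, saves the report, pulls the severity counts out of the `vulnerabilities │ 32C 149H 235M 79L` row of Scout's overview table, and fails the build when the counts exceed a policy. The row layout, the `scout-report.txt` file name and the threshold values are assumptions for this example; the sample report used to check the parser is constructed, not real Scout output.

```shell
#!/bin/sh
# Added example: a CI gate around `docker scout cve`. Assumes the text output
# contains an overview row like "vulnerabilities │ 32C 149H 235M 79L".
set -eu

# Policy thresholds (constructed values for this example; tune per project).
MAX_CRITICAL="${MAX_CRITICAL:-0}"
MAX_HIGH="${MAX_HIGH:-10}"

# scout_counts: read a saved Scout report on stdin and print "C H M L".
# Prints nothing if no "vulnerabilities" row is found, so callers can
# detect a format mismatch instead of silently passing.
scout_counts() {
  awk '$1 == "vulnerabilities" {
         c = h = m = l = 0
         for (i = 2; i <= NF; i++) {
           n = substr($i, 1, length($i) - 1)
           if ($i ~ /^[0-9]+C$/) c = n
           else if ($i ~ /^[0-9]+H$/) h = n
           else if ($i ~ /^[0-9]+M$/) m = n
           else if ($i ~ /^[0-9]+L$/) l = n
         }
         print c, h, m, l
         exit
       }'
}

# gate_counts CRITICAL HIGH: return 0 when within policy, 1 otherwise.
gate_counts() {
  crit=$1
  high=$2
  if [ "$crit" -gt "$MAX_CRITICAL" ] || [ "$high" -gt "$MAX_HIGH" ]; then
    echo "FAIL: $crit critical (max $MAX_CRITICAL), $high high (max $MAX_HIGH)" >&2
    return 1
  fi
  echo "PASS: $crit critical, $high high are within policy"
  return 0
}

# main IMAGE: step 1 (scan), step 2 (read the summary), and, on failure,
# point at step 3 (recommendations). Step 4 is rebuilding with the
# suggested base image and running this script again.
main() {
  image=$1
  report="scout-report.txt"          # assumed output file name
  echo "Scanning $image with Docker Scout..."
  docker scout cve "$image" > "$report" 2>&1 || {
    echo "Scan failed; see $report" >&2
    exit 2
  }
  set -- $(scout_counts < "$report")
  if [ $# -ne 4 ]; then
    echo "Could not find the vulnerabilities row in $report" >&2
    exit 2
  fi
  echo "Found: $1 critical, $2 high, $3 medium, $4 low"
  if ! gate_counts "$1" "$2"; then
    echo "Review base image options: docker scout recommendations $image" >&2
    exit 1
  fi
}

# Only scan when an image is given on the command line, e.g.
#   sh scout-gate.sh jboss/wildfly:9.0.1.Final
if [ $# -gt 0 ]; then
  main "$1"
fi
```

Docker Scout also ships `--exit-code` (non-zero exit when vulnerabilities are found) and `--only-severity critical,high` on `docker scout cve`, which cover the simplest gate without any parsing; the script above is for the case where you want to keep the full report and enforce per-severity thresholds of your own.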

Remember: leaving secrets in images you push to a public registry, or pulling images that still contain them, carries a high risk of threat actors finding them.

2024 is 72% complete. Start the idea you’ve been holding.

Tool Of The Day

OpenGitOps - A CNCF Sandbox project to define a vendor-neutral, principle-led meaning of GitOps

Trends & Updates

Resources & Tutorials

Picture Of The Day

Certified Kubernetes Administrator vs Kubernetes Expert (10,000+ Pods Managed, 50+ Clusters Deployed)


Interested in reaching smart techies?

Our newsletter puts your products and services in front of the right people - engineering leaders and senior engineers - who make important tech decisions and big purchases.