Detecting and Mitigating Image Vulnerabilities with Docker Scout
Good day. It's Friday, Sep. 20, and in this issue, we're covering:
Detecting and Mitigating Image Vulnerabilities with Docker Scout
GitGuardian: The State of SECRETS SPRAWL 2024
AWS Database Migration Service Now Includes Enhanced Monitoring
How to Keep Docker Secrets Secure: Complete Guide
GitOps-style continuous delivery with Google Cloud Build
DevOps resources - Linux, Jenkins, AWS, Docker, Kubernetes, Terraform and more..
Use Case
Detecting and Mitigating Image Vulnerabilities with Docker Scout
Docker Hub images contain thousands of secrets and vulnerabilities. This is no longer hot news.
How many take real action in mitigating it?
Am I doing it? That is the real question.
As per the latest Cybernews research:
5,493 Docker Hub images contain secrets, accounting for 54% of the 10,178 analyzed.
These leaky containers have been downloaded more than 132 billion times, exposing secrets on servers globally.
The exposed secrets range from harmless API keys to sensitive information that could result in unauthorized access, data breaches, or even identity theft.
Ref: cybernews
This isn't just a theoretical concern. Back in early 2021, something serious happened with Codecov, a popular code coverage tool.
What happened?
Initial access: Attackers found Git credentials inside Codecov's Docker image and used them to break in.
The breach: They modified a Bash script that many developers ran in their CI pipelines. This allowed the attackers to steal more sensitive information.
Persistence: The attackers went further by targeting CI environments, grabbing even more Git credentials from over 20,000 Codecov customers.
This incident shows how one small vulnerability in a Docker image can lead to much bigger problems, exposing entire systems to attacks.
Once you know the risks of exposed secrets and vulnerabilities, the next step is action. This is where Docker Scout can help. Docker Scout scans Docker images for vulnerabilities and gives you recommendations on how to fix them.
While tools like GitGuardian, Trivy, and Snyk exist, Docker Scout is a native option, integrated into Docker, making it a seamless choice for vulnerability management.
Here’s a simple guide on how to use Docker Scout:
1. Start by scanning your Docker image:
In this example, we initiate the scan with the following command:
docker scout cve <image>:<tag/version>
docker scout cve jboss/wildfly:9.0.1.Final
[Note: jboss/wildfly is no longer supported on Docker Hub. I chose it to highlight the intensity and volume of vulnerabilities. You can try any other image.]
Running this command analyzes the image and checks it for known vulnerabilities. The output (summarized below) lists the vulnerabilities found, grouped into critical, high, medium, and low-risk issues.
2. Understanding the results:
Once Docker Scout completes the scan, it will present a summary of the issues. For example, you might see a report like this:
32 Critical vulnerabilities
149 High-risk vulnerabilities
235 Medium-risk vulnerabilities
79 Low-risk vulnerabilities
Each of these vulnerabilities is tied to specific packages inside the image (in this case, 99 vulnerable packages in total). Docker Scout makes it easy to pinpoint which packages are problematic.
3. Get remediation recommendations:
Docker Scout doesn’t just point out the problems; it also gives you recommendations for fixing them. For example, if a base image is outdated, Docker Scout might suggest updating to a newer version that resolves several vulnerabilities.
You’ll see a prompt like this in the output:
View base image update recommendations -> docker scout recommendations jboss/wildfly:9.0.1.Final
Running this will provide detailed suggestions on which base images to use to mitigate vulnerabilities.
4. Follow the remediation steps:
After getting the recommendations, you’ll likely need to update your Dockerfile to use the newer, more secure base image. For instance, the recommendation might be to update from CentOS 7.9 to a newer tag, which fixes multiple vulnerabilities:
1 Critical vulnerability removed
16 High-risk vulnerabilities resolved
42 Medium-risk vulnerabilities fixed
16 Low-risk vulnerabilities addressed
After updating your base image, simply rebuild your Docker image and run the scan again to ensure that the vulnerabilities have been mitigated.
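The four steps above fit naturally into a CI gate: scan, read the severity counts, fail the build when the budget is exceeded, and rescan after the base-image update. The script below is an added example (not from the newsletter or from Docker); the severity summary it parses is constructed to mirror the counts shown above, so the parsing and gating run offline, and the real `docker scout cve` invocation is only reached when RUN_SCOUT=1.

```shell
#!/bin/sh
# Added example: a CI gate around `docker scout cve`. Parsing/gating functions run on a
# constructed summary so the script works offline; scan_and_gate calls Docker Scout for real.

# Constructed sample in the summary format the article shows for jboss/wildfly:9.0.1.Final.
SAMPLE_SUMMARY='32 Critical vulnerabilities
149 High-risk vulnerabilities
235 Medium-risk vulnerabilities
79 Low-risk vulnerabilities'

# count_severity SUMMARY LABEL -> prints the count for LABEL (Critical, High, Medium, Low); 0 if absent.
count_severity() {
    n=$(printf '%s\n' "$1" | awk -v label="$2" '$2 ~ ("^" label) { print $1; exit }')
    printf '%s\n' "${n:-0}"
}

# gate SUMMARY MAX_CRITICAL MAX_HIGH -> returns 0 when both counts are within budget, 1 otherwise.
# Medium/low findings are reported by the scan but do not block the build in this policy.
gate() {
    crit=$(count_severity "$1" Critical)
    high=$(count_severity "$1" High)
    if [ "$crit" -gt "$2" ] || [ "$high" -gt "$3" ]; then
        echo "FAIL: $crit critical (max $2), $high high (max $3)" >&2
        return 1
    fi
    echo "PASS: $crit critical, $high high"
}

# scan_and_gate IMAGE -> runs Docker Scout itself (needs Docker with the Scout plugin and network
# access). --only-severity restricts the report to the blocking severities, --only-fixed keeps only
# findings with an upstream fix, and --exit-code makes docker scout return non-zero if any remain.
scan_and_gate() {
    docker scout cve --only-severity critical,high --only-fixed --exit-code "$1"
}

# Run the real scan only when asked, so the file can also be sourced for its functions.
if [ "${RUN_SCOUT:-0}" = 1 ]; then
    scan_and_gate "${1:-jboss/wildfly:9.0.1.Final}"
else
    gate "$SAMPLE_SUMMARY" 0 0 || true   # demonstrates a failing gate on the sample counts
fi
```

After rebuilding on the recommended base image, run the same gate against the new tag; the counts it reports should drop by the figures Docker Scout listed in its recommendation.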
Remember: leaving any secrets exposed in images you push to a public registry, or in images you pull from one, carries a high risk of threat actors finding them.
2024 is 72% complete. Start the idea you’ve been holding.
Tool Of The Day
OpenGitOps - A CNCF Sandbox project to define a vendor-neutral, principle-led meaning of GitOps
Trends & Updates
Resources & Tutorials
Picture Of The Day
Certified Kubernetes Administrator vs Kubernetes Expert (10,000+ Pods Managed, 50+ Clusters Deployed)