Now that we understand what Docker Scout is, let’s scan our Docker images for security vulnerabilities.
Ensure Docker Scout is installed by running:
docker scout version
If it’s not installed, update Docker to the latest version or manually install it:
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh
Let’s create a Dockerfile with known vulnerabilities to demonstrate Docker Scout’s capabilities:
cat << 'EOF' > Dockerfile.vulnerable
# Build stage
# Using Node.js 12.22.0 which has CVE-2021-22883 (OpenSSL vulnerabilities)
FROM node:12.22.0-alpine as build
WORKDIR /app
ENV DISABLE_ESLINT_PLUGIN=true
# Copy package files and install dependencies
COPY package*.json ./
RUN npm install --no-package-lock --legacy-peer-deps
# Copy the rest of the application code
COPY . .
RUN npm run build
# Production stage
# Using Nginx 1.14.0 which has CVE-2019-9516 (HTTP/2 DoS vulnerability)
FROM nginx:1.14.0-alpine
# Copy the build output to replace the default nginx contents
COPY --from=build /app/build /usr/share/nginx/html
# Copy nginx configuration
COPY nginx.conf /etc/nginx/conf.d/default.conf
# Install additional packages - using a vulnerable version of curl
# CVE-2018-1000120 in curl 7.60.0
RUN apk add --no-cache curl openssl
# Expose port
EXPOSE 80
# Start nginx
CMD ["nginx", "-g", "daemon off;"]
EOF
This Dockerfile intentionally uses:
Build the image using the vulnerable Dockerfile:
docker build -t $DOCKER_USERNAME/rent-a-room:vulnerable -f Dockerfile.vulnerable .
Now let’s scan our vulnerable image:
docker scout quickview $DOCKER_USERNAME/rent-a-room:vulnerable
🔹 This will display a summary of vulnerabilities in the image.
🔹 To get a detailed report, run:
docker scout cves $DOCKER_USERNAME/rent-a-room:vulnerable
Example Output:
🔹 Each outcome is a link to Docker Scout, click to see more
Column | Description |
---|---|
CVE ID | The identifier of the vulnerability. |
Severity | The risk level (Low, Medium, High, Critical). |
Affected Package | The component that contains the vulnerability. |
Remediation | Suggested upgrade or patch. |
We can also scan the application image we built and pushed in the previous section:
docker scout quickview $DOCKER_USERNAME/rent-a-room:latest
docker scout cves $DOCKER_USERNAME/rent-a-room:latest
Compare the results between the vulnerable image and our application image.
Now that we’ve identified vulnerabilities, let’s remediate them in our Dockerfile.
Move to the next section to learn how to fix security issues. 🚀