Docker Security Scanning safeguards the container content lifecycle

written by Lily Guo, Toli Kuznets and Nandhini Santhanam

Today we announced the general availability of Docker Security Scanning, formerly known as Project Nautilus. Available today as an add-on service to Docker Cloud private repositories and for Official Repositories located on Docker Hub, Security Scanning provides a detailed security profile of your Docker images for proactive risk management and to streamline software compliance. Docker Security Scanning conducts binary level scanning of your images before they are deployed, provides a detailed bill of materials (BOM) that lists out all the layers and components, continuously monitors for new vulnerabilities, and provides notifications when new vulnerabilities are found.

 

When you consider the modern software supply chain, it typically includes a number of different development and IT teams in a company coordinating across time zones, stacks and infrastructure to build, ship and run software. The primary concerns of app dev teams are to build the best software and get it to their customer as fast as possible. However, the software supply chain does not stop with developers, it is a continuous loop of iterations, sharing code with teams and moving across environments. Docker makes app portability frictionless and secure by default with a secure platform, controls for secure access and capabilities to secure content. Docker Security Scanning delivers secure content by providing deep insights into Docker images along with a security profile of its components. This information is then available at every stage of the app lifecycle.

Let’s dig into Docker Security Scanning in more detail and walk through how it works.

Docker Security Scanning sits alongside Docker Cloud (and soon with Docker Datacenter) to trigger a series of events once a new image is pushed to a repository. The service includes a scan trigger, the scanner, a database, plugin framework and validation services that connect to CVE databases.

 

Deep visibility into security profile

The Docker Security Scanning service starts when a user/publisher pushes an image to a repo in Docker Cloud. The scanner service takes the image and separates it into its respective layers and components. Then the components are sent to the validation service to check against multiple CVE databases for not only the package name and version, but also a binary level scan of the content inside the package.

This last step is very important because this approach ensures the package is exactly what it claims it is.

A Docker image is made up of many layers and there can be many components/packages in a single layer and each package having a corresponding name and version number. When vulnerabilities are reported to the CVE databases, they are tied to a package name and specific version number.

 

Many services do a simple check of the package names against the database of known packages with issues. This alone is not enough as it does not guarantee an answer to the question of “What’s running in my container?” In addition to checking the package names, we do a binary-level analysis of every layer, and match the underlying signatures of each binary to known components and their versions, and cross reference that with a database of known vulnerabilities. This allows us to find components not only listed in the standard BOM (i.e. dpkg -l or yum list installed), but also any statically linked libraries to correctly identify components whose libraries have been patched and backported to a version that was previously vulnerable. This method reduces the rate of false positives that may occur when previously reported packages are remediated without a package version change and also protects against the situation where someone purposely renames a bad package for distribution.

To help protect you, Docker Security Scanning includes support for a broad range of operating systems including all major Linux distributions and Windows Server, languages and binaries.

Once everything is scanned and results returned, the detailed BOM is generated and stored in the Docker Security Scanning database for each image and tag. The results are sent to Docker Cloud to be presented in the UI along with the BOM for each scanned repo tag.

 

Continuous monitoring and notifications

The ability to scan an image provides insight at a given point in time. Docker Security Scanning goes a step further to make sure your images stay safe with ongoing monitoring and notifications. The Docker Security Scanning database stores the detailed image BOMs and the respective vulnerability status of all the components. When a new vulnerability is reported to a central CVE database, Docker Security Scanning checks our service database to see which images and tags contain that affected package and notify the repo admin via email.

These notifications contain information about the vulnerability itself, as well as list out the repos and tags that contain this vulnerability. With this information, IT teams can proactively manage software compliance requirements by knowing what vulnerabilities impact what pieces of software, reviewing the severity of the vulnerability and making informed decisions on a course of action.

 

Secure across the content lifecycle

Docker Security Scanning is an exciting addition to the Docker workflow to help companies build, ship and run the safest software possible. When combined with Content Trust, you can guarantee that the software is what you say it is, made by who you say it was and that is hasn’t been tampered with along the way. For example, Official Repos have been using Security Scanning since DockerCon EU in Nov 2015 to understand their vulnerability profile, remediate issues and distribute updated images signed with Content Trust. This feature enabled Docker to work with upstream partners to provide better and safer images for you.

 

Availability and Getting Started

Docker Security Scanning is available today in Docker Cloud for private repo plan customers for a limited time free trial. You can also see scan results for Docker’s Official Images on Docker Hub as long as you are logged in, regardless of if you are a subscriber or not. Security scanning will be expanding soon to Docker Datacenter and Docker Cloud public repo users.

Try in Docker Cloud:

To try this feature, go to Account Settings > Plans and select the checkbox. Once activated, the three most recent tags for each private repo will be scanned and the resulting BOM displayed in the tags section within 24 hours. Afterwards, Docker Security Scanning will scan your image tag every time you push.

The screenshot below shows the plans page of a user with a 5 private repo plan. The checkbox to opt-in to Docker Security Scanning appears at the bottom of the Plan summary.

We are so excited about this that we are giving every private repo plan customer a limited time free trial for three months starting today.

If you have a Docker Hub account and have never tried Docker Cloud – don’t worry! Your same login credentials work in Docker Cloud. The native integration ensures that your Docker Hub repos display within the Docker Cloud “Repositories” section. Private repo plans start at $7 per month for 5 private repositories and are available within Docker Cloud.

More Resources for Docker Security Scanning:

• Sign up today for Docker Cloud
• Save your seat for the webinar
• Read the Security Scanning documentation
• Learn more about The Modern App Platform

---

 

Learn More about Docker

• New to Docker? Try our 10 min online tutorial
• Share images, automate builds, and more with a free Docker Hub account
• Read the Docker 1.11 Release Notes
• Subscribe to Docker Weekly
• Sign up for upcoming Docker Online Meetups
• Attend upcoming Docker Meetups
• Watch DockerCon EU 2015 videos
• Start contributing to Docker