Docker Scout vs Scan

Mohammad-Ali A'RÂBI - Apr 6 '23 - - Dev Community

Vulnerability scanning for local Docker images was introduced in late 2020 with the command docker scan. The Docker Scan command would use Snyk's engine to scan Docker images for security vulnerabilities and create a list of Common Vulnerabilities and Exposures (CVEs).

Around a month ago, Docker introduced its own security scanning command, docker scout, deprecating docker scan. After the recent SBOM hype and the introduction of the docker sbom command a few months back, building an in-house security solution on top of the already available toolchain had become a more achievable goal for Docker.

This piece briefly introduces and compares the two Docker subcommands.

Command Interface

Both the Scan and Scout commands, when introduced, came bundled into Docker Desktop. Installation of a CLI extension was required for non-Desktop users (e.g. people running the Docker engine natively on Linux).

I’m running Docker Desktop 4.17.0 on Mac (M2 processor). Let’s try to see the Docker Scan version:

docker scan --version

Here is the output:

  │ The  docker scan  command is deprecated and will no longer be supported after April 13th, 2023.
  │ Run the  docker scout cves  command to continue to get vulnerabilities on your images or install the Snyk CLI.
  │ See https://www.docker.com/products/docker-scout for more details.


the Snyk version 1.1056.0 installed on your system is older as the one embedded by Docker Desktop (>=1.1064.0), using embedded Snyk version instead

Version:    v0.25.0
Git commit: 284fb08
Provider:   Snyk (1.1064.0)

In around a week, Docker will stop supporting Docker Scan, and users who still want to use Snyk for scanning their Docker images should install Snyk's CLI directly.

Now let’s try checking Docker Scout’s version:

docker scout version
version: v0.6.0 (go1.19.5 - darwin/arm64)
git commit: aabe2bfd192f7ac8cbfa4afea647b4dc41d3d30d

To scan an image with Docker Scan, one would run the following command:

docker scan <image>

With Docker Scout, the following command interface is used:

docker scout cves <image>

As of Docker Desktop 4.17, version and cves were the only two subcommands available for docker scout, but this interface design hinted at more subcommands to come. That happened with Docker Desktop 4.18, which was published yesterday, and a few more commands were added:

docker scout --help
Usage:  docker scout COMMAND

Command line tool for Docker Scout

Commands:
  compare         [early preview] Compare two images and display differences
  cves            Display CVEs identified in a software artifact
  quickview       Quick overview of an image
  recommendations Display available base image updates and remediation recommendations
  version         Show Docker Scout version information

Run 'docker scout COMMAND --help' for more information on a command.

To learn more about these commands, please refer to the following article:

Comparison of Results

To see how differently the two commands format their results, let's scan the same image with both: aerabi/git-weekly, the Docker image that contains my Git Weekly Docker Desktop Extension. I have only compared the CVEs in the base image, so the printed output below is a subset of the full output the commands give.

docker scan aerabi/git-weekly
✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: CVE-2022-4304
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314623
  Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
  From: openssl/libcrypto1.1@1.1.1q-r0
  From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
  From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
  and 4 more...
  Fixed in: 1.1.1t-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Double Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
  Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
  From: openssl/libcrypto1.1@1.1.1q-r0
  From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
  From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
  and 4 more...
  Fixed in: 1.1.1t-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Access of Resource Using Incompatible Type ('Type Confusion')
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
  Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
  From: openssl/libcrypto1.1@1.1.1q-r0
  From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
  From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
  and 4 more...
  Fixed in: 1.1.1t-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314643
  Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
  From: openssl/libcrypto1.1@1.1.1q-r0
  From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
  From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
  and 4 more...
  Fixed in: 1.1.1t-r0

The Docker Scan report says the Alpine package openssl/libcrypto1.1 has 4 issues, 3 with high severity and 1 medium, and all are fixed in version 1.1.1t-r0.

docker scout cves aerabi/git-weekly
Analyzing image aerabi/git-weekly
    ✓ SBOM of image already cached, 31 packages indexed
    ✗ Detected 5 vulnerable packages with a total of 19 vulnerabilities

0C    1H    3M    0L  openssl 1.1.1q-r0
pkg:alpine/openssl@1.1.1q-r0?os_name=alpine&os_version=3.16

    ✗ MEDIUM CVE-2022-4450 [Double Free]
      https://dso.docker.com/cve/CVE-2022-4450
      Affected range : <1.1.1t-r0
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ MEDIUM CVE-2023-0215 [Use After Free]
      https://dso.docker.com/cve/CVE-2023-0215
      Affected range : <1.1.1t-r0
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
      https://dso.docker.com/cve/CVE-2023-0286
      Affected range : <1.1.1t-r0
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 7.4
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

    ✗ MEDIUM CVE-2022-4304
      https://dso.docker.com/cve/CVE-2022-4304
      Affected range : <1.1.1t-r0
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

In the Docker Scout report, the package is listed as pkg:alpine/openssl and 4 CVEs are listed, of which 1 has high severity and 3 are medium. Similarly, they are all fixed in the version 1.1.1t-r0.

Both commands also reported CVEs for Go packages, which are not included in the comparison here.

SARIF Output

SARIF, the Static Analysis Results Interchange Format, is a standard, JSON-based format for the output of static analysis tools. In this article, we used the SARIF output of a Docker image scan to show the vulnerabilities in a GitHub pull request.

With Docker Scout, one can specify SARIF output:

docker scout cves aerabi/git-weekly \
    --format sarif \
    --output git-weekly.sarif.json
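As an added example (not from the article or from Docker's own tooling), here is a small Python gate that reads a SARIF report such as the one the command above writes and fails when any CVE exceeds a CVSS threshold. It assumes the report follows SARIF 2.1.0 with the CVE id as ruleId and the CVSS score in a security-severity rule property (the GitHub code scanning convention); the embedded sample is constructed from the four openssl CVEs shown earlier, not a real Scout report.

```python
import json

# Constructed sample shaped like a SARIF 2.1.0 report (not real Scout output): the four
# openssl CVEs and CVSS scores the article lists, with the score in `security-severity`.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "docker scout", "rules": [
        {"id": "CVE-2022-4450", "properties": {"security-severity": "7.5"}},
        {"id": "CVE-2023-0215", "properties": {"security-severity": "7.5"}},
        {"id": "CVE-2023-0286", "properties": {"security-severity": "7.4"}},
        {"id": "CVE-2022-4304", "properties": {"security-severity": "5.9"}}]}},
    "results": [
        {"ruleId": "CVE-2022-4450", "level": "warning", "message": {"text": "openssl 1.1.1q-r0"}},
        {"ruleId": "CVE-2023-0215", "level": "warning", "message": {"text": "openssl 1.1.1q-r0"}},
        {"ruleId": "CVE-2023-0286", "level": "error", "message": {"text": "openssl 1.1.1q-r0"}},
        {"ruleId": "CVE-2022-4304", "level": "warning", "message": {"text": "openssl 1.1.1q-r0"}}]}]})


def cvss_bucket(score):
    """CVSS v3.x qualitative rating, i.e. the C/H/M/L buckets of Scout's summary line."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return name
    return "low"


def load_findings(sarif_text):
    """Yield (cve_id, cvss_score, sarif_level) for every result in the report."""
    for run in json.loads(sarif_text).get("runs", []):
        # Rule metadata, including the score, sits under tool.driver.rules keyed by rule id.
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            yield res.get("ruleId"), float(props.get("security-severity", 0)), res.get("level", "none")


def summarize(sarif_text):
    """Count findings per CVSS bucket, e.g. {'high': 3, 'medium': 1}."""
    counts = {}
    for _, score, _ in load_findings(sarif_text):
        counts[cvss_bucket(score)] = counts.get(cvss_bucket(score), 0) + 1
    return counts


def failing_cves(sarif_text, max_cvss):
    """CVE ids scoring above the allowed maximum; a non-empty list should fail the CI job."""
    return sorted(cve for cve, score, _ in load_findings(sarif_text) if score > max_cvss)


if __name__ == "__main__":
    print(summarize(SAMPLE_SARIF), "blocking:", failing_cves(SAMPLE_SARIF, max_cvss=6.9))
```

Bucketing by CVSS score rather than by the scanner's own label gives 3 high and 1 medium for these four CVEs, the same count Docker Scan reported, which is one way to reconcile the two tools' differing severity labels.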

Snyk's support for SARIF outputs didn't end up in the Docker Scan command though. To export a SARIF file with Snyk's engine, one should use Snyk's CLI directly.

The Docker Scan command does include a --json flag that would output the CVEs in JSON format, but it’s not SARIF-compatible.

Licensing

As documented in Docker Scout's introduction article, it is only available for paid Docker subscriptions. Docker Scan uses one's Snyk account and hence Snyk's subscription model; it's also available for Snyk's free plan which allows one to perform 100 scans a month.

Final Words

Docker Scout is still an early-access product and will most likely see rapid changes in the near future.

This article was originally published on my Medium blog: aerabi.medium.com. This version is slightly different, as I have updated it with the latest Docker Desktop version that was published yesterday.
