Vulnerability scanning for local Docker images was introduced in late 2020 with the docker scan command. Docker Scan uses Snyk's engine to scan Docker images for security vulnerabilities and produces a list of Common Vulnerabilities and Exposures (CVEs).
Around a month ago, Docker introduced its own security scanning command, docker scout, and deprecated docker scan. After the recent SBOM hype and the introduction of the docker sbom command a few months back, building its own security solution on top of the toolchain it already had became a more achievable goal for Docker.
This piece briefly introduces and compares the two Docker subcommands.
Command Interface
Both the Scan and Scout commands, when introduced, came bundled into Docker Desktop. Installation of a CLI extension was required for non-Desktop users (e.g. people running the Docker engine natively on Linux).
I’m running Docker Desktop 4.17.0 on Mac (M2 processor). Let’s try to see the Docker Scan version:
docker scan --version
Here is the output:
│ The docker scan command is deprecated and will no longer be supported after April 13th, 2023.
│ Run the docker scout cves command to continue to get vulnerabilities on your images or install the Snyk CLI.
│ See https://www.docker.com/products/docker-scout for more details.
the Snyk version 1.1056.0 installed on your system is older as the one embedded by Docker Desktop (>=1.1064.0), using embedded Snyk version instead
Version: v0.25.0
Git commit: 284fb08
Provider: Snyk (1.1064.0)
In around a week, Docker will stop supporting Docker Scan; users who still want to scan their Docker images with Snyk should install Snyk's CLI directly.
Now let’s try checking Docker Scout’s version:
docker scout version
version: v0.6.0 (go1.19.5 - darwin/arm64)
git commit: aabe2bfd192f7ac8cbfa4afea647b4dc41d3d30d
To scan an image with Docker Scan, one ran the following command:
docker scan <image>
With Docker Scout, the following command interface is used:
docker scout cves <image>
As of Docker Desktop 4.17, version and cves were the only two subcommands available for docker scout, but the interface design hinted at more subcommands to come. That happened with Docker Desktop 4.18, published yesterday, which added a few more commands:
docker scout --help
Usage: docker scout COMMAND
Command line tool for Docker Scout
Commands:
compare [early preview] Compare two images and display differences
cves Display CVEs identified in a software artifact
quickview Quick overview of an image
recommendations Display available base image updates and remediation recommendations
version Show Docker Scout version information
Run 'docker scout COMMAND --help' for more information on a command.
To learn more about these commands, please refer to the following article:
Comparison of Results
To see how differently the two commands format their results, let's scan the same image with both: aerabi/git-weekly, the Docker image that contains my Git Weekly Docker Desktop Extension. I have compared only the CVEs in the base image, so what is printed below is just that part of each command's full output.
docker scan aerabi/git-weekly
✗ Medium severity vulnerability found in openssl/libcrypto1.1
Description: CVE-2022-4304
Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314623
Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
From: openssl/libcrypto1.1@1.1.1q-r0
From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
and 4 more...
Fixed in: 1.1.1t-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Double Free
Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
From: openssl/libcrypto1.1@1.1.1q-r0
From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
and 4 more...
Fixed in: 1.1.1t-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Access of Resource Using Incompatible Type ('Type Confusion')
Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
From: openssl/libcrypto1.1@1.1.1q-r0
From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
and 4 more...
Fixed in: 1.1.1t-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Use After Free
Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314643
Introduced through: openssl/libcrypto1.1@1.1.1q-r0, openssl/libssl1.1@1.1.1q-r0, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r17
From: openssl/libcrypto1.1@1.1.1q-r0
From: openssl/libssl1.1@1.1.1q-r0 > openssl/libcrypto1.1@1.1.1q-r0
From: apk-tools/apk-tools@2.12.9-r3 > openssl/libcrypto1.1@1.1.1q-r0
and 4 more...
Fixed in: 1.1.1t-r0
The Docker Scan report says the Alpine package openssl/libcrypto1.1 has 4 issues, 3 with high severity and 1 medium, and that all of them are fixed in version 1.1.1t-r0.
docker scout cves aerabi/git-weekly
Analyzing image aerabi/git-weekly
✓ SBOM of image already cached, 31 packages indexed
✗ Detected 5 vulnerable packages with a total of 19 vulnerabilities
0C 1H 3M 0L openssl 1.1.1q-r0
pkg:alpine/openssl@1.1.1q-r0?os_name=alpine&os_version=3.16
✗ MEDIUM CVE-2022-4450 [Double Free]
https://dso.docker.com/cve/CVE-2022-4450
Affected range : <1.1.1t-r0
Fixed version : 1.1.1t-r0
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
✗ MEDIUM CVE-2023-0215 [Use After Free]
https://dso.docker.com/cve/CVE-2023-0215
Affected range : <1.1.1t-r0
Fixed version : 1.1.1t-r0
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
https://dso.docker.com/cve/CVE-2023-0286
Affected range : <1.1.1t-r0
Fixed version : 1.1.1t-r0
CVSS Score : 7.4
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
✗ MEDIUM CVE-2022-4304
https://dso.docker.com/cve/CVE-2022-4304
Affected range : <1.1.1t-r0
Fixed version : 1.1.1t-r0
CVSS Score : 5.9
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
In the Docker Scout report, the package is listed as pkg:alpine/openssl (a package URL, or purl, rather than the Snyk-style openssl/libcrypto1.1 name) and 4 CVEs are listed, of which 1 has high severity and 3 are medium. They are likewise all fixed in version 1.1.1t-r0.
Note that the two tools rate the same four CVEs differently: Scout labels CVE-2022-4450 and CVE-2023-0215 MEDIUM while printing a CVSS score of 7.5 for each (7.0 to 8.9 is High on the CVSS v3.1 rating scale), whereas Scan rates three of the four High. Severity counts from the two tools are therefore not directly comparable; match findings by CVE ID and fixed version instead.
Both commands also reported CVEs for Go packages, which are not included in the comparison here.
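To make the severity point concrete, here is an added example (not from the article, and not Docker's or Snyk's code) that parses trimmed excerpts of the two reports printed above and checks each Scout label against the band its printed CVSS score falls into on the CVSS v3.1 rating scale. The regular expressions assume the text layout shown on this page; Scout's output is early-access and may change. Scan's text output carries no CVE ID for most entries (only a Snyk URL and a CWE title), which is why the two lists cannot be joined by CVE from the text alone.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Excerpts of the two reports printed above, trimmed to a few entries so the
# parsers can be exercised offline. Layout copied from the page; the regexes
# below assume that layout and are not a stable contract of either tool.
SCOUT_REPORT = """\
    ✗ MEDIUM CVE-2022-4450 [Double Free]
      https://dso.docker.com/cve/CVE-2022-4450
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 7.5
    ✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
      https://dso.docker.com/cve/CVE-2023-0286
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 7.4
    ✗ MEDIUM CVE-2022-4304
      https://dso.docker.com/cve/CVE-2022-4304
      Fixed version  : 1.1.1t-r0
      CVSS Score     : 5.9
"""

SCAN_REPORT = """\
✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: CVE-2022-4304
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314623
  Fixed in: 1.1.1t-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Double Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
  Fixed in: 1.1.1t-r0
"""


@dataclass
class Finding:
    tool: str
    severity: str                 # label as printed by the tool, upper-cased
    cve: Optional[str] = None     # None when the tool prints no CVE id
    title: Optional[str] = None
    fixed: Optional[str] = None
    cvss: Optional[float] = None


SCOUT_HEAD = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW)\s+(CVE-\d{4}-\d{4,})(?:\s+\[(.*)\])?")
SCOUT_FIELD = re.compile(r"^\s*(Fixed version|CVSS Score)\s*:\s*(\S+)")
SCAN_HEAD = re.compile(r"^\s*✗\s+(Critical|High|Medium|Low) severity vulnerability found in (\S+)")
SCAN_FIELD = re.compile(r"^\s*(Description|Fixed in):\s*(.+?)\s*$")


def parse_scout(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        head = SCOUT_HEAD.match(line)
        if head:
            findings.append(Finding("scout", head.group(1), head.group(2), head.group(3)))
            continue
        field = SCOUT_FIELD.match(line)
        if field and findings:
            if field.group(1) == "Fixed version":
                findings[-1].fixed = field.group(2)
            else:
                findings[-1].cvss = float(field.group(2))
    return findings


def parse_scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        head = SCAN_HEAD.match(line)
        if head:
            findings.append(Finding("scan", head.group(1).upper()))
            continue
        field = SCAN_FIELD.match(line)
        if field and findings:
            if field.group(1) == "Fixed in":
                findings[-1].fixed = field.group(2)
            elif field.group(2).startswith("CVE-"):
                # Scan only prints a CVE id in Description when it has no CWE title.
                findings[-1].cve = field.group(2)
            else:
                findings[-1].title = field.group(2)
    return findings


def cvss_band(score: float) -> str:
    """Qualitative rating from the CVSS v3.1 specification (section 5)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "NONE"


def label_mismatches(findings: List[Finding]) -> List[tuple]:
    """Findings whose printed label disagrees with the band of the printed CVSS score."""
    return [(f.cve, f.severity, cvss_band(f.cvss))
            for f in findings if f.cvss is not None and cvss_band(f.cvss) != f.severity]


def count_by(findings: List[Finding], key: Callable[[Finding], str]) -> Dict[str, int]:
    return dict(Counter(key(f) for f in findings))


if __name__ == "__main__":
    scout, scan = parse_scout(SCOUT_REPORT), parse_scan(SCAN_REPORT)
    print("scout labels     :", count_by(scout, lambda f: f.severity))
    print("scout CVSS bands :", count_by(scout, lambda f: cvss_band(f.cvss)))
    print("scan labels      :", count_by(scan, lambda f: f.severity))
    print("label != CVSS    :", label_mismatches(scout))
```

Run against the excerpts, the Scout labels count 2 medium and 1 high while the printed CVSS scores band as 2 high and 1 medium, and CVE-2022-4450 is reported as the mismatch. For anything beyond a one-off comparison, use the machine-readable outputs (Scout's SARIF, Scan's --json) rather than scraping the text.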
SARIF Output
SARIF, the Static Analysis Results Interchange Format, is an OASIS-standardised, JSON-based format for the output of static analysis tools. In this article, we used the SARIF output of a Docker image scan to show the vulnerabilities in a GitHub pull request.
With Docker Scout, one can specify SARIF output:
docker scout cves aerabi/git-weekly \
--format sarif \
--output git-weekly.sarif.json
Snyk's support for SARIF output didn't make it into the Docker Scan command, though. To export a SARIF file with Snyk's engine, one has to use Snyk's CLI directly (snyk container test <image> --sarif).
The Docker Scan command does include a --json flag that outputs the CVEs in JSON format, but that JSON is not SARIF-compatible.
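As an added example (not part of the original article and not Docker Scout's own code), the following script consumes a SARIF 2.1.0 file and turns it into a CI gate: it joins each result to its rule, reads the security-severity rule property that GitHub code scanning uses to band severities, and exits non-zero when any finding scores at or above a threshold. The embedded document is constructed for the example in the generic SARIF layout, reusing the CVE IDs and CVSS scores from the Scout report above; it is not a verbatim Scout export, so field placement in real Scout output may differ.

```python
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Constructed SARIF 2.1.0 document for this example. Generic SARIF layout
# (runs -> tool.driver.rules plus results) with the CVE ids and CVSS scores
# from the Scout report above; not a verbatim Scout export.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "CVE-2022-4450", "shortDescription": {"text": "Double Free"},
             "properties": {"security-severity": "7.5"}},
            {"id": "CVE-2023-0215", "shortDescription": {"text": "Use After Free"},
             "properties": {"security-severity": "7.5"}},
            {"id": "CVE-2023-0286", "shortDescription": {"text": "Type Confusion"},
             "properties": {"security-severity": "7.4"}},
            {"id": "CVE-2022-4304", "shortDescription": {"text": "Timing Oracle in RSA Decryption"},
             "properties": {"security-severity": "5.9"}},
        ]}},
        "results": [
            {"ruleId": "CVE-2022-4450", "level": "warning",
             "message": {"text": "openssl 1.1.1q-r0, fixed in 1.1.1t-r0"}},
            # SARIF allows a result to reference its rule by index instead of id.
            {"ruleIndex": 1, "level": "warning",
             "message": {"text": "openssl 1.1.1q-r0, fixed in 1.1.1t-r0"}},
            {"ruleId": "CVE-2023-0286", "level": "error",
             "message": {"text": "openssl 1.1.1q-r0, fixed in 1.1.1t-r0"}},
            {"ruleId": "CVE-2022-4304", "level": "warning",
             "message": {"text": "openssl 1.1.1q-r0, fixed in 1.1.1t-r0"}},
        ],
    }],
})


def iter_findings(sarif: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Join each result to its rule and pull out the fields a gate cares about."""
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for res in run.get("results", []):
            rule: Dict[str, Any] = {}
            if "ruleIndex" in res and 0 <= res["ruleIndex"] < len(rules):
                rule = rules[res["ruleIndex"]]
            elif res.get("ruleId") in by_id:
                rule = by_id[res["ruleId"]]
            # GitHub code scanning reads the CVSS-style score from this rule property;
            # a rule without it scores 0.0 and never blocks.
            score = rule.get("properties", {}).get("security-severity")
            yield {
                "id": rule.get("id") or res.get("ruleId", "<unknown>"),
                "title": rule.get("shortDescription", {}).get("text", ""),
                "level": res.get("level", "warning"),
                "score": float(score) if score is not None else 0.0,
                "message": res.get("message", {}).get("text", ""),
            }


def gate(sarif_text: str, min_score: float = 7.0) -> Tuple[List[Dict[str, Any]], int]:
    """Return the findings at or above min_score, highest first, and a CI exit code."""
    findings = list(iter_findings(json.loads(sarif_text)))
    blocking = sorted((f for f in findings if f["score"] >= min_score),
                      key=lambda f: (-f["score"], f["id"]))
    return blocking, (1 if blocking else 0)


if __name__ == "__main__":
    # Usage: python sarif_gate.py git-weekly.sarif.json [min_score]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    blocking, code = gate(text, threshold)
    for f in blocking:
        print(f"{f['score']:>4}  {f['id']:<15} {f['title']}  ({f['message']})")
    sys.exit(code)
```

Point it at the file produced by the docker scout cves --format sarif --output command above; with the default threshold of 7.0 the three findings scored 7.4 and above block the build and the 5.9 one does not. Gating on the numeric score rather than on the tool's MEDIUM/HIGH label sidesteps the label discrepancy seen in the comparison section.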
Licensing
As documented in Docker Scout's introduction article, it is only available for paid Docker subscriptions. Docker Scan uses one's Snyk account and hence Snyk's subscription model; it's also available for Snyk's free plan which allows one to perform 100 scans a month.
Final Words
Docker Scout is still an early-access product and will most likely change rapidly in the near future.
This article was originally published on my Medium blog: aerabi.medium.com. This version is slightly different, as I have updated it with the latest Docker Desktop version that was published yesterday.