In my previous blog Automate docker security audits with docker bench for security, we learned about how to automate Docker Security Audits with Docker Bench for Security.
But, remember that Docker Bench isn’t an exhaustive test. There are other aspects to maintaining Docker security that shouldn’t be overlooked either.
A compromised container could give attackers a foothold into your systems, even if you have strong host-level security. You can reduce this risk by using Docker Bench, alongside active container vulnerability scanners like Docker scan (snyk), Grype, Trivy and Clair. These will help you identify problems within your containers, such as outdated dependencies that could be exploited.
Vulnerability scanning for Docker local images using 'docker scan'
Vulnerability scanning for Docker local images allows developers and development teams to review the security state of the container images and take actions to fix issues identified during the scan, resulting in more secure deployments. Docker Scan runs on Snyk engine, providing users with visibility into the security posture of their local Dockerfiles and local images.
macpro$ docker scan --accept-license --version
Version: v0.16.0
Git commit: e135637
Provider: Snyk (1.809.0)
macpro$ docker scan postgres:12
\ Analyzing container dependencies for postgres:12
Testing postgres:12...
✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > tar@1.34+dfsg-1
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in pcre3/libpcre3
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
From: pcre3/libpcre3@2:8.39-13
From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13
✗ Low severity vulnerability found in apt/libapt-pkg6.0
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-APT-522585
Introduced through: postgresql-12@12.9-1.pgdg110+1
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
From: postgresql-12@12.9-1.pgdg110+1 > postgresql-12/postgresql-client-12@12.9-1.pgdg110+1 > postgresql-common/postgresql-client-common@232.pgdg110+1 > pgdg-keyring@2018.2 > apt@2.2.4
✗ High severity vulnerability found in perl/perl-base
Description: Improper Verification of Cryptographic Signature
Info: https://snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
Introduced through: meta-common-packages@meta, perl/libperl5.32@5.32.1-4+deb11u2, perl@5.32.1-4+deb11u2, perl/perl-modules-5.32@5.32.1-4+deb11u2
From: meta-common-packages@meta > perl/perl-base@5.32.1-4+deb11u2
From: perl/libperl5.32@5.32.1-4+deb11u2
From: perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
and 4 more.
✗ High severity vulnerability found in libgcrypt20
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
Introduced through: gnupg2/dirmngr@2.2.27-2, gnupg2/gnupg@2.2.27-2, postgresql-12@12.9-1.pgdg110+1
From: gnupg2/dirmngr@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/dirmngr@2.2.27-2 > gnupg2/gpgconf@2.2.27-2 > libgcrypt20@1.8.7-6
From: gnupg2/gnupg@2.2.27-2 > gnupg2/gnupg-utils@2.2.27-2 > libgcrypt20@1.8.7-6
and 9 more.
✗ Critical severity vulnerability found in glibc/libc-bin
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-1296898
Introduced through: glibc/locales@2.31-13+deb11u2, postgresql-12@12.9-1.pgdg110+1, meta-common-packages@meta
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-bin@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2 > glibc/libc-l10n@2.31-13+deb11u2
From: glibc/locales@2.31-13+deb11u2
and 2 more.
Package manager: deb
Project name: docker-image|postgres
Docker image: postgres:12
Platform: linux/amd64
Base image: postgres:12.9-bullseye
Tested 147 dependencies for known vulnerabilities, found 48 vulnerabilities.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
You get below free scans per month:
Local vulnerability scans: 10 scans
Local vulnerability scans with Snyk: 200 scans
For more information refer to https://docs.docker.com/engine/scan
https://www.docker.com/pricing
A vulnerability scanner for container images and filesystems using Grype
Grype is a vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.
Installation
Recommended
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
...or, you can specify a release version and destination directory for the installation:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
Homebrew
brew tap anchore/grype
brew install grype
Note: Currently, Grype is built only for macOS and Linux.
macpro$ grype k8s.gcr.io/kube-scheduler:v1.22.5 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [3 packages]
✔ Scanned image [0 vulnerabilities]
No vulnerabilities found
macpro$ grype postgres:12 --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [718 packages]
✔ Scanned image [550 vulnerabilities]
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 2.2.4 CVE-2011-3374 Negligible
coreutils 8.32-4+b1 (won't fix) CVE-2016-2781 Low
coreutils 8.32-4+b1 CVE-2017-18018 Negligible
github.com/opencontainers/runc v1.0.1 1.0.3 GHSA-v95c-p5hm-xq8f Medium
libapt-pkg6.0 2.2.4 CVE-2011-3374 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-bin 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-bin 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-bin 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-bin 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-bin 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-bin 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc-l10n 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc-l10n 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc-l10n 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc-l10n 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libc6 2.31-13+deb11u2 CVE-2021-43396 Negligible
libc6 2.31-13+deb11u2 CVE-2021-3998 Unknown
libc6 2.31-13+deb11u2 CVE-2021-3999 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
libc6 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
libc6 2.31-13+deb11u2 CVE-2010-4756 Negligible
libc6 2.31-13+deb11u2 CVE-2018-20796 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u2 CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u2 CVE-2019-9192 Negligible
libc6 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
libgcrypt20 1.8.7-6 (won't fix) CVE-2021-33560 High
libgcrypt20 1.8.7-6 CVE-2018-6829 Negligible
libgnutls30 3.7.1-5 CVE-2011-3389 Medium
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libk5crypto3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libkrb5-3 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libkrb5support0 1.18.3-6+deb11u1 CVE-2004-0971 Negligible
libkrb5support0 1.18.3-6+deb11u1 CVE-2018-5709 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2015-3276 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2017-14159 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2017-17740 Negligible
libldap-2.4-2 2.4.57+dfsg-3 CVE-2020-15719 Negligible
libncursesw6 6.2+20201114-2 CVE-2021-39537 Negligible
libpcre3 2:8.39-13 CVE-2017-11164 Negligible
libpcre3 2:8.39-13 CVE-2017-16231 Negligible
libpcre3 2:8.39-13 CVE-2017-7245 Negligible
libpcre3 2:8.39-13 CVE-2017-7246 Negligible
libpcre3 2:8.39-13 CVE-2019-20838 Negligible
libperl5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
libperl5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
libsepol1 3.1-1 (won't fix) CVE-2021-36084 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36085 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36086 Low
libsepol1 3.1-1 (won't fix) CVE-2021-36087 Low
libsqlite3-0 3.34.1-3 CVE-2021-36690 Negligible
libssl1.1 1.1.1k-1+deb11u1 CVE-2007-6755 Negligible
libssl1.1 1.1.1k-1+deb11u1 CVE-2010-0928 Negligible
libsystemd0 247.3-6 CVE-2013-4392 Negligible
libsystemd0 247.3-6 CVE-2020-13529 Negligible
libsystemd0 247.3-6 (won't fix) CVE-2021-3997 Unknown
libtinfo6 6.2+20201114-2 CVE-2021-39537 Negligible
libudev1 247.3-6 CVE-2013-4392 Negligible
libudev1 247.3-6 CVE-2020-13529 Negligible
libudev1 247.3-6 (won't fix) CVE-2021-3997 Unknown
libxslt1.1 1.1.34-4 CVE-2015-9019 Negligible
locales 2.31-13+deb11u2 CVE-2021-43396 Negligible
locales 2.31-13+deb11u2 CVE-2021-3998 Unknown
locales 2.31-13+deb11u2 CVE-2021-3999 Unknown
locales 2.31-13+deb11u2 (won't fix) CVE-2022-23218 Unknown
locales 2.31-13+deb11u2 (won't fix) CVE-2022-23219 Unknown
locales 2.31-13+deb11u2 CVE-2010-4756 Negligible
locales 2.31-13+deb11u2 CVE-2018-20796 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010022 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010023 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010024 Negligible
locales 2.31-13+deb11u2 CVE-2019-1010025 Negligible
locales 2.31-13+deb11u2 CVE-2019-9192 Negligible
locales 2.31-13+deb11u2 (won't fix) CVE-2021-33574 Critical
login 1:4.8.1-1 CVE-2007-5686 Negligible
login 1:4.8.1-1 CVE-2013-4235 Negligible
login 1:4.8.1-1 CVE-2019-19882 Negligible
ncurses-base 6.2+20201114-2 CVE-2021-39537 Negligible
ncurses-bin 6.2+20201114-2 CVE-2021-39537 Negligible
openssl 1.1.1k-1+deb11u1 CVE-2007-6755 Negligible
openssl 1.1.1k-1+deb11u1 CVE-2010-0928 Negligible
passwd 1:4.8.1-1 CVE-2007-5686 Negligible
passwd 1:4.8.1-1 CVE-2013-4235 Negligible
passwd 1:4.8.1-1 CVE-2019-19882 Negligible
perl 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-base 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-base 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
perl-modules-5.32 5.32.1-4+deb11u2 CVE-2011-4116 Negligible
perl-modules-5.32 5.32.1-4+deb11u2 (won't fix) CVE-2020-16156 High
tar 1.34+dfsg-1 CVE-2005-2541 Negligible
Conclusion
Hardening a Docker image involves scanning it for vulnerabilities, building a new image with additional mitigating protections, then using that version as the base for your application. You need to scan and rebuild your images regularly to make sure they include latest packages and patches. It’s a best practice to incorporate hardening into your image build pipeline.
Remember that container security best practices don’t just include the delivered applications and container images themselves. You also need to include the full component stack used for building, distributing, and specifically executing the container.
One of the key points of cloud-native security is addressing container security risks as soon as possible. Doing it later in the development life cycle slows down the pace of cloud adoption, while raising security and compliance risks.